BTAgent – CPE backdoor (cryptome.org)
145 points by aburan28 on Nov 1, 2014 | 17 comments

I was initially interested when I first saw this last year, but it turns out to be complete FUD. See http://www.revk.uk/2013/12/paraniod-ravings.html for the take on the original disclosures from the MD of one of the UK's most technical ISPs (and believe me, he's no fan of BT's).

See also http://www.ispreview.co.uk/index.php/2013/12/confusion-alleg...

In a nutshell, some ISPs will effectively hijack publicly routable ranges for internal use if they know that there's no way those addresses will ever be used for real public services. In this case, a UK ISP is re-using the US DoD's network. Anecdotally I've heard the inverse is also true (US ISPs use UK MoD ranges).

No matter if he's right or not: it can't hurt to set up an additional firewall. TR-069 is scary enough.

Yeah, I packet-captured what TR-069 (on my Actiontec C1000A) was sending to CenturyLink every day; it included:

All the MAC addresses associated with the network.

The username/password to my router.

All the names of the computers associated with the network.

My WPS PIN.

My SSID name.

My WPA2 password.

My old WEP password.

How long each computer has been on the network.

Amongst other things.

It was pretty scary. Luckily I have root on the device; tr69 is no longer alive.
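The inventory in the comment above (MAC addresses, host names, Wi-Fi passphrase, WPS PIN, router credentials) is exactly the kind of thing a defender would want to audit in their own CPE's TR-069 traffic. The following is an added example, not code from the comment author or from any ISP: it parses a constructed CWMP Inform message and flags parameters whose names indicate secrets or LAN-host details, masking the values in the report. The parameter names are modelled on the TR-098 data model but the message and every value in it are constructed for the example; the category names and regexes are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a TR-069 (CWMP) Inform body of the shape a CPE posts to its
# ACS. Parameter names follow the TR-098 naming style; all values are made up.
SAMPLE_INFORM = """<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap-env:Body>
    <cwmp:Inform>
      <ParameterList>
        <ParameterValueStruct><Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name><Value>EXAMPLE-1.0</Value></ParameterValueStruct>
        <ParameterValueStruct><Name>InternetGatewayDevice.ManagementServer.URL</Name><Value>https://acs.example.invalid/cwmp</Value></ParameterValueStruct>
        <ParameterValueStruct><Name>InternetGatewayDevice.ManagementServer.ConnectionRequestPassword</Name><Value>s3cr3t-conn</Value></ParameterValueStruct>
        <ParameterValueStruct><Name>InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.SSID</Name><Value>HomeNet</Value></ParameterValueStruct>
        <ParameterValueStruct><Name>InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.PreSharedKey.1.KeyPassphrase</Name><Value>correct horse battery</Value></ParameterValueStruct>
        <ParameterValueStruct><Name>InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.WEPKey.1.WEPKey</Name><Value>0123456789</Value></ParameterValueStruct>
        <ParameterValueStruct><Name>InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.WPS.DevicePassword</Name><Value>12345670</Value></ParameterValueStruct>
        <ParameterValueStruct><Name>InternetGatewayDevice.LANDevice.1.Hosts.Host.1.MACAddress</Name><Value>02:00:00:aa:bb:cc</Value></ParameterValueStruct>
        <ParameterValueStruct><Name>InternetGatewayDevice.LANDevice.1.Hosts.Host.1.HostName</Name><Value>alices-laptop</Value></ParameterValueStruct>
        <ParameterValueStruct><Name>InternetGatewayDevice.LANDevice.1.Hosts.Host.1.Active</Name><Value>1</Value></ParameterValueStruct>
        <ParameterValueStruct><Name>InternetGatewayDevice.User.1.Username</Name><Value>admin</Value></ParameterValueStruct>
        <ParameterValueStruct><Name>InternetGatewayDevice.User.1.Password</Name><Value>router-pw</Value></ParameterValueStruct>
      </ParameterList>
    </cwmp:Inform>
  </soap-env:Body>
</soap-env:Envelope>
"""

# Categories and the name patterns that select them (hypothetical, mine).
# Order matters: the first matching category wins, so Wi-Fi secrets are
# classified before the generic "Password" rule catches WPS.DevicePassword.
SENSITIVE = [
    ("wifi-secret", re.compile(r"\.(KeyPassphrase|PreSharedKey|WEPKey|DevicePassword)$")),
    ("credential", re.compile(r"(Password|Username)$")),
    ("wifi-ssid", re.compile(r"\.SSID$")),
    ("lan-host", re.compile(r"\.Hosts\.Host\.\d+\.")),
]


def classify(name):
    """Return the sensitivity category for a parameter name, or None if benign."""
    for category, pattern in SENSITIVE:
        if pattern.search(name):
            return category
    return None


def parse_inform(xml_text):
    """Extract {parameter name: value} from the ParameterList of an Inform."""
    root = ET.fromstring(xml_text)
    params = {}
    for pvs in root.iter("ParameterValueStruct"):
        name = pvs.findtext("Name")
        if name:
            params[name] = pvs.findtext("Value") or ""
    return params


def mask(value):
    """Keep two characters at each end so a value is recognisable but not leaked."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def audit_inform(xml_text):
    """Return (category, name, masked value) for every sensitive parameter."""
    findings = []
    for name, value in parse_inform(xml_text).items():
        category = classify(name)
        if category:
            findings.append((category, name, mask(value)))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_inform(SAMPLE_INFORM)
    for category, name, masked in results:
        print(f"{category:12} {name} = {masked}")
    print(summarize(results))
```

Run against a real capture (after decrypting or, for plain-HTTP CWMP, simply reassembling the POST body), the summary tells you at a glance whether the device is reporting only version and line statistics or the full LAN inventory and credentials.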

Another example (Rogers Internet, Canada): the first hop after my router is an IP which is owned by the DoD.

Most of this stuff was published a few months ago and completely debunked - the IP range was just chosen because it isn't routable.

The BTAgent is there to manage the devices - e.g. updating them. It's possible that some stats are there to improve line quality as well. To me that seems a reasonable tradeoff, and if I wasn't happy with it then it is always possible to use your own piece of CPE.

The other point is that the interface that BTAgent runs on isn't exposed to the internet; it is only available from the management network, so someone obtaining the keys for BTAgent would also have to compromise the management network - at which point BT has bigger problems!

While the PDF from cryptome was initially published almost a year ago, the person who reverse-engineered the firmware has been visited by the police and has since sent a response to cryptome, in response to the PDF, to clear up some misconceptions.

Is it a crime to reverse-engineer routers provided by an ISP? (Honest question; I know things like MAC spoofing, which can be used in the UK to get free cable TV / Internet, are illegal.)

Not under EU law, but this is the UK we're talking about...

You know you tried to make that sound like you had any idea what you were talking about.

Do you have a source to back this up?

The only technically interesting thing here is the lousy remote management setup BT seems to be using.

It's not mentioned in the article, but I'm not aware of a DSL provider in North America NOT using TR-69 to remotely manage the routers given to customers. To properly support customers, you simply need to use something that gives you remote admin capabilities.

"e.g. with remote access via a CPE backdoor, the local ethernet port on the CPE can be put into "promiscuous mode" and all ethernet frames on the local network snagged. Allowing, for example, the snooping of traffic to a networked local printer in an office."

I've actually done this, with the permission of the customer, to diagnose a problem inside the customer's home network. It was actually a badly broken printer killing the wifi.

I know it's not always possible, but if you don't trust the ISP in your home network, don't use the ISP's gear. I don't and I work for one.

I'm always surprised how few network guys are on HN.

Every device in infrastructure should have a management address. This int is routed differently than the data interface. In a datacenter, management will be a separate physical int, but telecom can't go running 2 cables into a house, so it's a logical management int in that case. Comcast remotes into my modem all the time for management purposes (service magically goes out) and I doubt they log in via my DHCP address from them. It's just good practice to manage a device from a management int, and in a consumer environment this should be hidden from the user. Everyone in infrastructure knows: the less the user knows, the better.

Tinfoil hat time - funny cowinkydink they chose a DoD subnet. Why wouldn't they use like the rest of the world? Could be them being different, could be something more. Convenient for the DoD to own the management subnet, just saying.

Less chance of overlapping with the RFC1918 addresses in a home network? (A silent assumption here is that the CPEs are user-configurable in any way.)

Or just that they historically had some 10/8 space already used elsewhere in the network?

Note that they're not the only ones camping on DoD address space, I know a couple more folks who had to do it out of necessity at some point, under the assumption (flawed, sure) that DoD probably will never advertise them.

The best way to solve it is to go IPv6-only in management, and for those folks who are lucky enough to have had public IPv4 space for management purposes, that is one of the big drivers.

Out of the box these home routers all come with the same subnet (every Linksys out of the box runs in the US). Private addressing behind the box is meaningless in the telecom cloud. It's all NAT.

Could be 10/8 used elsewhere for some other network but us infrastructure guys are lazy. NAT that shit. I've never known an ISP to be a monument to best practices.

I've yet to come across any 30/8 subnets in my career. RFC1918 gives one a shit-ton of address space to work with. Bleeding into the 30/8 for necessity seems like something is wrong somewhere.

The fact IPv6 isn't more widely adopted reiterates my point above: engineers are lazy and NAT works. I've only known one company to use public IPv4 space for management and they were a mess. I'd love to say using 30/8 is out of necessity or out of laziness, but it's just oddly convenient.

"Out of the box these home routers all come with the same subnet" - if the customer has any way to change the router LAN subnet, this does not matter. Someone will put it to 10.x.x.x. My cable modem came from ISP with a default login from the LAN side which allows me to change pretty much anything I wish - if in BT setup they do not allow login, then that argument of mine would not make sense.

"NAT that" - sure, if you say so. Unless someone years ago already made that choice for you and you already have that management network.

"yet to come across any 30/8" - http://blog.erratasec.com/2013/12/dod-address-space-its-not-... - read the blogpost and comments.

Or http://networksavant.blogspot.fr/2013/05/70008.html

Or http://xerocrypt.wordpress.com/2013/12/07/the-adversaries-co...

Of course you also can use looking glasses (http://lg.he.net/, http://www.cogentco.com/en/network/looking-glass in case anyone wants to check me) to verify that 30/8 is not in the BGP tables, and thus is not routed.

And even if it starts getting routed, e.g. someone makes a hijack, the space surely does not have to be 30/8 to be hijacked, as evidenced by e.g. http://research.dyn.com/2013/11/mitm-internet-hijacking/

And let me put a tinfoil hat on and ask: if I were to spy on the home routers and wanted to keep the whole affair secret, wouldn't assigning a less "hot" chunk of address space (like, for example, RFC1918), and then getting access to the system that can use that range within this network, keep me much lower under the radar?
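The checks argued over in this exchange (is 30/8 announced anywhere, and would a management range collide with a customer's RFC1918 LAN?) are mechanical once you have a table to look at. The following is an added example, not code from any commenter: it parses a constructed "show ip bgp"-style dump of the kind a looking glass returns, does a longest-prefix lookup for an address or prefix, reports whether a range is covered by any announcement, and checks a management range against the RFC1918 blocks and against a given home LAN. The dump, its next hops and AS numbers are all constructed for the example (documentation and private-use values); it is not real routing data, and the function names are my own.

```python
import re
from ipaddress import ip_network

# Constructed looking-glass / "show ip bgp" style output. Prefixes, next hops and
# AS paths are made up for this example and are NOT a real table. Note that
# neither 30.0.0.0/8 nor any RFC1918 block appears in it.
SAMPLE_RIB_DUMP = """\
   Network          Next Hop        Metric LocPrf Weight Path
*> 1.0.0.0/24       203.0.113.1          0    100      0 64500 64501 i
*> 8.0.0.0/9        203.0.113.1          0    100      0 64500 64502 i
*> 8.8.8.0/24       203.0.113.2          0    100      0 64500 64503 i
*> 99.0.0.0/8       203.0.113.1          0    100      0 64500 64504 i
*> 198.51.100.0/24  203.0.113.2          0    100      0 64500 64505 i
"""

# Only the Network column carries a "/len" suffix, so matching an IPv4 CIDR is
# enough to pull the announced prefix out of each line.
PREFIX_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_rib(dump):
    """Return the announced prefixes found in a text dump as IPv4Network objects."""
    rib = []
    for line in dump.splitlines():
        match = PREFIX_RE.search(line)
        if match:
            rib.append(ip_network(match.group(1), strict=False))
    return rib


def covering_prefixes(rib, target):
    """Announcements that contain target, most specific first (longest-prefix order)."""
    t = ip_network(target, strict=False)
    hits = [p for p in rib if t.subnet_of(p)]
    hits.sort(key=lambda p: p.prefixlen, reverse=True)
    return [str(p) for p in hits]


def is_routed(rib, target):
    """True if any announcement overlaps target, i.e. some part of it is reachable."""
    t = ip_network(target, strict=False)
    return any(p.overlaps(t) for p in rib)


def rfc1918_overlap(target):
    """The RFC1918 blocks a candidate management range would collide with."""
    t = ip_network(target, strict=False)
    return [str(n) for n in RFC1918 if n.overlaps(t)]


def collides_with_lan(mgmt, lan):
    """Would a management range clash with a specific customer LAN subnet?"""
    return ip_network(mgmt, strict=False).overlaps(ip_network(lan, strict=False))


if __name__ == "__main__":
    rib = parse_rib(SAMPLE_RIB_DUMP)
    for target in ("30.0.0.0/8", "8.8.8.8", "99.12.0.0/16"):
        print(f"{target:14} routed={is_routed(rib, target)} covered_by={covering_prefixes(rib, target)}")
    for mgmt in ("10.0.0.0/8", "30.0.0.0/8"):
        print(f"{mgmt:14} rfc1918_overlap={rfc1918_overlap(mgmt)} "
              f"clashes_with_10.0.0.0/24={collides_with_lan(mgmt, '10.0.0.0/24')}")
```

With a real looking-glass dump substituted for the constructed one, the first loop answers the "is it in the BGP tables" question for any range; the second makes the RFC1918-overlap argument concrete, showing why a 10/8 management net collides with a customer who changed their LAN to 10.x while an unannounced public block does not.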

I worked for a company that was using some addresses in the 99/8 range (I don't remember what the narrower range was) internally. This occasionally caused issues when some ISPs started doling out those addresses.

Here have our free router so that we can access your network whenever we want.

