8/13/2019 The Internet Dark Age (Full Disclosure)
Full Disclosure
The Internet Dark Age
Removing Governments on-line stranglehold Disabling NSA/GCHQ major capabilities
(BULLRUN / EDGEHILL)
Restoring on-line privacy - immediately
by
The Adversaries
Spread the Word!
Uncovered //NONSA//NOGCHQ//NOGOV - CC BY-ND
Full Disclosure
Internet Wire-Tapping
WARNING: BT Broadband Equipment Contains NSA/GCHQ Back Doors
NSA/GCHQ Sources and Methods Uncovered
We explain how NSA/GCHQ:
Are Internet wiretapping you
Break into your home network
Perform 'Tailored Access Operations' (TAO) in your home
Steal your encryption keys
Can secretly plant anything they like on your computer
Can secretly steal anything they like from your computer
How to STOP this Computer Network Exploitation
Dedicated to the Whistle-Blower
Mr Edward J. Snowden.
We expose NSA/GCHQ's Most Secret Weapon - Control, and how you can defeat it.
Table of Contents
Preface
Disclosures
Source of this Information
Our Laws
Companies
Technical Nature of this Information
Privacy vs Security
Motivation
Terminology
Your Home Network
The Hack
How it Works
The Attacks
Internal Network Access
Man-In-The-Middle Attack
All SSL Certificates Compromised in Real-Time
Theft of Private Keys
Is it possible that BT is unaware of this?
My equipment is completely different?
I've never done anything wrong
How can I verify this myself?
I would like to donate and support your work
How you can verify
Easy Confirmation
Hard Confirmation
The UN-Hack
Barriers
Social Attacks on Engineers
Counter-Intelligence
NSA Honeypots
About the Authors
Our Mission
Donations
Preface
When the Government, Telecommunications companies and Internet Service Providers implant secret spying equipment in your home without your knowledge or consent, under the guise of something else, and then use that equipment to infect your computers and spy on your private network activity (not the internet), we believe you have a right to know.
It is not possible to make these claims without actual proof and without naming the actual companies involved.
These events coincide with the global surveillance systems recently disclosed, and they further confirm the mass scale of the surveillance and how deeply entrenched the Governments are in our personal lives without our knowledge.
The methods we disclose are a violation of security and trust. Good Information Security (InfoSec) dictates that when we discover such back doors and activity we analyze, understand, publicize and fix/patch such security holes. Doing otherwise is morally wrong.
What is revealed here is the missing piece to the global surveillance puzzle that answers key InfoSec questions, which include:
How do the NSA/GCHQ perform Computer Network Exploitation?
We reveal the actual methods used by the NSA/GCHQ and others that allow them to instantly peer into your personal effects without regard for your privacy, without your knowledge and without legal due process of law, thus violating your Human Rights simply because they can.
Disclosures
The risks taken when such activity is undertaken are "Being Discovered" and the activity being "Publicly Exposed", as well as the "Loss of Capability".
Source of this Information
"The simple knowledge that we may be clandestinely observed in our own homes provided the determination to find the truth, which we did."
This information is not the result of any knowledge of classified documents or leaks, but is based on information in the public domain and our own fact finding mission due to Forensic and Network Analysis Investigations of private SOHO networks located in the UK.
"o!panies
2 are directl& responsible *or covertl& embedding secret sp& e ipment inmillions o* homes and b sinesses 0ithin the !< as o r evidence 0ill
demonstrate+
2 have directl& enabled "o!puter Net)or& E,ploitation (CN#% o* all itshome and b siness c stomers+
Technical Nature o' this In'or!ation
2he in*ormation described here is technical this is beca se in order tos bvert technolog& the attac7ers need to be able to *ool and con* se e pertsin the ;eld and 7eep them b s& slowing them down b t regardless theimpact and eFect can be nderstood b& ever&bod&+
6o r main ta7e a0a& *rom this disclos re is to nderstand concept all& ho0these attac7s 0or7 &o can then p t sec rit& meas res in place to prevents ch attac7s+
(ri+ac* +s Securit*
"oss o* privac& is a breach o* personal sec rit& and the legal violation o*privac& is p rel& a conse ence o* that sec rit& loss+
:eEve *oc sed on the technical breach o' securit* i+e+ the Comp terNet0or7 # ploitation itsel* and b& ; ing that &o can restore at least some o*&o r personal privac&+
2his ill strates that there is no s ch thing as a balance bet0een sec rit& andprivac& &o have them both or &o have none +
Motivation
After studying in detail the revelations by Edward Snowden we realized there was a large missing part of the puzzle.
There has been little to nothing published on specifically how the attackers technically achieve their goals. Most information published is based on theoretical situations.
If we don't know how hackers actually achieve these security breaches we cannot defend against such breaches.
For example, a slide similar to the following was published; of all the slides released it's uninteresting and easily dismissed, as it simply describes what is commonly known as a theoretical Man-In-The-Middle attack.
The media focus of the slide is of course the Google Servers, and your first thought might be 'this is Google's problem to solve', but what if 'Google Server' was 'My Bank's Servers'? You would probably be more concerned, because that may directly affect you. But we thought, what if 'Google Server' was 'Any Server, Anywhere'?
Our investigation led us to uncover and understand how this attack really works in practice, how it is implemented and the hair-raising reality of its true nature, and that is this: not just a back door but an entire attack platform and distributed architecture.
Terminology
To ease explanation we are going to use standard security terms from here on.
Attacker - GCHQ, NSA, BT Group or any combination.
The Hack - The technical method used by the attackers to illegally break into your home network, computers and phones.
Basic Security
Your Home Network
In order to explain how these Computer Network Exploitation attacks work and how this affects you personally, we must first look at the architecture of a typical home or office network. Look familiar to you?
Most Internet connections consist of a DSL type modem and one or more Ethernet ports attached to the modem, to which you connect your computers, devices, add-on switches etc.
There are two security factors in operation here:
a) NAT based networking, meaning that your home computers are hidden and all share a single public IP address.
b) Your modem has a built-in firewall which blocks inbound traffic. The inherent security assumption is that data cannot pass from the inbound DSL line to a LAN switch port without first being accepted or rejected by the built-in firewall.
For the technically minded, these security assumptions are further re-enforced if the modem's software is open source, e.g. using Linux, and its source code is freely and openly available as per the GNU GPL requirements.
Given that the above is the most common architecture on the Internet, as it applies to almost every home and office everywhere, let's now revisit that first slide, but this time we ask one simple question:
How do the attackers get between You and Google or some other service?
On closer inspection of the diagram you will notice that "Google Request" and the Attacker (Log into Router) share the same router. When this slide was released we all assumed that this router was either Google's own router or some upstream router; that way the attacker could intercept packets and perform a Man-In-The-Middle (MITM) attack.
However, this would not work for every website or service on the Internet. The attacker would need to be upstream everywhere!
So where does the attacker hide? Where is this Common Router? Again we ask:
How do the attackers get between You and Google or some other service?
Let's examine the diagram one last time.
You guessed it, it's right inside your house! It's the router supplied by your trusted Internet Service Provider (ISP)!
If this is true it means that you are being Internet wiretapped, because the attacker has entered your private property and unlawfully accessed your computer equipment.
Unlike a lawful interception, in which a warrant is served on the third party (ISP) and the intercept happens at the ISP's property, upstream and outside your property, this is happening in your home or office without your knowledge, without your permission, and you have not been served with a search warrant as is required by law.
But worse is the fact that this architecture is designed for Cyber Attacking in addition to passive monitoring, as we will detail next.
The Hack
This example is based on the UK version of what we are calling The Hack, using BT Internet services. If you are not in the UK, and regardless of the service, you should always assume that the exact same principles detailed here are always being used against you, regardless of your country or ISP.
The Hack is based on the fact that a second secret/hidden network and second IP address is assigned to your modem. Under normal use you cannot detect or see this from your LAN, but the attacker has direct access to your modem and LAN in your house from the Internet.
How it Works
When the DSL connection is established a covert DHCP request is sent to a secret military network owned by the U.S. Government D.O.D. You are then part of that U.S. D.O.D. military network; this happens even before you have been assigned your public IP address from your actual ISP.
This spy network is hidden from the LAN/switch using firewall rules, and traffic is hidden using VLANs; in the case of BT et al it uses VLAN …, but other vendors' modems may well use different VLANs. The original slide has a strange number ?@? with grey background; we think this represents the VLAN number/Vendor number, so BT would be ….
This hidden network is not visible from your "Modem's Web Interface" and not subject to your firewall rules, also not subject to any limitations as far as the switch portion of your modem is concerned, and the hidden network also has all ports open for the attacker.
Other tools and services are permanently enabled inside the modem which greatly aid the attacker, such as zebra & ripd routing daemons, iptables firewall, SSH remote shell server, along with a dhcp client.
These tools allow the attacker to control 100% of the modem functionality from the Internet and in an undetectable manner, e.g. the attacker can
This is an extremely complex and covert attack infrastructure, and it's built right into your modem's firmware, which can also be updated remotely as required by the attacker using the built-in BTAgent.
The Hack attack is turned on by default but is selectively turned off for special purposes or specific dangerous customers, for example for certain software, firmware and hardware developers/engineers (which may include you), so that these people don't discover The Hack.
The attacker identifies these specific "threats" and marks their Internet connections as "NO DHCP", such that the same dhcpc requests from their telephone lines are ignored, and while these requests are ignored the hidden network will not appear inside their modem and is much harder to discover.
Firmware engineers usually want to know if the modems are using Open Source software such as Linux and busybox, in which case they are subject to the terms of the GNU Public License.
These engineers, as well as tech savvy users, may wish to put their own software (e.g. OpenWRT) on these modems, maybe because they don't trust their ISP, but are prevented by their ISP for obscure reasons.
Most modem providers usually violate copyright law by not releasing the source code, and BT was no exception to this rule. Only by the threat of legal action did they release the source code. However BT still prevents the modems from being updated by their customers or third parties.
BT goes to extreme lengths to prevent anyone from changing the firmware, and those that come close are first subjected to Physical and Psychological Barriers (explained later), and the few that overcome that are subjected to a separate NSA/GCHQ targeted Social Attack designed specifically to derail any engineering progress made; this is also explained later. These attacks are almost always successful.
During these attacks BT uses all the information discovered by the engineers to produce firmware updates that prevent anyone else using those same techniques, under the guise of security and protecting the customer, and this is performed without notice to any customers.
As we move to new generations of hardware the modems are very sophisticated and very covert; the engineers capable of even attempting to replace the firmware become practically non-existent.
As we detail, the sole purpose of locking the modem is to prevent people discovering that they are actually being wiretapped by BT on behalf of NSA/GCHQ.
As a side note, NSA describe Linux/Open Source as Indigenous and a SIGINT target.
NSA documents describe this means of SIGINT collection as … Others include … and …
Your Real Network
The following is a more realistic view of your home network and what is now possible given the attacker now has secret access to your home LAN.
It is now a simple matter to use other tools and methods available to the attacker to penetrate your internal computers; this includes:
Steal private VPN/SSH/SSL/PGP keys
Infect machines with viruses
Install key loggers
Install screen loggers
Clone/destroy hard drives
Upload/destroy content as required
Steal content as required
Access Corporate VPNs
Clean up after operations
Route traffic on demand (e.g. MITM)
Censorship and
The Attacks
This section lists the attacks on you that are now possible by the NSA/GCHQ.
Later we show how you can defend against these attacks, and it would be wise to implement our defenses with immediate effect.
Unlike the revelations so far by Snowden, where the attacks occur out there somewhere on the Internet, these attacks happen in your home/office.
The attacks listed are the most obvious attacks; some are mentioned in Edward Snowden revelations and referred to as Computer Network Exploitation (CNE).
Internal Network Access
The attacker has direct access to your LAN and is inside your firewall.
Your modem acts as a server; it listens on lots of ports such as SSH (22) and TELNET (23), so the attacker can just hop on to it (but you cannot).
This is possible because another hidden bridged interface exists with its own VLAN. Firewall rules do not apply to this interface, so the attacker can see your entire LAN and is not subject to your firewall rules, because those rules apply to the BT link (black line), not the attacker's link (red lines).
When you scan your BT Public IP address from outside you may well only see port 161 open (BTAgent, more on this later), but when scanned from the attacker's network all necessary ports are open and with an SSH daemon running (even the username and password are the basic admin/admin).
Basically the attacker is inside your home network and, ironically, in most cases right behind your actual curtain (where the modems are usually located).
This is the digital version of Martial Law, with a Cyber Attack Soldier in every home in the country.
The first task of the attacker is to perform a site survey and learn as much as possible about all the devices attached to your network.
All your hardware can be identified by the specific MAC addresses and then fingerprinted for specific protocols and software versions. All this cannot be detected unless you are logged into your Locked modem.
The above is just the base platform of the NSA/GCHQ from which hundreds of types of attacks are now possible, which now include all of the following:
Man-In-The-Middle Attack
The attacker controls all outbound routes; he can easily perform an HTTPS Man-In-The-Middle attack by forwarding specific traffic for port 443 or a destination network to a dedicated MITM network which he controls (as per previous slides).
The only thing required is a valid SSL certificate & keys for a specific domain (which he already has, see below). The attacker is between you and any site you visit or any service you use (not just websites), e.g. Skype, VOIP, SSH etc.
The attacker simply creates a static route or, more easily, publishes a Routing Information Protocol (RIP) request to the Zebra daemon running in the router for the target network address, and your traffic for that network will then be routed to the attacker's network, undetectable by you.
The attacker can then use asymmetric routing and, upon examination of the requests, he can filter the specific requests he is interested in and respond to those, but let the target website, server or service respond to everything else.
The key here is that traffic from the target website back to the user does not then have to go via the attacker's hidden network; it can go directly back to the user's public IP (which would be logged by the ISP).
MITM can be on any port or protocol, not just HTTPS (443), for example your SSH connections, all UDP or GRE, PPTP, IPSec etc., or any combination of anything.
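The route injection described above (a RIP advertisement pushed at the zebra/ripd daemons) is also something a defender can watch for from the LAN side: RIP responses can be parsed and any advertised route outside an allow-list alerted on. The following Python is an added example, not code from the paper; the packet bytes, the allowed prefix and the gateway address are constructed.

```python
"""Parse RIPv2 packets and flag route advertisements a home LAN should never
see. Added example (not from the original paper), standard library only.

On a real network the bytes would come from a UDP socket bound to port 520 on
the LAN; here build_ripv2_response() constructs the sample packet.
"""
import ipaddress
import struct
from dataclasses import dataclass

RIP_PORT = 520              # UDP port used by RIP (RFC 2453)
RIP_REQUEST, RIP_RESPONSE = 1, 2
AFI_IPV4 = 2
AFI_AUTH = 0xFFFF           # authentication entry (RFC 4822), carries no route
RIP_UNREACHABLE = 16        # metric 16 means "route withdrawn"


@dataclass(frozen=True)
class RipRoute:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address   # 0.0.0.0 means "via the sender"
    metric: int
    tag: int


def parse_ripv2(data: bytes):
    """Return (command, [RipRoute]) for one RIPv2 packet, or raise ValueError."""
    if len(data) < 4 or (len(data) - 4) % 20:
        raise ValueError("malformed RIP packet length %d" % len(data))
    command, version, _zero = struct.unpack("!BBH", data[:4])
    if version != 2:
        raise ValueError("unsupported RIP version %d" % version)
    routes = []
    for off in range(4, len(data), 20):
        afi, tag, ip, mask, nh, metric = struct.unpack("!HHIIII", data[off:off + 20])
        if afi == AFI_AUTH:
            continue
        if afi != AFI_IPV4:
            raise ValueError("unexpected address family %d" % afi)
        # strict=False: a poisoned entry may carry host bits under the mask
        mask_str = str(ipaddress.IPv4Address(mask))
        prefix = ipaddress.IPv4Network((ip, mask_str), strict=False)
        routes.append(RipRoute(prefix, ipaddress.IPv4Address(nh), metric, tag))
    return command, routes


def find_unexpected_routes(routes, allowed_prefixes, trusted_next_hops):
    """Return [(route, [reasons])] for advertisements outside the allow-list."""
    allowed = {ipaddress.IPv4Network(p) for p in allowed_prefixes}
    trusted = {ipaddress.IPv4Address(h) for h in trusted_next_hops}
    alerts = []
    for r in routes:
        if r.metric >= RIP_UNREACHABLE:
            continue  # a withdrawal cannot steer traffic anywhere
        reasons = []
        if r.prefix.prefixlen == 0:
            reasons.append("default route advertised")
        elif r.prefix not in allowed:
            reasons.append("prefix not in allow-list")
        if int(r.next_hop) != 0 and r.next_hop not in trusted:
            reasons.append("next hop %s not trusted" % r.next_hop)
        if reasons:
            alerts.append((r, reasons))
    return alerts


def build_ripv2_response(entries):
    """Build a RIPv2 response from (prefix, mask, next_hop, metric) tuples (sample data only)."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, 2, 0)
    for prefix, mask, next_hop, metric in entries:
        pkt += struct.pack("!HHIIII", AFI_IPV4, 0,
                           int(ipaddress.IPv4Address(prefix)),
                           int(ipaddress.IPv4Address(mask)),
                           int(ipaddress.IPv4Address(next_hop)), metric)
    return pkt


# Constructed sample: one legitimate LAN prefix, then two advertisements that
# would redirect traffic (a default route and a public /24) to an unknown hop.
SAMPLE_PACKET = build_ripv2_response([
    ("192.168.1.0", "255.255.255.0", "0.0.0.0", 1),
    ("0.0.0.0", "0.0.0.0", "10.0.0.1", 1),
    ("203.0.113.0", "255.255.255.0", "198.51.100.1", 2),
])
ALLOWED_PREFIXES = ["192.168.1.0/24"]   # what your own router legitimately announces (assumed)
TRUSTED_NEXT_HOPS = ["192.168.1.1"]      # your LAN gateway address (assumed)


def audit_packet(data=SAMPLE_PACKET):
    """Parse one captured packet and return the alerts for it."""
    command, routes = parse_ripv2(data)
    if command != RIP_RESPONSE:
        return []  # requests carry no routes to act on
    return find_unexpected_routes(routes, ALLOWED_PREFIXES, TRUSTED_NEXT_HOPS)


if __name__ == "__main__":
    for route, reasons in audit_packet():
        print("ALERT %s via %s metric %d: %s"
              % (route.prefix, route.next_hop, route.metric, "; ".join(reasons)))
```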
All SSL Certificates Compromised in Real-Time
The security of Public
Theft of Private Keys
Home networks are usually very insecure, mainly because only you or family use them; your guard is down and your SSH, VPN, PGP, SSL keys are all vulnerable to theft by the attacker and his available methods.
The Hack is the key mechanism that enables these thefts.
As an example of the above, if you use the modem's built-in VPN feature you usually add your certificate and private key to the modem or generate them both via its web interface; at some later time the attacker can just copy these keys to the "CES Pairing database" via his private network, and the data collected from SIGINT can later be decrypted off-line or in real-time.
In the case of keys extracted from the user's built-in VPN, the "CES Pairing database" now contains the real key/cert pair, meaning the attacker can now attack the VPN server environment directly when that server would not have been exploitable otherwise.
The attacker can also mask as the genuine user by performing the server attack from within the user's modem (using the correct source IP address); this way nothing unusual will appear in the VPN's logs. Once inside the perimeter of the VPN server the cycle repeats.
You should assume that all "Big Brand" VPNs and routers use the exact same attack strategy and architecture, with variances in the specific implementation, e.g. Big Brand supports IPSec, Little Brand supports PPTP.
The NSA Bullrun Guide states:
"The fact that Cryptanalysis and Exploitation Services (CES) works with NSA/CSS Commercial Solutions Center (NCSC) to leverage sensitive, cooperative relationships with specific industry partners".
Specific implementations may be identified by specifying Equipment Manufacturer (Big Brand/Make/Model), Service Provider (ISP) or Target Implementation (specific modem/router implementation).
In this disclosure we are interested in "Target Implementation", because in our example case BT has covertly implanted these devices in homes where there is an absolute expectation of privacy, whereas the other implementations exist within the ISP or large corporations in which you cannot expect privacy.
It's important to remember that "Big Brands" also make small SOHO DSL and cable modems.
Further evidence of the mass global distribution of this technology to at least the 14 Eyes (USA, GBR, CAN, AUS, NZL, FRA, DEU, DNK, NLD, NOR, ESP, ITA, BEL, SWE) and almost certainly many more countries:
Quote from GCHQ regarding their ability to steal your private keys:
"It is imperative to protect the fact that GCHQ, NSA and their Sigint partners have capabilities against specific network security technologies as well as the number and scope of successes. These capabilities are among the Sigint community's most fragile, and the inadvertent disclosure of the simple "fact of" could alert the adversary and result in immediate loss of the capability.
Consequently, any admission of "fact of" a capability to defeat encryption used in specific network communication technologies or disclosure of details relating to that capability must be protected by the BULLRUN COI."
The Kill Switch
Actual capabilities uncovered here include the actual ability to apply physical censorship on the Internet by governments, directed at individuals, groups, companies, entire countries or the majority of the users of the Internet at once (given a coordinated government agreement). This is something that can be turned on globally within minutes.
This "kill switch" is only a small portion of the total capabilities available that are in place right now. Essentially any operation that can be applied using a single firewall or RIP router can be applied to every customer at once.
Uploading/Download Content
The attacker can upload or download content via either your public ISP's network or via his private hidden network. The difference is that your ISP could confirm or deny from their logs whether the user did or did not upload/download content from/to a particular source.
In other words the possibilities and ability to frame someone cannot ever be overlooked.
When the attackers steal content that information always travels via the private network.
Hacking in to VOIP/Video Conferences in Real-Time
As an example, it's a trivial matter for the attacker to route specific traffic for specific media protocols such as VOIP (SIP/H.323/RTSP) etc. to his network in real-time; these protocols are usually not encrypted, so no key theft is required.
In the case of Skype it's no stretch of the imagination to assume that Microsoft handed over the keys on day one.
Those they do not redirect in real-time, as we know, will be collected via upstream SIGINT.
Tor User/Content Discovery
Users of the Tor network can easily be discovered by LAN packet fingerprinting, but also by those who download the Tor client. The attacker can stain packets leaving your network and before entering the Tor network, making traffic analysis much easier than was previously known.
All Tor traffic can be redirected to a dedicated private Tor network controlled by the attacker; in this way the attacker controls ALL Tor nodes and so can see everything you do from end-to-end.
This is not something the Tor project can fix; it can only be fixed by the user following our methods.
Tor hidden services should drop all traffic from un-trusted Tor nodes; this way clients running in the simulated Tor network will fail to connect to their destination.
Encrypted Content
The attacker is in your network and has all the tools necessary (such as operating system back doors) or zero day vulnerabilities to hack into your computers and steal your VPN, PGP, SSH keys as well as any other keys they desire. Also, content that is encrypted can be captured before encryption via any number of methods when the attacker is already inside your network.
Covert International Traffic Routing
The attacker can secretly route your traffic to the U.S. without your permission, consent or knowledge, thus bypassing any European data protection or privacy laws.
Activists
We have seen many activist groups and protest organizers identified and silenced over the past few years; we believe this is the primary method used to capture activists.
"ensorship2he attac&er has control o* the hidden ;re0all it is eas& *or the attac&er tosimpl& bloc7 tra?c based on speci;c ports or based on destination address ornet0or7 ro te *or e ample the government can bloc7 port 4999 at so rceand there*ore bloc7 all itcoin transactions+
A coordinated attac7 on the itcoin net0or7 is possible b& bloc7ing ports o*3inors aro nd the 0orld+ Red cing the hash rate and bloc7ing transactions+
6obile WIFI Attac&s 3obile devices phones/tablets etc are as easil& accessible once the& connectto &o r :$@$ net0or7 0hich is *rom the attac7ers perspective j st anothernode on the &o r "AN that the attac&er can ab se+
2he level o* sophistication or advanced encr&ption in se b& &o r :$@$ is node*ense beca se the attac7er has gained a tr sted position in &o r net0or7+
All 3AC addresses gathered *rom &o r "AN are stored in the
The Mobile Hack
… is almost certainly subject to this same attack architecture, because from the attacker's perspective his side of the infrastructure would remain the same regardless of the device being attacked.
A mobile phone these days is simply a wireless broadband modem & phone, so any encrypted messaging system, for example, can be captured before encryption. Therefore mobile phones are subject to all the same and many more attacks as per The Hack.
This would mean that mobile phone makers may well be in collusion with the NSA/GCHQ, because they would need to implement the equivalent routing and firewall ability in each mobile phone as part of the
Outbound Defense
This defense method should be used against all NSA/GCHQ Inbound and Outbound attacks. This is the only sure fire method to protect Tor clients.
This defense requires that you (control/own/rent) a Server or VM elsewhere on the Internet (far away from your ISP) and preferably in a different country.
Run a VPN such as OpenVPN between your Linux Firewall (blue) and your VPS server (green cloud); there you run Squid Proxy and DNS and block all inbound access except from your VPN. Always run your own DNS service on your VM/Server.
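One way to confirm that the outbound policy above actually holds on the Linux firewall (all Internet traffic leaves via the tunnel, no fallback path via the modem, resolver inside the tunnel), written as an added example rather than the paper's own tooling; the interface names, tunnel subnet and VPS endpoint address are assumptions, and the `ip route show` and resolv.conf text is constructed.

```python
"""Check that a Linux firewall really sends all traffic through the VPN tunnel
to the VPS and only uses the tunnel-side DNS resolver. Added example (not from
the original paper): it parses the text of `ip route show` and /etc/resolv.conf,
so it runs offline on the constructed samples below. Interface names, addresses
and the VPS endpoint are assumptions."""
import ipaddress

# Probes from both halves of IPv4 space: OpenVPN's "redirect-gateway def1"
# installs 0.0.0.0/1 and 128.0.0.0/1 instead of replacing the default route.
PROBES = ("1.1.1.1", "203.0.113.1")


def parse_ip_route(text):
    """Turn `ip route show` output into dicts: dst network, via, dev, metric."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        route = {"dst": ipaddress.IPv4Network(dst, strict=False),
                 "via": None, "dev": None, "metric": 0}
        for key, value in zip(parts[1:], parts[2:]):
            if key == "via":
                route["via"] = ipaddress.IPv4Address(value)
            elif key == "dev":
                route["dev"] = value
            elif key == "metric":
                route["metric"] = int(value)
        routes.append(route)
    return routes


def lookup(routes, address):
    """Longest-prefix match (lowest metric on ties), as the kernel would do."""
    addr = ipaddress.IPv4Address(address)
    candidates = [r for r in routes if addr in r["dst"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["dst"].prefixlen, -r["metric"]))


def check_outbound_policy(route_text, resolv_text, tun_if, lan_if, vpn_endpoint, tun_subnet):
    """Return a list of problems; an empty list means the policy holds."""
    routes = parse_ip_route(route_text)
    endpoint = ipaddress.IPv4Address(vpn_endpoint)
    tunnel = ipaddress.IPv4Network(tun_subnet)
    problems = []
    # 1. Internet-bound traffic must currently leave via the tunnel interface.
    for probe in PROBES:
        hit = lookup(routes, probe)
        if hit is None or hit["dev"] != tun_if:
            problems.append("traffic to %s leaves via %s, not %s"
                            % (probe, hit["dev"] if hit else "nowhere", tun_if))
    # 2. The only gateway route allowed on the modem side is the /32 to the VPS
    #    (the tunnel itself). Anything else is a fallback path that carries
    #    cleartext as soon as the tunnel drops.
    for r in routes:
        if r["dev"] != lan_if or r["via"] is None:
            continue
        if r["dst"].prefixlen == 32 and r["dst"].network_address == endpoint:
            continue
        problems.append("fallback route %s via %s on %s: leaks if the tunnel goes down"
                        % (r["dst"], r["via"], lan_if))
    # 3. Every resolver must sit inside the tunnel, never the ISP/modem DNS.
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            ns = ipaddress.ip_address(parts[1])
            if ns.version != 4 or ns not in tunnel:
                problems.append("nameserver %s is outside the tunnel %s" % (ns, tunnel))
    return problems


# Constructed `ip route show` output for the firewall described above.
GOOD_ROUTES = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
198.51.100.7 via 192.168.1.254 dev eth0
"""
GOOD_RESOLV = "nameserver 10.8.0.1\n"

# Same host after "redirect-gateway def1": the modem default route survives
# underneath the two /1 routes, and resolv.conf still points at the modem.
LEAKY_ROUTES = """\
default via 192.168.1.254 dev eth0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
198.51.100.7 via 192.168.1.254 dev eth0
"""
LEAKY_RESOLV = "nameserver 192.168.1.254\n"

# Assumed names: tun0 is the OpenVPN interface, eth0 faces the modem,
# 198.51.100.7 is the VPS, 10.8.0.0/24 is the tunnel subnet.
ASSUMED = dict(tun_if="tun0", lan_if="eth0", vpn_endpoint="198.51.100.7", tun_subnet="10.8.0.0/24")


def audit(route_text, resolv_text):
    return check_outbound_policy(route_text, resolv_text, **ASSUMED)


if __name__ == "__main__":
    for name, rt, rs in (("good", GOOD_ROUTES, GOOD_RESOLV), ("leaky", LEAKY_ROUTES, LEAKY_RESOLV)):
        print(name, audit(rt, rs) or "OK")
```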
An alternative short-term defense is to use OpenWRT router software that you install into the modem yourself, so that you can confirm no hidden networks or IP addresses exist and that the firewall actually functions.
However, this is technically impossible for most users.
For open source router software visit https://openwrt.org/
More Defense Tips
Isolate your WIFI from your LAN and limit by MAC address & strong passwords; alternatively, isolate your WIFI from your LAN and leave it open as a free hot-spot.
If you are capable, install your own router firmware (openwrt).
Tell your ISP you do NOT want a router with back doors or malware in it; ask them to confirm in writing that back doors do not exist, this will help you in court when suing them.
Stop using any operating systems that are known to contain back doors.
Only use Tor if you are using the Outbound Defense method, otherwise you could be using a NSA/GCHQ wonderland version of the Tor network.
It cannot be emphasized enough: never trust closed source routers.
Never use your ISP DNS servers.
MITM Defense
Until now it was not fully understood how a MITM actually worked with regard to how the attacker could get in the middle of any connection.
Now we know with 100% confidence that the man is not in the middle but in the modem, and that's how any individual can be subjected to a MITM attack. We hereby rename this attack the Man-In-The-Modem attack.
As an alternative defense for the future, in place of the previous (admittedly complex outbound defense) you could use TcpCrypt. You can prevent this attack by ensuring that your client and servers are running TcpCrypt, which is a TCP protocol extension. It works without any configuration and automatically encrypts TCP connections if both server and client support it, or it will fall back to no encryption. It's also 100% NAT friendly.
Once installed this works for any port, not just port 80; it will also protect HTTPS, SMTP, SSH and every other service.
TCPCRYPT

TcpCrypt is a very secure approach to many of the problems posed by the NSA/GCHQ because it is true native end-to-end encryption, does not require a certificate authority, and is free open source software.
The NSA have tried to kill this project a number of times and will continue to do so, or to limit its use; you must not let that happen.
If you would like to see how NSA and GCHQ agents try to kill projects like this in public, view the video at http://www.tcpcrypt.org/talk.php and listen for the voice of the NSA and then GCHQ.

Let's get all TCP connections encrypted by default.
Available now, free and open source, for Linux, Windows and OSX: visit http://www.tcpcrypt.org/
Frequently Asked Questions

Why Full Disclosure?
We are under no obligation to withhold this information from the citizens of Europe; specifically, we are not subject to any provisions of the Official Secrets Act 1989, as we have never been a member of the security and intelligence services, a Crown servant or a government contractor.
But more importantly, because:
- This information was discovered on private property.
- As security conscious users of the internet we identified serious, intentional security flaws which need to be fixed, and fast.
- The needs of the many outweigh the needs of the few.
- Under the rule of law the truth is an absolute defense, and that is what we present here.
- Lastly, because we can.

Who should read this information?
The intended audience is citizens of Europe, but also anyone who is or could be a victim of global surveillance systems; this includes everybody in the world, now and in the future.

Why does this document exist?
When a person (or persons) or a government takes away your inalienable rights, such as your Right to Privacy (especially in your own home), you take it back. This is not something that can be negotiated or traded.

What about the debate, the balance?
There is no such thing as a balance between privacy and security; you either have them both or you have none.

I'm an American, does this apply to me?
The NSA would only use this technique in the U.S. if they really thought they could go undetected. In the UK they have gone undetected until now (since 2010); you should assume that the U.S. is doing the same to all Americans, and you should use the defenses detailed herein as a precaution. We can turn off the lights ourselves.
Will stopping the BTAgent software stop these attacks?
No. BTAgent is just misdirection. It is not required or directly used in the attacks. It can be used to update the firmware of a target modem should the attacker need specific functionality on the modem, but this would be unusual. So killing BTAgent does not help (you should kill it anyway).

Is it possible that BT is unaware of this?
No. This is their firmware: controlled by BT, published by BT, updated by BT; they also lock the modems.

My equipment is completely different?
The Hack is an NSA/GCHQ global strategy and its architecture is independent of a specific make or model of modem or mobile phone. It is also independent of the transport method, e.g. dial-up vs. ADSL, DOCSIS, VDSL, cable modem etc. It sits at the top of the stack (TCP/UDP etc.), so however you connect, it connects. Each implementation will vary and improve with each generation.
You should only use fully open source firmware that is publicly verified.

I've never done anything wrong.
Yes you have: you have allowed hackers to enter your home network and plant malware that infects your computers, which may now have become part of a zombie army with tentacles controlled by the NSA/GCHQ. This is worse than any virus or worm you can imagine.

How can I verify this myself?
Follow the instructions in the following sections. You can also create simulations off-line, but that is more technical.

I would like to donate and support your work.
Thank you; please see the last page of this document for details.
How you can verify

The following section explains how you can confirm that your modem has the GCHQ/NSA back door.
In these examples we use two BT OpenReach white modems (but more accurately described as BT OverReach), models:

Huawei EchoLife HG612 and ECI B-FOCuS VDSL2 modem.

These two look almost identical. The HG612 is an earlier model.
The process of confirmation is slightly different for each modem.
We will show two ways to verify the back door: the first is something anyone can do and requires just the ping command; the second requires re-flashing the firmware so you can log in to the modem itself.
Claims of Huawei modems (left) having back doors are false: the vendor (e.g. BT) builds and installs the OS for these modems; Huawei simply provided hardware. ECI Telecom Ltd is the provider of the second modem (right), the more dangerous of the two.
Easy Confirmation

Step 1: Remove power from the modem and disconnect the telephone line.
Step 2: On your PC (assumed Linux) add the IP address 192.168.1.100, i.e.
  # ifconfig eth0:1 192.168.1.100 up
Step 3: Start pinging the modem and leave it running:
  # ping 192.168.1.1
Step 4: Connect a network cable to LAN1.
Step 5: Plug the power cable into the modem and wait for about 30 seconds for the device to boot; you will then notice:

  64 bytes from 192.168.1.1: icmp_seq=11 ttl=64 time=0.xxx ms
  64 bytes from 192.168.1.1: icmp_seq=12 ttl=64 time=0.xxx ms
  64 bytes from 192.168.1.1: icmp_seq=13 ttl=64 time=0.xxx ms

You may notice up to ten responses, then it will stop.
What is happening is that the internal Linux kernel boots, the start-up scripts then configure the internal and virtual interfaces and then turn on the hidden firewall, at which point the pings stop being answered.
In other words there is a short window (3-10 seconds) between when the kernel boots and the hidden firewall kicks in.
You will not be able to detect any other signs of the hidden network without actually logging into the modem, which is explained in the next section.
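The reply window above is easier to compare across reboots and across the two modem models if it is measured rather than read off the scrollback. The script below is an added example written for this page; it is not part of the original document. It assumes the set-up of the steps above (a Linux PC holding 192.168.1.100 on the modem's LAN, the modem answering at 192.168.1.1) and uses only ping options that exist in both iputils and BusyBox; the sample ping lines inside it are constructed.

```shell
# Added example (not from the original document): count the ICMP replies a
# modem gives while booting and report the first and last sequence numbers,
# so the "window before the hidden firewall kicks in" becomes a number.
# Assumption: the PC has 192.168.1.100 on the modem LAN (Step 2) and the
# modem answers at 192.168.1.1. Override with MODEM_IP=... if yours differs.

MODEM_IP="${MODEM_IP:-192.168.1.1}"

# reply_window: read ping output on stdin and print
#   "<replies> <first_seq> <last_seq>"
# Handles both the iputils reply format ("icmp_seq=N") and the BusyBox
# format ("seq=N"), since either may be on the PC doing the pinging.
reply_window() {
    awk '
        /bytes from/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(icmp_)?seq=/) {
                    split($i, kv, "=")
                    if (n == 0) first = kv[2]
                    last = kv[2]
                    n++
                }
            }
        }
        END { printf "%d %s %s\n", n + 0, first, last }
    '
}

# Constructed sample of what Step 5 shows, for trying reply_window offline.
SAMPLE_PING='PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=11 ttl=64 time=0.2 ms
64 bytes from 192.168.1.1: icmp_seq=12 ttl=64 time=0.4 ms
64 bytes from 192.168.1.1: icmp_seq=13 ttl=64 time=0.2 ms'

# sample_window: reply_window over the constructed sample; prints "3 11 13".
sample_window() {
    printf '%s\n' "$SAMPLE_PING" | reply_window
}

# watch_boot [SECONDS]: ping once a second for SECONDS (default 60) while
# you apply power to the modem (Step 5), then summarise. Start it first,
# then plug the modem in. With -i 1 each sequence number is one second
# after the ping started, so last_seq - first_seq + 1 is the length of the
# reply window in seconds.
watch_boot() {
    secs="${1:-60}"
    ping -c "$secs" -i 1 "$MODEM_IP" 2>/dev/null | reply_window
}
```

Run `watch_boot 60` from a shell, power the modem on, and compare the printed window for the HG612 and the ECI unit; a window that shrinks or disappears after a firmware update is worth noting.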
Hard Confirmation

For this method you will need to re-flash the modem by following the instructions in the document called hg612_unlock_instructions_v1-3 (http://huaweihg612hacking.files.wordpress.com/2011/11/hg612_unlock_instructions_v1-3.pdf).
Once you have re-flashed your modem you will be able to log in to the modem via telnet as follows.
Note: If your network is not 192.168.1.0 you will need to add the IP address to your PC as explained previously, i.e.

  # ifconfig eth0:1 192.168.1.100 up
  # telnet 192.168.1.1
  then log in with username admin, password admin,
  then type shell to get the BusyBox shell prompt.

Your telephone line should remain disconnected.
You will be surprised to learn that there exist 16 network interfaces inside the device; most are legitimate but others are part of The Hack.
All IP and MAC addresses have been redacted to protect victims' identities.

  # ifconfig -a
  br0       Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
Let's examine the routing table:

  # route -n
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0

  # ip route show
  192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1

  # netstat -n
  Active Internet connections (w/o servers)
  Proto Recv-Q Send-Q Local Address          Foreign Address        State
  tcp        0      0 192.168.1.1:23         192.168.1.100:57483    ESTABLISHED   # telnet
  tcp        0      0 127.0.0.1:2600         127.0.0.1:33287        ESTABLISHED   # Z->rip
  tcp        0      0 127.0.0.1:33287        127.0.0.1:2600         ESTABLISHED   # rip->Z
  Active UNIX domain sockets (w/o servers)
  Proto RefCnt Flags       Type       State         I-Node Path
  unix  3      [ ]         STREAM     CONNECTED     766    /var/BtAgentSocket   # SPIES Socket

Let's see what processes are running (duplicate and uninteresting lines removed for brevity):

  # ps
    PID  Uid     VSZ Stat Command
      1    0     336 S    init
    101    0         SW   [dsl0]
    116    0         SW   [eth0]
    127    0     504 S    mc
    131    0     380 S    /bin/msg msg
    136    0    1124 S    /bin/dbase
    146    0    1680 S    /bin/cms
    147    0    1148 S    /bin/cwmp
    191    0     328 S    zebra -f /var/zebra/zebra.conf
    193    0     332 S    ripd -f /var/zebra/ripd.conf
    548    0     396 S    dhcpc -i ptm1.301 -I ptm1.301

For orientation: zebra and ripd are the Quagga routing daemons (ripd speaks RIP and feeds routes to zebra over the loopback connection on port 2600 seen above), cwmp is a TR-069 (CPE WAN Management Protocol) client, the usual ISP remote-management channel, and dhcpc is requesting an address on ptm1.301, which in Linux naming is VLAN 301 on the ptm1 (VDSL packet transfer mode) line interface.
NOTE: We have redacted some IP addresses assigned to us by the attacker; xx marks a redacted part of an address.

  # route -n
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
  30.150.xx.0     0.0.0.0         255.255.xxx.0   U     0      0        0 ptm1.301
  0.0.0.0         30.150.xx.1     0.0.0.0         UG    0      0        0 ptm1.301

How close is the attacker? Very close: 7 ms.

  # ping 30.150.xx.1
  PING 30.150.xx.1 (30.150.xx.1): 56 data bytes
  64 bytes from 30.150.xx.1: seq=0 ttl=64 time=7.174 ms
  64 bytes from 30.150.xx.1: seq=1 ttl=64 time=7.648 ms
  64 bytes from 30.150.xx.1: seq=2 ttl=64 time=7.685 ms

NOTE: You are now pinging the NSA/GCHQ.

A check worth doing at this point: write down the gateway address and the subnet, look them up with whois from a different connection, and compare them with the address ranges your ISP is known to hold. A reply ttl of 64 from a Linux host means no router decremented it on the way back, so the gateway is directly attached on VLAN 301, exactly as the route table says.

Now let's see what is happening at socket level (comments on the right after #):

  # netstat -an
  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address          Foreign Address        State
  tcp        0      0 0.0.0.0:161            0.0.0.0:*              LISTEN        # This is BTAgent
  tcp        0      0 127.0.0.1:2600         0.0.0.0:*              LISTEN        # This is Zebra Router
  tcp        0      0 127.0.0.1:8011         0.0.0.0:*              LISTEN        # Transparent tproxy
  tcp        0      0 30.150.xx.xx:8081      0.0.0.0:*              LISTEN        # This NSA/GCHQ Service
  tcp        0      0 0.0.0.0:53             0.0.0.0:*              LISTEN        # This is DNS
  tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN        # This is SSH Server
  tcp        0      0 0.0.0.0:23             0.0.0.0:*              LISTEN        # This is TELNET
  tcp        0     55 192.168.1.1:23         192.168.1.100:57484    ESTABLISHED   # This telnet session
  tcp        0      0 127.0.0.1:2600         127.0.0.1:36825        ESTABLISHED   # This is zebra-rip
  tcp        0      0 127.0.0.1:36825        127.0.0.1:2600         ESTABLISHED   # This is rip->zebra
  udp        0      0 0.0.0.0:69             0.0.0.0:*                            # TFTP Server for upgrades
  Active UNIX domain sockets (servers and established)
  Proto RefCnt Flags       Type       State         I-Node Path
  unix  3      [ ]         STREAM     CONNECTED     766    /var/BtAgentSocket   # Special Agent BT

The device is now awaiting the hub/PC to issue a PPPoE discover request, at which point you will receive your "Real Public IP".
At this point the attacker has complete control of the modem and your LAN. Extra firewall rules are added the moment the ptm1.301 (VLAN 301 on the ptm1 line interface) device is enabled by the dhcpc command.
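To turn the socket listing above into a repeatable check, the script below classifies every listening socket in `netstat -an` output by the address it is bound to: loopback only, an RFC 1918 LAN address, a public line-side address, or 0.0.0.0 (every interface, which includes ptm1.301 once the firewall permits it). It is an added example written for this page, not code from the original document. It assumes the BusyBox netstat column layout shown above; the sample listing embedded in it is constructed from the table above, with the redacted octets replaced by made-up values.

```shell
# Added example (not from the original document): classify listening
# sockets from `netstat -an` by where they can be reached from.
# Assumption: BusyBox/Linux column order "Proto Recv-Q Send-Q Local
# Foreign State", as in the modem listing above.

# exposed_listeners: read netstat -an on stdin and print one line per
# listening socket as "<proto> <local address> <scope>", where scope is
#   loopback  bound to 127.x, only processes on the modem can reach it
#   lan       bound to an RFC 1918 address, reachable from the LAN side
#   wan       bound to a public address, i.e. the line side
#   all       bound to 0.0.0.0, reachable on every interface the firewall
#             allows, including ptm1.301
exposed_listeners() {
    awk '
        ($1 == "tcp" && $6 == "LISTEN") || ($1 == "udp" && $5 ~ /:\*$/) {
            split($4, a, ":")
            ip = a[1]
            if (ip == "0.0.0.0")
                scope = "all"
            else if (ip ~ /^127\./)
                scope = "loopback"
            else if (ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
                scope = "lan"
            else
                scope = "wan"
            print $1, $4, scope
        }
    '
}

# count_scope SCOPE: number of listeners in that scope (netstat on stdin).
count_scope() {
    exposed_listeners | awk -v s="$1" '$3 == s { n++ } END { print n + 0 }'
}

# Constructed sample: the modem listing above with the redacted octets
# replaced by made-up values (30.150.0.2 stands in for 30.150.xx.xx).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:161 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2600 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8011 0.0.0.0:* LISTEN
tcp 0 0 30.150.0.2:8081 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 55 192.168.1.1:23 192.168.1.100:57484 ESTABLISHED
tcp 0 0 127.0.0.1:2600 127.0.0.1:36825 ESTABLISHED
udp 0 0 0.0.0.0:69 0.0.0.0:*
Active UNIX domain sockets (servers and established)
unix 3 [ ] STREAM CONNECTED 766 /var/BtAgentSocket'

# sample_exposed SCOPE: count_scope over the constructed sample.
# On a live modem use:  netstat -an | exposed_listeners
sample_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_scope "$1"
}
```

On the sample this reports five "all" listeners (SNMP 161, DNS 53, SSH 22, telnet 23 and TFTP 69), two loopback-only (zebra 2600 and the tproxy on 8011) and one bound to the line-side address (8081). Anything in the "all" or "wan" rows is what the firewall rules added on ptm1.301 decide about, so diff this output before and after the dhcpc lease and after each firmware update.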
The UN-HACK

If you are able to log in to your router (via serial port or LAN) there is a defense which will prevent ALL the attacks using The Hack. This will un-hack the modem and needs to be done after each reboot.

Step 1: Unplug the telephone cable and boot the modem, then log in and issue the following commands (in bold); the hash is the prompt (don't type that):
Special Agent BT

This "special" software installed on all modems provided by BT is called BTAgent.
This software listens on port 161, which is the IANA assigned port for the Simple Network Management Protocol (SNMP); anyone looking at this process would automatically assume this to be the case. SNMP type programs are often referred to as SNMP Agents.
The primary purpose of BTAgent is unpublished, but a version has been partially reverse engineered and the software does download firmware and update the modem's flash.
BT's response to queries about their BTAgent is to claim that they need to "remotely manage modems for security purposes".

User concerns with BTAgent:
1. It's closed source
2. Users cannot turn it off
3. The secretive nature and responses from BT
4. Users cannot upgrade the firmware using BTAgent
5. Port 161 is open to the public internet

The second (special) purpose of the BTAgent is purely reverse psychology. It is designed to keep you wondering about it, to cause you to waste your time reverse engineering it when it may well be what it says on the tin, and while you are thinking about BTAgent you're not thinking about the other network interfaces, such as ptm1.301, and the dhcpc requests, which all look innocent but actually perform the dirty deeds right in the open.
When you reverse engineer BTAgent and publish your results, this allows the NSA/GCHQ to target you for other types of attacks.
We should remember that with a single firmware update from BTAgent it could morph itself into what we originally feared!
Psychological and Physical Barriers

The NSA/GCHQ will do anything and everything to stop The Hack being discovered. The first step is to deal with the majority of users and prevent them from even thinking about opening up, or even touching, the modem.
Some of the suggestions listed here may seem extreme, but the less interest created in this box, the less attention it receives from consumers.

1. It's a white box; psychologically it's not a "black box", so it should be safe.
2. It comes in a plain brown cardboard box which contains no words or graphics whatsoever, with a single white bar-code label giving the make/model of the modem.
3. The BT engineer personally carries and installs it in your home, while other components such as the BT Home Hub, the more expensive component, are sent through the postal system. BT cannot leave this shiny white modem hanging around for a week while they allocate your connection: you may try to open it or do research about it online, and they want to know who is researching it.
4. The telephone socket (RJ11) is designed such that when you plug in the telephone cable it becomes very difficult to remove it, much more so than a standard telephone RJ11. It's not just a case of pinching the lever; you have to pinch and push further in, then remove. This is subtle, but it will prevent a lot of people from even attempting to disconnect the telephone cable, just in case they break it.
5. The older model was easy to open, just a few screws; the newer model is almost impossible to open because it is clip-locked closed, meaning that you will damage it if you attempt to open it.
6. Red warning sticker on the back, "Don't cover Air Holes": wise, but scary.
7. The only documentation is a single piece of white paper detailing how it should be mounted; there are no instructions about which cables go where. This is designed never to be touched.
8. All internal serial port headers are removed so you can't easily hack it.
9. The modem is plain white and square, extremely uninteresting, boring.

"Nothing to see here, move along."

All of this subtle "Anti-Marketing" for the most advanced BT product?
Social Attacks on Engineers

Having discovered the attack architecture and disabled it, we decided to visit some forums online; we were interested to see if anyone anywhere is close to uncovering The Hack, and how the NSA/GCHQ react to such issues.
Generally there are engineers chatting and sharing pictures of their modems and how they solder wires on to the (usually hidden) serial ports; the discussions usually lead to logging in and gaining root access to the modem, or replacing the firmware altogether.
When engineers start to get really close, something extraordinary usually happens, almost like "superman to the rescue": someone who is highly qualified, someone who has built up a reputation of being an ethical hacker/security expert, introduces themselves and produces what appears to be a major breakthrough in gaining access to the modems.
However, because of the "ethical" element, superman, instead of sharing the method, contacts BT, or BT contacts superman directly, and they agree to allow BT to fix the flaw (e.g. giving BT a head start of a set number of days), after which superman will publish the method he used.
All things being equal this is fair enough, but things are not all equal, because this was a complete smoke screen played out to discourage the engineers from further development, knowing that in a few weeks "superman" will give them access.
Many of the engineers/enthusiasts waiting end up getting caught by upgrades of their modem's firmware, which then lock them out of the game.
This is a cat and mouse game and engineers should be very wary of those bearing gifts: their agenda is to slow you down and prevent you from making any progress, hoping you will just give up.
You can clearly see this on the BT forums as well as others such as http://www.psidoc.com, http://www.kits.co.uk/ and http://community.bt.com, and others. Reverse engineering is legal, legitimate and a great source of innovation.
About the Authors

The authors of this document wish to remain anonymous. However, we are fully prepared to stand in a court of law and present our evidence.
We are a group of technical engineers; we are not associated with any activist groups whatsoever. We don't have a name, but if we did it would probably be "The Adversaries", according to NSA/GCHQ.

Our Mission

Freedom is only appreciated when lost. We are on the brink of an irreversible totalitarian multi-government regime, and even though the European Parliament has stated that citizens should not have to defend themselves against state sponsored cybercrime, the fact remains that our own governments continue to attack us in our own homes while we sleep.
Our mission is defensive and legal. Our objectives are to expose the sources and methods used by those that harm our personal freedoms and rights, and to provide practical information to individuals around the world allowing them to defend themselves against such cyber attacks.
We believe this, as well as future disclosures, to be in the public interest.

Donations

Our ongoing work is technical, slow, tedious and expensive; any donations are very welcome. We only accept bitcoins at this time.
bitcoin 'D.Hj91DS m)2)m5 12 S,ocdd)H jma 4
You can also support us by sending this document to a friend or hosting it on your website.

Licensed under the Creative Commons Attribution-NoDerivs (CC BY-ND) license.