the hack.pdf

Upload: kk1985

Post on 04-Jun-2018


TRANSCRIPT

8/13/2019 The Hack.pdf 1/50

Full Disclosure

The Internet Dark Age

Removing Governments' on-line stranglehold

Disabling NSA/GCHQ major capabilities (BULLRUN / EDGEHILL)

Restoring on-line privacy - immediately

by

The Adversaries

Update 1

Spread the Word

Uncovered //NONSA//NOGCHQ//NOGOV - CC BY-ND

On September 5th 2013, Bruce Schneier wrote in The Guardian:

"The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability."

"The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO - Tailored Access Operations - group. TAO has a menu of exploits it can serve up against your computer - whether you're running Windows, Mac OS, Linux, iOS, or something else - and a variety of tricks to get them on to your computer. Your anti-virus software won't detect them, and you'd have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it's in. Period."

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

The evidence provided by this Full-Disclosure is the first independent, technical, verifiable proof that Bruce Schneier's statements are indeed correct.
Full Disclosure

Internet Wire-Tapping

WARNING: BT Broadband Equipment Contains NSA/GCHQ Back Doors

NSA/GCHQ Sources and Methods Uncovered

We explain how NSA/GCHQ:

Are Internet wiretapping you

Break into your home network

Perform 'Tailored Access Operations' (TAO) in your home

Steal your encryption keys

Can secretly plant anything they like on your computer

Can secretly steal anything they like from your computer

How to STOP this Computer Network Exploitation

Dedicated to the Whistle-Blower Mr Edward J. Snowden.

We expose NSA/GCHQ's Most Secret Weapon - Control - and how you can defeat it.

Table of Contents

Preface

Disclosures

Source of this Information

Our Laws

Companies

Technical Nature of this Information

Credibility of this Research

Privacy vs Security

Motivation

Terminology

Your Home Network

The Hack

How it Works

Preface

Source of this Information

"The simple knowledge that we may be clandestinely observed in our own homes provided the determination to find the truth, which we did."

This information is not the result of any knowledge of classified documents or leaks but is based on information in the public domain and our own fact-finding mission, namely Forensic and Network Analysis Investigations of private SOHO networks located in the UK.

As we detail the methods used you will see that the information was uncovered fairly, honestly and legally, on private property, using privately owned equipment.

Our Laws

There is no law that we are aware of that grants the UK Government the ability to install dual-use surveillance technology in millions of homes and businesses in the UK.

Furthermore, there is no law we are aware of that grants the UK Government the ability to use such technology to spy on individuals and families in their own homes on the mass scale that this system is deployed.

If there are such hidden laws, the citizens of the UK are certainly unaware of them and should be warned that such laws exist and that such activity is being engaged in by their own Government.

All of the evidence presented is fully reproducible.

It is our belief that this activity is NOT limited to the UK.

Companies

BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the UK, as our evidence will demonstrate.

BT have directly enabled Computer Network Exploitation (CNE) of all its home and business customers.

Technical Nature of this Information

The information described here is technical; this is because in order to subvert technology the attackers need to be able to fool and confuse experts in the field and keep them busy, slowing them down. Regardless, the impact and effect can be understood by everybody.

Your main take-away from this disclosure is to understand conceptually how these attacks work; you can then put security measures in place to prevent such attacks.

Credibility of this Research

Privacy vs Security

Loss of privacy is a breach of personal security, and the legal violation of privacy is purely a consequence of that security loss.

Motivation

After studying in detail the revelations by Edward Snowden we realized there was a large missing part of the puzzle.

There has been little to nothing published on specifically how the attackers technically achieve their goals. Most information published is based on theoretical situations.

If we don't know how hackers actually achieve these security breaches we cannot defend against such breaches.

For example, a slide similar to the following was published; of all the slides released it is uninteresting and easily dismissed, as it simply describes what is commonly known as a theoretical Man-In-The-Middle attack.

The media focus of the slide is of course Google's Servers, and your first thought might be 'this is Google's problem to solve', but what if 'Google Server' was 'My Bank's Servers'? You would probably be more concerned because that may directly affect you.

But we thought: what if 'Google Server' was 'Any Server, Anywhere?'

Our investigation led us to uncover and understand how this attack really works in practice, how it is implemented, and the hair-raising reality of its true nature: this is not just a back door but an entire attack platform and distributed architecture.

Terminology

To ease explanation we are going to use standard security terms from here on.

Attacker: GCHQ, NSA, BT Group or any combination.

The Hack: The technical method used by the attackers to illegally break into your home network, computers and phones.

Basic Security

Your Home Network

In order to explain how these Computer Network Exploitation attacks work and how this affects you personally we must first look at the architecture of a typical home or office network. Look familiar to you?

Most Internet connections consist of a DSL-type modem and one or more Ethernet ports attached to the modem, to which you connect your computers, devices, add-on switches etc.

There are two security factors in operation here:

a) NAT-based networking, meaning that your home computers are hidden and all share a single public IP address

b) Your modem has a built-in firewall which blocks inbound traffic. The inherent security assumption is that data cannot pass from the inbound DSL line to a LAN switch port without first being accepted or rejected by the built-in firewall.

For the technically minded, these security assumptions are further reinforced if the modem's software is open source, e.g. using Linux, and its source code is freely and openly available as per the GNU GPL requirements.

Given that the above is the most common architecture on the Internet, as it applies to almost every home and office everywhere, let's now revisit that first slide, but this time we ask one simple question:

How do the attackers get between You and Google or some other service?

On closer inspection of the diagram you will notice that "Google Request" and the Attacker (Log into Router) share the same router. When this slide was released we all assumed that this router was either Google's own router or some upstream router; that way the attacker could intercept packets and perform a Man-In-The-Middle (MITM) attack.

However, this would not work for every website or service on the Internet. The attacker would need to be upstream everywhere!

So where does the attacker hide? Where is this Common Router? Again we ask:

How do the attackers get between You and Google or some other service?

Let's examine the diagram one last time.

You guessed it, it's right inside your house. It's the router supplied by your trusted Internet Service Provider (ISP).

The Hack

This example is based on the UK version of what we are calling The Hack, using BT Internet services. If you are not in the UK, and regardless of the service, you should always assume that the exact same principles detailed here are always being used against you regardless of your country or ISP.

The Hack is based on the fact that a second secret/hidden network and second IP address is assigned to your modem. Under normal use you cannot detect or see this from your LAN, but the attacker has direct access to your modem and LAN in your house from the Internet.

How it Works

[…] but other vendors' modems may well use different VLANs. The original slide has a strange number [unreadable in this copy] with a grey background; we think this represents the VLAN number/Vendor number, so BT would be [unreadable in this copy].

This hidden network is not visible from your Modem's Web Interface and is not subject to your firewall rules; it is also not subject to any limitations as far as the switch portion of your modem is concerned, and the hidden network also has all ports open for the attacker.

Other tools and services are permanently enabled inside the modem which greatly aid the attacker, such as Zebra & Ripd routing daemons, iptables firewall, SSH remote shell server, along with a dhcp client.

These tools allow the attacker to control 100% of the modem functionality from the Internet and in an undetectable manner. e.g. the attacker can

forward all your DNS requests to their private network; they can selectively route specific protocols, ports or networks, or everything, to their network, and by default they do.

Although the hidden network is owned by U.S. D.O.D. it is located within the UK, as the ping time to the attacker's IP gateway is < 8ms from within the UK.

This clearly demonstrates that the UK Government, U.S. Government, U.S. Military and BT are co-operating together to secretly wiretap all Internet users in their own homes (with few exceptions). The modems are provided by BT and locked down. If you cannot confirm otherwise you must assume that all ISPs in the UK by policy have the same techniques deployed.

Your home network actually looks something like the following diagram. To the right is the […]

As we move to new generations of hardware the modems are very sophisticated and very covert; the engineers capable of even attempting to replace the firmware become practically non-existent.

As we detail, the sole purpose of locking the modem is to prevent people discovering that they are actually being wiretapped by BT on behalf of NSA/GCHQ.

As a side note, NSA describe Linux/Open Source as Indigenous and a SIGINT target.

NSA documents describe this means of SIGINT collection as:

Others include:

and

Your Real Network

The following is a more realistic view of your home network and what is now possible given that the attacker now has secret access to your home LAN.

It is now a simple matter to use other tools and methods available to the attacker to penetrate your internal computers; this includes:

Steal private VPN/SSH/SSL/PGP keys

Infect machines with viruses

Install key loggers

Install screen loggers

Clone/destroy hard drives

Upload/destroy content as required

Steal content as required

Access Corporate VPNs

Clean up after operations

Route traffic on demand (e.g. MITM)

Censorship and Kill Switch

Passive observation

The Attacks

This section lists the attacks on you that are now possible by the NSA/GCHQ.

Later we show how you can defend against these attacks, and it would be wise to implement our defenses with immediate effect.

Unlike the revelations so far by Snowden, where the attacks occur out there somewhere on the Internet, these attacks happen in your home/office.

The attacks listed are the most obvious attacks; some are mentioned in the Edward Snowden revelations and referred to as Computer Network Exploitation (CNE).

Internal Network Access

The attacker has direct access to your LAN and is inside your firewall.

Your modem acts as a server; it listens on lots of ports such as SSH (22) and TELNET (23), so the attacker can just hop on to it (but you cannot).

This is possible because another hidden bridged interface exists with its own VLAN. Firewall rules do not apply to this interface, so the attacker can see your entire LAN and is not subject to your firewall rules, because those rules apply to the BT link (black line) not the attacker's link (red lines).

[…] possible about all the devices attached to your network.

All your hardware can be identified by the specific MAC addresses and then fingerprinted for specific protocols and software versions. All this cannot be detected unless you are logged into your locked modem.

The above is just the base platform of the NSA/GCHQ from which hundreds of types of attacks are now possible, which now include all of the following:

Man-In-The-Middle Attack

The attacker controls all outbound routes; he can easily perform an HTTPS Man-In-The-Middle attack by forwarding specific traffic for port 443, or a destination network, to a dedicated MITM network which he controls (as per previous slides).

The only thing required is a valid SSL certificate & keys for a specific domain (which he already has, see below). The attacker is between you and any site you visit or any service you use (not just websites), e.g. Skype, VoIP, SSH etc.

The attacker simply creates a static route or, more easily, publishes a Routing Information Protocol (RIP) request to the zebra daemon running in the router for the target network address, and your traffic for that network will then be routed to the attacker's network, undetectable by you.

The attacker can then use asymmetric routing: upon examination of the requests he can filter the specific requests he is interested in and respond to those, but let the target website, server or service respond to everything else.

The key here is that traffic from the target website back to the user does not then have to go via the attacker's hidden network; it can go directly back to the user's public IP (which would be logged by the ISP).

MITM can be on any port or protocol, not just HTTPS (443); for example your SSH connections, all UDP, or GRE, PPTP, IPSec etc., or any combination of anything.
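The route-injection step described above (a RIP advertisement delivered to the modem's zebra/ripd daemons) is also what a defender can watch for on the LAN. The following Python is an added example, not code from the original document: it parses a RIPv2 message in the RFC 2453 wire layout and flags advertisements whose next hop is not a trusted gateway or whose prefix covers a destination you care about. The packet and every address in it (203.0.113.0/24, 10.0.0.254, 192.168.1.254) are constructed placeholders.

```python
"""Parse RIPv2 messages (RFC 2453 wire layout) and flag advertisements that
would divert traffic to an unexpected gateway: the route-injection step the
document describes against the zebra/ripd daemons inside the modem.

Added example, not code from the original document. The packet below is
constructed inline; 203.0.113.0/24 is a documentation prefix and
10.0.0.254 / 192.168.1.254 are placeholder gateways."""
import ipaddress
import struct

RIP_HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")   # afi, tag, ip, mask, next hop, metric
RIP_RESPONSE = 2
RIP_AFI_INET = 2
RIP_AFI_AUTH = 0xFFFF
RIP_INFINITY = 16
ANY = ipaddress.IPv4Address("0.0.0.0")


def parse_ripv2(data):
    """Return (command, version, entries) for one RIPv2 datagram payload.

    Authentication entries (AFI 0xFFFF) are skipped; a body that is not a
    whole number of 20-byte entries is rejected as malformed."""
    if len(data) < RIP_HEADER.size:
        raise ValueError("truncated RIP header")
    command, version, _zero = RIP_HEADER.unpack_from(data, 0)
    body = data[RIP_HEADER.size:]
    if len(body) % RIP_ENTRY.size:
        raise ValueError("RIP body is not a whole number of entries")
    entries = []
    for off in range(0, len(body), RIP_ENTRY.size):
        afi, tag, ip, mask, nh, metric = RIP_ENTRY.unpack_from(body, off)
        if afi == RIP_AFI_AUTH:
            continue
        if afi != RIP_AFI_INET:
            raise ValueError("unsupported address family %d" % afi)
        prefix = ipaddress.IPv4Network(
            "%s/%s" % (ipaddress.IPv4Address(ip), ipaddress.IPv4Address(mask)),
            strict=False)
        entries.append({"prefix": prefix, "next_hop": ipaddress.IPv4Address(nh),
                        "metric": metric, "tag": tag})
    return command, version, entries


def suspicious_routes(data, sender, trusted_gateways, watched_prefixes):
    """Return [(prefix, reason)] for advertised routes worth alerting on.

    sender: source address of the datagram (a next hop of 0.0.0.0 means
    "route via the sender", RFC 2453 section 4.4).
    trusted_gateways: gateways allowed to attract your traffic.
    watched_prefixes: destinations (your bank, your VPN endpoint, ...) for
    which any non-default advertised route is suspicious."""
    command, _version, entries = parse_ripv2(data)
    if command != RIP_RESPONSE:
        return []                      # requests carry no routes to act on
    trusted = {ipaddress.IPv4Address(g) for g in trusted_gateways}
    watched = [ipaddress.IPv4Network(p) for p in watched_prefixes]
    findings = []
    for e in entries:
        if e["metric"] >= RIP_INFINITY:
            continue                   # a withdrawal, not a reachable route
        gw = ipaddress.IPv4Address(sender) if e["next_hop"] == ANY else e["next_hop"]
        if gw not in trusted:
            findings.append((str(e["prefix"]),
                             "next hop %s is not a trusted gateway" % gw))
        # A default route covers everything and is normal; anything more
        # specific that overlaps a watched destination would steer it.
        if e["prefix"].prefixlen > 0:
            for w in watched:
                if e["prefix"].overlaps(w):
                    findings.append((str(e["prefix"]),
                                     "covers watched destination %s" % w))
    return findings


def build_sample_response():
    """Constructed RIPv2 response: one injected /24 plus a benign default."""
    def entry(prefix, next_hop, metric):
        net = ipaddress.IPv4Network(prefix)
        return RIP_ENTRY.pack(RIP_AFI_INET, 0, net.network_address.packed,
                              net.netmask.packed,
                              ipaddress.IPv4Address(next_hop).packed, metric)
    return (RIP_HEADER.pack(RIP_RESPONSE, 2, 0)
            + entry("203.0.113.0/24", "10.0.0.254", 1)   # would divert this /24
            + entry("0.0.0.0/0", "0.0.0.0", 1))          # default via the sender


if __name__ == "__main__":
    pkt = build_sample_response()
    for prefix, why in suspicious_routes(pkt, "192.168.1.254",
                                         ["192.168.1.254"], ["203.0.113.0/24"]):
        print(prefix, "->", why)
```

Feed it the UDP payload of anything arriving on port 520 at your own firewall; on a LAN where you never enabled RIP, any response at all is already worth an alert.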

All SSL Certificates Compromised in Real-Time

The security of Public Key Infrastructure (PKI) is based primarily on the security of the owners' private keys. These private keys are not necessarily required in order to perform a MITM attack.

All that is required is an actual duplicate signed certificate using NSA/GCHQ's own private keys. The MITM attack can be as simple as running a transparent proxy: you will always see a valid certificate but be unable to detect the attack.

At the point of the proxy all your traffic is decrypted in real-time, at which point targeted packet injection can occur, or it is simply monitored.

It makes perfect sense that the trusted Certificate Authority (CA) actually makes a second duplicate SSL certificate with a separate set of NSA-provided private keys, as the CA never sees the real certificate owner's private keys.

Theft of Private Keys

Home networks are usually very insecure, mainly because only you or family use them; your guard is down and your SSH, VPN, PGP, SSL keys are all vulnerable to theft by the attacker and his available methods.

The Hack is the key mechanism that enables these thefts.

As an example of the above: if you use the modem's built-in VPN feature you usually add your certificate and private key to the modem or generate them both via its web interface. At some later time the attacker can just copy these keys to the "CES Pairing database" via his private network; the data collected from SIGINT can later be decrypted off-line or in real-time.

In the case of keys extracted from the modem's built-in VPN, the "CES Pairing database" now contains the real key/cert pair, meaning the attacker can now attack the VPN server environment directly when that server would not have been exploitable otherwise.

The attacker can also masquerade as the genuine user by performing the server attack from within the user's modem (using the correct source IP address); this way nothing unusual will appear in the VPN's logs. Once inside the perimeter of the VPN server the cycle repeats.

You should assume that all "Big Brand" VPNs and routers use the exact same attack strategy and architecture, with variances in the specific implementation, e.g. Big Brand supports IPSec, Little Brand supports PPTP.

The NSA Bullrun Guide states:

"The fact that Cryptanalysis and Exploitation Services (CES) works with NSA/CSS Commercial Solutions Center (NCSC) to leverage sensitive cooperative relationships with specific industry partners".

Specific implementations may be identified by specifying Equipment Manufacturer (Big Brand […]

[…] cable modems.

Further evidence of the mass global distribution of this technology to at least the 14 Eyes: USA, GBR, CAN, AUS, NZL, FRA, DEU, DNK, NLD, NOR, ESP, ITA, BEL, SWE

The Kill Switch

Actual capabilities uncovered here include the ability to apply physical censorship on the Internet by governments, directed at individuals, groups, companies, entire countries or the majority of the users of the Internet at once (given a coordinated government agreement). This is something that can be turned on globally within minutes.

This "kill switch" is only a small portion of the total capabilities available that are in place right now. Essentially any operation that can be applied using a single firewall or RIP router can be applied to every customer at once.

Upload/Download Content

The attacker can upload or download content via either your public ISP's network or via his private hidden network. The difference is that your ISP could confirm or deny from their logs that the user did or did not upload/download content from/to a particular source.

In other words the possibilities and ability to frame someone cannot ever be overlooked.

Tor User/Content Discovery

Users of the Tor network can easily be discovered by LAN packet fingerprinting, but also by those who download the Tor client. The attacker can stain packets leaving your network, before they enter the Tor network, making traffic analysis much easier than was previously known.

All Tor traffic can be redirected to a dedicated private Tor network controlled by the attacker; in this way the attacker controls ALL Tor nodes and so can see everything you do from end-to-end.

This is not something the Tor project can fix; it can only be fixed by the user following our methods.

Tor hidden services should drop all traffic from un-trusted Tor nodes; this way clients running in the simulated Tor network will fail to connect to their destination.

Encrypted Content

The attacker is in your network and has all the tools necessary (such as operating system back doors) or zero-day vulnerabilities to hack into your computers and steal your VPN, PGP, SSH keys as well as any other keys they desire. Also, content that is encrypted can be captured before encryption via any number of methods when the attacker is already inside your network.

Covert International Traffic Routing

The attacker can secretly route your traffic to the U.S. without your permission, consent or knowledge, thus bypassing any European data protection or privacy laws.

Activists

Knowing the victim's ISP would indicate which ISPs are involved.

Destroy Systems

Released documents state that the U.S. Cyber Command have the ability to disable or completely destroy an adversary's network and systems; the first step to this would be to penetrate the adversary's network firewall, making secondary steps much easier.

Censorship

The attacker has control of the hidden firewall; it is easy for the attacker to simply block traffic based on specific ports or based on destination address or network route. For example the government can block port 8333 at source and therefore block all Bitcoin transactions.

A coordinated attack on the Bitcoin network is possible by blocking the ports of Miners around the world, reducing the hash rate and blocking transactions.

Mobile WIFI Attacks

Mobile devices (phones/tablets etc.) are as easily accessible once they connect to your […] XKEYSCORE database, so they can be used to identify specific devices and specific locations, allowing the attacker to track you without the aid of GPS or where no GPS signal exists.

Document Tracking

Microsoft embeds the physical MAC addresses of the computer inside documents it creates. This allows the source of a document to be identified easily. The following is from the XKEYSCORE PowerPoint.

The Mobile Hack

2G/3G/4G Mobile Attacks

Given the NSA/GCHQ plan to spy on "any phone, anywhere, any time", The Hack detailed in this document is a carrier-independent method to achieve that goal that works very well. The attacker will almost certainly re-use the same strategy for all Mobile phones or wireless broadband devices.

Your mobile phone (2G/3G/4G) is almost certainly subject to this same attack architecture, because from the attacker's perspective his side of the infrastructure would remain the same regardless of the device being attacked.

A mobile phone these days is simply a wireless broadband modem & phone, so any encrypted messaging system, for example, can be captured before encryption. Therefore mobile phones are subject to all the same and many more attacks as per The Hack.

This would mean that mobile phone makers may well be in collusion with the NSA, because they would need to implement the equivalent routing and firewall ability in each mobile phone as part of the OS if it was to remain hidden.

The mobile phone version of The Hack is also much more difficult to detect than the broadband version. Mobile phones make more use of IPv6, and the overall complexity of IPv6 means that even experts may not know what they are looking at in the routing tables, even if they could see them. Carriers often have multiple IPs for the different services they provide.

Even top-up mobile phones without any credit can be accessed; for example the mobile phones' top-up services are always available and their DNS servers are always accessible regardless of your top-up credit state.

Modern kernels use multiple routing tables (e.g. ip rule show) for policy-based routing, so again unless you confirm who owns a specific IPv6 range it will be difficult to spot, especially as firmware hackers are not even looking for such back doors. Maybe now they will.
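The tell-tales named above and under "How it Works" (a second bridged VLAN interface, extra policy-routing tables reachable via ip rule show, routes to a gateway you never configured) can be checked on any Linux box you have a shell on, such as your own second firewall or a modem reflashed with OpenWrt. The following Python is an added example, not code from the original document: it parses the text output of `ip -d link show`, `ip rule show` and `ip route show table all` and reports anything outside an allowlist. The sample output, interface names, VLAN id 77 and all addresses are constructed placeholders.

```python
"""Audit a Linux host for the tell-tales the document describes: extra
802.1Q VLAN sub-interfaces, extra policy-routing tables and routes via
gateways you never configured.

Added example, not code from the original document. It parses the text
output of `ip -d link show`, `ip rule show` and `ip route show table all`;
the samples below are constructed, with a placeholder VLAN id (77) and
placeholder addresses."""
import re

STANDARD_TABLES = {"local", "main", "default"}
ROUTE_TYPES = {"unicast", "local", "broadcast", "multicast", "unreachable",
               "prohibit", "blackhole", "throw", "nat", "anycast"}


def parse_vlans(link_output):
    """Map each 802.1Q sub-interface (from `ip -d link show`) to its VLAN id."""
    vlans = {}
    # Every interface block starts at column 0 with "N: name[@parent]:".
    for block in re.split(r"(?m)^(?=\d+:\s)", link_output):
        head = re.match(r"\d+:\s+([^:@\s]+)", block)
        vid = re.search(r"vlan protocol 802\.1Q id (\d+)", block)
        if head and vid:
            vlans[head.group(1)] = int(vid.group(1))
    return vlans


def parse_rules(rule_output):
    """Return [(priority, selector, table)] from `ip rule show`."""
    rules = []
    for line in rule_output.splitlines():
        m = re.match(r"\s*(\d+):\s+(.*?)\s+lookup\s+(\S+)", line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def parse_routes(route_output):
    """Return [{dst, via, dev, table}] from `ip route show table all`."""
    routes = []
    for line in route_output.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ROUTE_TYPES:      # leading route type, e.g. "local"
            tok = tok[1:]
        r = {"dst": tok[0], "via": None, "dev": None, "table": "main"}
        for key in ("via", "dev", "table"):
            if key in tok:
                r[key] = tok[tok.index(key) + 1]
        routes.append(r)
    return routes


def audit(link_output, rule_output, route_output, allowed_vlans, trusted_gateways):
    """Return human-readable findings; an empty list means nothing odd."""
    findings = []
    for name, vid in parse_vlans(link_output).items():
        if vid not in allowed_vlans:
            findings.append("vlan: %s carries unexpected VLAN id %d" % (name, vid))
    for prio, selector, table in parse_rules(rule_output):
        if table not in STANDARD_TABLES:
            findings.append("rule: priority %d (%s) diverts to table %s"
                            % (prio, selector, table))
    for r in parse_routes(route_output):
        if r["table"] not in STANDARD_TABLES:
            findings.append("route: %s via %s dev %s lives in table %s"
                            % (r["dst"], r["via"] or "-", r["dev"], r["table"]))
        if r["via"] and r["via"] not in trusted_gateways:
            findings.append("route: %s uses untrusted gateway %s on %s"
                            % (r["dst"], r["via"], r["dev"]))
    return findings


# Constructed sample output: a second VLAN on the WAN-facing port with its
# own table-100 default route, the shape of the hidden network the document
# describes (names, ids and addresses are placeholders).
SAMPLE_LINK = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0
3: eth0.77@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0
    vlan protocol 802.1Q id 77 <REORDER_HDR>
"""
SAMPLE_RULES = """\
0:      from all lookup local
32765:  from 192.168.1.0/24 lookup 100
32766:  from all lookup main
32767:  from all lookup default
"""
SAMPLE_ROUTES = """\
default via 192.168.1.254 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
default via 10.0.0.254 dev eth0.77 table 100
10.0.0.0/24 dev eth0.77 table 100 proto kernel scope link src 10.0.0.5
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.10
"""


def run_sample():
    """Audit the sample expecting no VLAN sub-interfaces and one gateway."""
    return audit(SAMPLE_LINK, SAMPLE_RULES, SAMPLE_ROUTES, set(), {"192.168.1.254"})


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On a real host pipe the three commands' output into the same functions and keep the allowlists to exactly what you configured yourself.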

Basic Defense

Knowing how you are being attacked is half the battle, but in this case, due to the attacker's abuse of a privileged position and the fact that the attacker is your own government and its foreign partners, defense is much more difficult compared to a common virus, worms or hackers.

One of the best defenses is to take Legal action against BT or your ISP.

If you are serious about your privacy don't expect any help from your attackers (as attackers never help their victims). You must ensure your own privacy. Before we explain practical defenses here are some good tips.

Secure your end-points

Never ever trust ISP supplied equipment (e.g. router, firewall, STBs); always consider such devices as hostile and position them in your network architecture accordingly, i.e. in the Militarized Zone (MZ)

Do not use any built-in features of ISP equipment (e.g. Firewalls, VPNs)

Never ever trust a device that has any closed source firmware or other elements, regardless of the excuses that your attacker gives you

Never trust a device whose firmware you cannot change yourself, regardless of "big brand" names

Disable all protocols that you don't use or don't understand, especially TR-069 and any other Remote Management features; these are all part of the surveillance control system (e.g. BTAgent firmware update)

Always use a second Linux firewall which you control and that you have built

Control all your NAT on your second Linux firewall, not the ISP's supplied router

Make sure you control all end-points whenever possible

Ensure that 100% of packets, UDP/TCP (e.g. including DNS), are encrypted leaving your second firewall (this is the key to end-point security); this requires using the Outbound Defense method described later

Always use a VPN and remote proxy that you control or trust; disable logging altogether to protect privacy. This requires using the Outbound Defense method described later

Inbound Defense

This defense method against most NSA/GCHQ Inbound attacks is fairly easy to implement and not too technical; everybody, at a minimum, should include this method in their defense strategy.

The strategy will only prevent NSA/GCHQ from hacking into your home/office LAN. It cannot prevent other direct attacks, because the attacker can still intercept and route all packets leaving your property.

A second Linux firewall device (blue) that you control and manage is placed in front of the ISP router, effectively placing the ISP's router in the Militarized Zone (MZ), i.e. the Internet. A single cable (red) is used to link the LAN of the ISP router to the Internet LAN port of the Linux firewall.

Block all inbound access, including multicast packets, from the ISP router; run DHCP and NAT on your Linux firewall.

Your second firewall can then issue PPPoE requests via its Internet port and create a local ppp0 device which will be its new Internet connection. All packets leaving the firewall will now be PPPoE encapsulated.

An alternative short-term defense is to use OpenWRT router software that you install into the modem yourself, so that you can confirm no hidden networks or IP addresses exist and that the firewall actually functions.

However, this is technically impossible for most users.

For open source router software visit https://openwrt.org/

More Defense Tips

Isolate your […]

MITM Defense

Until now it was not fully understood how a MITM actually worked with regard to how the attacker could get in the middle of any connection.

Now we know with 100% confidence that the man is not in the middle but in the modem, and that's how any individual can be subjected to a MITM attack.

TCPCRYPT

Tcpcrypt is a very secure approach to many of the problems posed by the NSA/GCHQ because it is true native end-to-end encryption, does not require a certificate authority, and is free open source software.

The NSA have tried to kill this project a number of times and will continue to do so or limit its use; you must not let that happen.

If you would like to see how NSA and GCHQ agents try to kill projects like this in public, view the video http://www.tcpcrypt.org/talk.php and go to 26:22 and hear the voice of the NSA and then GCHQ.

Let's get all TCP connections Encrypted by default

Available now, free, open source for Linux Kernel Developers - please support

Tcpcrypt Kernel Module

http://www.tcpcrypt.org/
Frequently Asked Questions

Why Full Disclosure?

[…] they have gone undetected until now (since [year unreadable in this copy], as evidenced by the date of the firmware); you should assume that the U.S. is doing the same to all Americans, and you should use the defenses as detailed herein as a precaution.


Will stopping BTAgent software stop these Attacks?

No. BTAgent is just misdirection. It is not required or directly used in the attacks. It can be used to update the firmware of a target modem should the attacker need specific functionality on the modem, but this would be unusual. So killing BTAgent does not help (you should kill it anyway).

Is it possible that BT is unaware of this?

No, this is their firmware: controlled by BT, published by BT, updated by BT; they also lock the modems.

My equipment is completely different?

The Hack is an NSA/GCHQ Global Strategy and its architecture is independent of a specific make or model of modem or mobile phone; it is also independent of the transport method, e.g. dial-up vs. ADSL, DOCSIS, VDSL, cable modem, etc. It sits at the top of the stack (TCP/UDP etc.), so however you connect, it connects. Each implementation will vary and improve with each generation.

You should only use fully open source firmware that is publicly verified.

I've never done anything wrong

Yes you have: you have allowed hackers to enter your home network and plant malware that infects your computers, which may now have become part of a zombie army with tentacles controlled by the NSA/GCHQ. This is worse than any virus or worm you can imagine.

How can I verify this myself?

Follow the instructions in the following sections; you can also create simulations off-line, but that is more technical.

I would like to donate and support your work

Thank you, please see the last page of this document for details.


How you can verify

The following section explains how you can confirm that your modem has the GCHQ/NSA back door.

In these examples we use two BT Openreach white modems (more accurately described as BT Overreach), models:

Huawei EchoLife HG612 and ECI B-FOCuS VDSL2 modem.

These two look almost identical. The HG612 is an earlier model.

The process of confirmation is slightly different for each modem.


Easy Confirmation

Step 1. Remove power from the modem and disconnect the telephone line.

Step 2. On your PC (assumed Linux) add an IP address 192.168.1.100, i.e.:

# ifconfig eth0:1 192.168.1.100 up

Step 3. Start to ping 192.168.1.1 from your PC, i.e.: # ping 192.168.1.1

Step 4. Connect a network cable to LAN1.

Step 5. Plug in the power cable to the modem and wait for about 30 seconds for the device to boot; you will then notice:

64 bytes from 192.168.1.1: icmp_seq=11 ttl=64 time=0.923 ms
64 bytes from 192.168.1.1: icmp_seq=11 ttl=64 time=0.492 ms
64 bytes from 192.168.1.1: icmp_seq=11 ttl=64 time=0.14 ms

You may notice up to ten responses, then it will stop.
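The boot-time ping check above, scripted as an added example that is not part of the original document: it performs steps 2, 3 and 5 unattended and reports whether anything answered on 192.168.1.1 while the modem booted, and over which icmp_seq range. It assumes a Linux PC with iputils ping, the modem's LAN1 wired to the interface in IFACE (eth0 by default), and uses ip rather than the text's ifconfig; IFACE and WINDOW are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original document. Automates the "Easy Confirmation"
# steps: give the PC a 192.168.1.100 alias, ping 192.168.1.1 for a fixed window
# while the modem boots, then report how many replies arrived and over which
# icmp_seq range. Assumed: Linux, iputils ping, modem LAN1 wired to $IFACE.
IFACE="${IFACE:-eth0}"
MY_ADDR="192.168.1.100/24"
MODEM_ADDR="192.168.1.1"
WINDOW="${WINDOW:-60}"   # seconds to keep pinging after you apply power

# count_replies: read ping output on stdin, print the number of echo replies.
count_replies() {
    n=0
    while IFS= read -r line; do
        case "$line" in *"bytes from $MODEM_ADDR"*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# seq_range: read ping output on stdin, print "<first> <last>" icmp_seq of the
# replies (not of unreachable notices), or "none none" if nothing answered.
# The text says replies stop after about ten, so the range shows when the
# hidden address woke up and when it went quiet again.
seq_range() {
    first=""; last=""
    while IFS= read -r line; do
        case "$line" in *"bytes from"*icmp_seq=*)
            s="${line#*icmp_seq=}"; s="${s%% *}"
            [ -n "$first" ] || first="$s"
            last="$s" ;;
        esac
    done
    echo "${first:-none} ${last:-none}"
}

# verdict: "responded" if any reply came back during the boot window, else "clean".
verdict() { [ "$1" -gt 0 ] && echo "responded" || echo "clean"; }

run_check() {   # needs root; this is steps 2, 3 and 5 of the text in one go
    ip addr add "$MY_ADDR" dev "$IFACE" 2>/dev/null || true
    echo "Connect LAN1 and apply power now; pinging $MODEM_ADDR for $WINDOW s ..."
    out=$(ping -w "$WINDOW" "$MODEM_ADDR" 2>&1 || true)
    n=$(printf '%s\n' "$out" | count_replies)
    echo "replies=$n icmp_seq=$(printf '%s\n' "$out" | seq_range) verdict=$(verdict "$n")"
    ip addr del "$MY_ADDR" dev "$IFACE" 2>/dev/null || true
}

if [ "${1:-}" = "--run" ]; then run_check; fi
```

Run it as root with `--run`, apply power to the modem when prompted, and compare the verdict with the text: a modem whose hidden 192.168.1.1 address answers during boot reports "responded".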


Hard Confirmation

Method 1) No firmware modification required. Kill the following processes:
# killall zebra ripd dnsmasq httpd sshd MidServer

Kill the pids of the /bin/sh /BTAgent/ro/start:
# kill <pids>

Now kill all of the BTAgent processes:
# killall btagent

Unmount the BTAgent partition:
# umount /usr/BTAgent

Remove the attacker's VLAN 301:
# vconfig rem ptm1.301

Kill the rogue dhcpc process with force (-9) or it will re-spawn:
# killall -9 dhcpc

Remove all hidden firewall rules:
# iptables -F -t mangle
# iptables -F -t nat
# iptables -F

Step 2. Plug in the telephone cable and the DSL will connect to BT (without the NSA/GCHQ listening).

Step 3. Now start your PPPoE session from your second Linux firewall machine as per the instructions for Inbound Defense and Outbound Defense as applicable, and enjoy your privacy.
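A report-only audit of the indicators that the Hard Confirmation step removes, as an added example that is not part of the original document: it lists which of the named daemons are running, whether the ptm1.301 VLAN exists and how many iptables rules each table holds, so the modem can be checked before and after the cleanup (or the functions can be run over saved output). It assumes a BusyBox-style ps, /proc/net/vlan/config and iptables -S on the modem; WATCH_PROCS and WATCH_VLAN are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original document: a report-only audit of the
# indicators the "Hard Confirmation" step removes (daemons, the ptm1.301 VLAN,
# dhcpc, hidden iptables rules). Nothing is killed or flushed; it only reports.
# Assumed: BusyBox "ps", /proc/net/vlan/config and "iptables -S" on the modem.
WATCH_PROCS="zebra ripd dnsmasq httpd sshd MidServer btagent dhcpc"
WATCH_VLAN="ptm1.301"

# found_procs: read "ps" output on stdin, print the watched names that are running
# (matched as a whole word or as the basename of a path, not as a substring).
found_procs() {
    hits=""
    while IFS= read -r line; do
        for p in $WATCH_PROCS; do
            case " $line " in
                *"/$p "*|*" $p "*) case " $hits " in *" $p "*) ;; *) hits="$hits $p" ;; esac ;;
            esac
        done
    done
    echo "${hits# }"
}

# vlan_present: read /proc/net/vlan/config on stdin; succeed if the VLAN exists.
vlan_present() { grep -q "^$WATCH_VLAN[[:space:]]*|"; }

# rule_count: read "iptables -S" output on stdin, print the number of rules
# (-A lines); policies (-P) are not rules. Expected to be 0 after the flushes.
rule_count() {
    n=0
    while IFS= read -r line; do
        case "$line" in "-A "*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

audit() {   # run on the modem itself
    echo "watched processes running: $(ps | found_procs)"
    if [ -r /proc/net/vlan/config ] && vlan_present < /proc/net/vlan/config; then
        echo "VLAN $WATCH_VLAN: present"
    else
        echo "VLAN $WATCH_VLAN: absent"
    fi
    for t in filter nat mangle; do
        echo "iptables $t rules: $(iptables -S -t "$t" 2>/dev/null | rule_count)"
    done
}

if [ "${1:-}" = "--run" ]; then audit; fi
```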


Special Agent BT

This "special" software installed on all modems provided by BT is called BTAgent.

This software listens on port 161, which is the IANA assigned port for Simple Network Management Protocol (SNMP); anyone looking at this process would automatically assume this to be the case. SNMP type programs are often referred to as SNMP Agents.

The primary purpose of BTAgent is unpublished, but a version has been partially reverse engineered and the software does download firmware and update the modem's flash.

BT's response to queries about their BTAgent is to claim that they need to "remotely manage modems for security purposes".

User concerns with BTAgent:

1. It's closed source
2. Users cannot turn it off
3. The secretive nature and responses from BT
4. Users cannot upgrade the firmware using BTAgent
5. Port 161 is open to the public internet

The second (special) purpose of the BTAgent is purely reverse psychology, designed to keep you wondering about it, to cause you to waste your time reverse engineering it when it may well be what it says on the tin; and while you're thinking about BTAgent you're not thinking about the other network interfaces such as ptm1.301 and the dhcpc requests, which all look innocent but actually perform the dirty deeds right in the open.


Psychological and Physical Barriers

The NSA/GCHQ will do anything and everything to stop The Hack being discovered. The first step is to deal with the majority of users and prevent them from even thinking about opening it up or even touching the modem.

Some of the suggestions listed here may seem extreme, but the less interest created in this box, the less attention it receives from consumers.

1. It's a white box; psychologically it's not a "black box", so it should be safe.

2. It comes in a plain brown cardboard box which contains no words or graphics whatsoever, with a single white bar-code label with the make/model of the modem.

3. The BT engineer personally carries and installs it in your home, while other components such as the BT Home Hub, the more expensive component, are sent through the postal system. BT cannot leave this shiny white modem hanging around for a week while they allocate your connection: you may try to open it or do research about it online, and they want to know who is researching it.

4. The telephone socket (RJ11) is designed such that when you plug in the telephone cable it becomes very difficult to remove, much more so than a standard telephone RJ11. It's not just a case of pinching the lever; you have to pinch and push further in, then remove. This is subtle, but it will prevent a lot of people from even attempting to disconnect the telephone cable just in case they break it.

5. The older model was easy to open, just a few screws; the newer model is almost impossible to open because it is clip locked closed, meaning that you will damage it if you attempt to open it.

6. Red


Social Attacks on Engineers

Having discovered the attack architecture and disabled it, we decided to visit some forums online; we were interested to see if anyone anywhere is close to uncovering The Hack and how the NSA/GCHQ react to such issues.

Generally there are engineers chatting and sharing pictures of their modems and how they solder wires on to the (usually hidden) serial ports; the discussions usually lead to logging in and gaining root access to the modem, or replacing the firmware altogether.


Counter-Intelligence

The NSA/GCHQ et al. have been watching and attacking us; it's about time we turned the tables, started defending ourselves and also watching them.

This section is not going to detail specific techniques but rather suggest overall approaches, some of which we have done over a period of months.

NSA Honeypots

Now we understand the attack architecture, we can simulate the modem in a MIPS Virtual Machine (BTAgent is not required).


About the Authors

The authors of this document wish to remain anonymous. However, we are fully prepared to stand in a court of law and present our evidence.