Engaging one's brain to analyze a denser standalone document can be somewhat painful after one's grown accustomed to the intellectual diarrhea of the blogosphere.
Small point. The devices called out by the authors are not routers, they are MODEMS which are only installed on Fibre To The Cabinet installations. (These modems are then connected, usually, to an ISP-supplied router such as the BT Home Hub or whatever equivalent your ISP chooses to use.)
Fibre installs are by no means the majority or even the standard in the UK. But obviously the general "don't trust your ISP router if you really think the security services are after you" advice would seem to hold good no matter how you're connected.
The basic points (TR069, remote-accessible backdoors for "configuration changes" by the provider - greetings and my personal choice swear words to Telefonica/O2 Germany here!) are still valid for DSL connections.
The router is the perfect gateway into your private home network, especially as Windows disables the firewall in a "home network"...
I just read through the whole document and it felt like someone was narrating a bad infomercial. It takes 30 pages for the document to get into the technical bits and then the research (and mitigation!) methods feel somewhat half-hearted.
1. The "fix" is to log in to the system and manually disable at runtime the VLAN and firewall rules. Nothing is said about making the fixes permanent - as if the authors have never experienced a wedged modem or router. Or had their power go out. (Perhaps they assume everyone has an UPS in place.)
2. The presence of extra VLAN is clear, that's true. I would have wanted to see redacted traffic dumps from a controlled lab network, where the authors actually show that the device attaches to a known VLAN. Right now we have nothing but their inference about egress firewall going up shortly after device boot.
It looks like a real deal. It's just presented in a way that puts me off. I'm waiting for external confirmation and more technical data.
From the terminal sessions, it seems like they're basically describing an IP management interface for a unit that is presumed to be doing modem only (have no IP), and characterizing things in the most sensationalist way possible.
Of course the default gateway is close - it's the next IP hop. If it's indeed being used as a NSA/GCHQ backdoor, the actual attacker is at a different address.
Traffic snooping is surely much easier to implement upstream, and your ISP is indeed upstream of everywhere, despite what this paper alludes to.
As far as a branching off point for attacks on your network - given that this seems to be a modem-only unit, there's still your router between it and your local network. It seems that its attack surface remains the same as for a dumb PPPoE translator.
edit: Actually they could be describing an entire modem+router combo, but an error in saying the lan PC initiates its own "PPPoE" request threw me off. The interfaces look like a multi-port router (in the one's I've seen, the CPU usually has one ethernet interface which goes into the port of a vlan-capable switch). Really, the lack of showing what the complete config looks like when the user's PC is online makes it hard to see what they're actually getting at.
The only actual suspicious thing presented here is the specific 30/8 IP address, and perhaps that has another explanation (address reuse?). Independent verification is needed, but definitely not using their flawed "Method 2" which clearly changes your modem's complete setup :P.
If you attempt to close any backdoors you'll only bring suspicion to yourself. For example using tcpcrypt, you'll only be flagging yourself as an anomaly possibly worthy of inspection.
99.9% of people don't know and don't care about this sort of stuff, you can always thank the bottom of the barrel
I read the whole paper, and it doesn't at all look like the "real deal".
No actual evidence in the form of malware samples (after exploitation of the netwrok), detected "duplicate" certificates or whatever is provided. Not even network captures of any MITM traffic going to the hidden VLAN.
The only "evidence" provided was the presence of the hidden VLAN, which got assigned some 30.x.x.x IPv4 addr via DHCP.
This could simply be some internal management VLAN of the ISP. As the author had stated, the ISP installs updates remotely. So that's their way of connecting to the router. Regardless of updates, ISPs always have a way of managing their equipment remotely.
A WHOIS was performed by the author, and the address turns out to belong to the DoD. Howerver, it's more likely that since this is a "private" VLAN, this address has nothing to do with internet WHOIS records. It was just made up by the ISP.
The authors getting a ping of 8ms to the NSA/GCHQ, is really just them talking to some local server at their ISP.
Also the described attack on TOR seems completely wrong. No details were provided, but the basic premise looks to be just wrong.
To conclude, this whole paper smells to me of sensationalism and confirmation bias.
19 comments
[ 3.2 ms ] story [ 60.3 ms ] threadBut to those of us who have heard/known of TR069, we knew that stuff like this would eventually surface...
Fibre installs are by no means the majority or even the standard in the UK. But obviously the general "don't trust your ISP router if you really think the security services are after you" advice would seem to hold good no matter how you're connected.
The router is the perfect gateway into your private home network, especially as Windows disables the firewall in a "home network"...
1. The "fix" is to log in to the system and manually disable at runtime the VLAN and firewall rules. Nothing is said about making the fixes permanent - as if the authors have never experienced a wedged modem or router. Or had their power go out. (Perhaps they assume everyone has an UPS in place.)
2. The presence of extra VLAN is clear, that's true. I would have wanted to see redacted traffic dumps from a controlled lab network, where the authors actually show that the device attaches to a known VLAN. Right now we have nothing but their inference about egress firewall going up shortly after device boot.
It looks like a real deal. It's just presented in a way that puts me off. I'm waiting for external confirmation and more technical data.
Of course the default gateway is close - it's the next IP hop. If it's indeed being used as a NSA/GCHQ backdoor, the actual attacker is at a different address.
Traffic snooping is surely much easier to implement upstream, and your ISP is indeed upstream of everywhere, despite what this paper alludes to.
As far as a branching off point for attacks on your network - given that this seems to be a modem-only unit, there's still your router between it and your local network. It seems that its attack surface remains the same as for a dumb PPPoE translator.
edit: Actually they could be describing an entire modem+router combo, but an error in saying the lan PC initiates its own "PPPoE" request threw me off. The interfaces look like a multi-port router (in the one's I've seen, the CPU usually has one ethernet interface which goes into the port of a vlan-capable switch). Really, the lack of showing what the complete config looks like when the user's PC is online makes it hard to see what they're actually getting at.
The only actual suspicious thing presented here is the specific 30/8 IP address, and perhaps that has another explanation (address reuse?). Independent verification is needed, but definitely not using their flawed "Method 2" which clearly changes your modem's complete setup :P.
https://news.ycombinator.com/item?id=6887850
https://news.ycombinator.com/item?id=6888251 -- one of the better comments that explains what the authors probably thought they were observing.
No actual evidence in the form of malware samples (after exploitation of the netwrok), detected "duplicate" certificates or whatever is provided. Not even network captures of any MITM traffic going to the hidden VLAN.
The only "evidence" provided was the presence of the hidden VLAN, which got assigned some 30.x.x.x IPv4 addr via DHCP.
This could simply be some internal management VLAN of the ISP. As the author had stated, the ISP installs updates remotely. So that's their way of connecting to the router. Regardless of updates, ISPs always have a way of managing their equipment remotely.
A WHOIS was performed by the author, and the address turns out to belong to the DoD. Howerver, it's more likely that since this is a "private" VLAN, this address has nothing to do with internet WHOIS records. It was just made up by the ISP.
The authors getting a ping of 8ms to the NSA/GCHQ, is really just them talking to some local server at their ISP.
Also the described attack on TOR seems completely wrong. No details were provided, but the basic premise looks to be just wrong.
To conclude, this whole paper smells to me of sensationalism and confirmation bias.