[liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches
rguerra at privaterra.org
Wed Sep 4 17:33:09 PDT 2013
Curious on people's comments on types of routers, firewalls and other appliances that might be affected as well as mitigation strategies. Would installing a pfsense and/or other open source firewall be helpful in any way at a home net location?
Phone/Cell: +1 202-905-2081
Email: rguerra at privaterra.org
On 2013-09-04, at 4:12 PM, Eugen Leitl wrote:
> NSA Laughs at PCs, Prefers Hacking Routers and Switches
> BY KIM ZETTER 09.04.13 6:30 AM
> Photo: Santiago Cabezas/Flickr
> The NSA runs a massive, full-time hacking operation targeting foreign
> systems, the latest leaks from Edward Snowden show. But unlike conventional
> cybercriminals, the agency is less interested in hacking PCs and Macs.
> Instead, America’s spooks have their eyes on the internet routers and
> switches that form the basic infrastructure of the net, and are largely
> overlooked as security vulnerabilities.
> Under a $652-million program codenamed “Genie,” U.S. intel agencies have
> hacked into foreign computers and networks to monitor communications crossing
> them and to establish control over them, according to a secret black budget
> document leaked to the Washington Post. U.S. intelligence agencies conducted
> 231 offensive cyber operations in 2011 to penetrate the computer networks of
> targets abroad.
> This included not only installing covert “implants” in foreign desktop
> computers but also on routers and firewalls — tens of thousands of machines
> every year in all. According to the Post, the government planned to expand
> the program to cover millions of additional foreign machines in the future
> and preferred hacking routers to individual PCs because it gave agencies
> access to data from entire networks of computers instead of just individual
> Most of the hacks targeted the systems and communications of top adversaries
> like China, Russia, Iran and North Korea and included activities around
> nuclear proliferation.
> The NSA’s focus on routers highlights an often-overlooked attack vector with
> huge advantages for the intruder, says Marc Maiffret, chief technology
> officer at security firm Beyond Trust. Hacking routers is an ideal way for an
> intelligence or military agency to maintain a persistent hold on network
> traffic because the systems aren’t updated with new software very often or
> patched in the way that Windows and Linux systems are.
> “No one updates their routers,” he says. “If you think people are bad about
> patching Windows and Linux (which they are) then they are … horrible about
> updating their networking gear because it is too critical, and usually they
> don’t have redundancy to be able to do it properly.”
> He also notes that routers don’t have security software that can help detect
> a breach.
> “The challenge [with desktop systems] is that while antivirus don’t work well
> on your desktop, they at least do something [to detect attacks],” he says.
> “But you don’t even have an integrity check for the most part on routers and
> other such devices like IP cameras.”
> Hijacking routers and switches could allow the NSA to do more than just
> eavesdrop on all the communications crossing that equipment. It would also
> let them bring down networks or prevent certain communication, such as
> military orders, from getting through, though the Post story doesn’t report
> any such activities. With control of routers, the NSA could re-route traffic
> to a different location, or intelligence agencies could alter it for
> disinformation campaigns, such as planting information that would have a
> detrimental political effect or altering orders to re-route troops or
> supplies in a military operation.
> According to the budget document, the CIA’s Tailored Access Programs and
> NSA’s software engineers possess “templates” for breaking into common brands
> and models of routers, switches and firewalls.
> The article doesn’t say it, but this would likely involve pre-written scripts
> or backdoor tools and root kits for attacking known but unpatched
> vulnerabilities in these systems, as well as for attacking zero-day
> vulnerabilities that are yet unknown to the vendor and customers.
> “[Router software is] just an operating system and can be hacked just as
> Windows or Linux would be hacked,” Maiffret says. “They’ve tried to harden
> them a little bit more [than these other systems], but for folks at a place
> like the NSA or any other major government intelligence agency, it’s pretty
> standard fare of having a ready-to-go backdoor for your [off-the-shelf] Cisco
> or Juniper models.”
> Not all of the activity mentioned in the budget document involved remote
> hacking. In some cases, according to the document, the operations involved
> clandestine activity by the CIA or military intelligence units to “physically
> place hardware implants or software modifications” to aid the spying.
> “Much more often, an implant is coded entirely in software by an NSA group
> called Tailored Access Operations (TAO),” the Post writes in its story about
> the document. “As its name suggests, TAO builds attack tools that are
> custom-fitted to their targets.”
> A handful of security researchers have uncovered vulnerabilities in routers
> in recent years that could be used to do the kind of hacking described in the
> budget document.
> In 2005, security researcher Mike Lynn found a serious vulnerability in Cisco
> IOS, the operating system running on millions of Cisco routers around the
> Lynn discovered the vulnerability after his employer, Internet Security
> Systems, asked him to reverse-engineer the Cisco operating system to see if
> he could find security problems with it. Cisco makes the majority of the
> routers that operate the backbone of the internet as well as many company
> networks and critical infrastructure systems. The Cisco IOS is as ubiquitous
> in the backbone as the Windows operating system is on desktops.
> The vulnerability Lynn found, in a new version of the operating system that
> Cisco planned to release at the time, would have allowed someone to create a
> router worm that would shut down every Cisco router through which it passed,
> bringing down a nation’s critical infrastructure. It also would have allowed
> an attacker to gain complete control of the router to sniff all traffic
> passing through a network in order to read, record or alter it, or simply
> prevent traffic from reaching its recipient.
> Once Lynn found the vulnerability, it took him six months to develop a
> working exploit to attack it.
> Lynn had planned to discuss the vulnerability at the Black Hat security
> conference in Las Vegas, until Cisco intervened and forced him to pull the
> talk under threat of a lawsuit.
> But if Lynn knew about the vulnerability, there were likely others who did as
> well — including intelligence agencies and criminal hackers.
> Source code for Cisco’s IOS has been stolen at least twice, either by
> entities who were interested in studying the software to gain a competitive
> advantage or to uncover vulnerabilities that would allow someone to hack or
> control them.
> Other researchers have uncovered different vulnerabilities in other Cisco
> routers that are commonly used in small businesses and home offices.
> Every year at computer security conferences — including the Black Hat
> conference where NSA Director Keith Alexander presented a keynote this year —
> U.S. intelligence agencies and contractors from around the world attend to
> discover information about new vulnerabilities that might be exploited and to
> hire talented researchers and hackers capable of finding more vulnerabilities
> in systems.
> In 2008, a researcher at Core Security Technologies developed a root kit for
> the Cisco IOS that was designed to give an attacker a persistent foothold on
> a Cisco router while remaining undetected.
> According to the Post story, the NSA designs most of the offensive tools it
> uses in its Genie operation, but it spent $25.1 million in one year for
> “additional covert purchases of software vulnerabilities” from private
> malware vendors who operate on the grey market — closed markets that peddle
> vulnerabilities and exploits to law enforcement and intelligence agencies, as
> opposed to the black market that sells them to cyber criminals.
> The price of vulnerabilities and exploits varies, depending on a number of
> factors. Vulnerabilities and exploits can sell for anywhere from $50,000 to
> more than a million, depending on the exclusivity of the purchase — some
> vulnerabilities are sold to multiple parties with the understanding that
> others are using it as well — and their ubiquity. A vulnerability that exists
> in multiple versions of an operating system is more valuable than a
> vulnerability that exists in just one version. A class of vulnerability that
> crosses multiple browser brands is also more valuable than a single
> vulnerability that just affects the Safari browser or Chrome.
> The Stuxnet cyber weapon that was reportedly created by the U.S. and Israel
> to sabotage centrifuges used in Iran’s uranium enrichment program, used five
> zero-day exploits to spread itself among systems in Iran, including a rare
> exploit that attacked the .LNK function in multiple versions of the Windows
> operating system in order to spread the worm silently via infected USB
> Ubiquitous router vulnerabilities are difficult to find since there are so
> many different configurations for routers, and an attack that works against
> one router configuration might not work for another. But a vulnerability that
> affects the core operating system is much more valuable since it is less
> likely to be dependent on the configuration. Maiffret says there hasn’t been
> a lot of public research on router vulnerabilities, but whenever someone has
> taken a look at them, they have found security holes in them.
> “They’re always successful in finding something,” he says.
> Once a vulnerability becomes known to the software maker and is patched, it
> loses a lot of its value. But because many users and administrators do not
> patch their systems, some vulnerabilities can be used effectively for years,
> even after a patch is available. The Conficker worm, for example, continued
> to infect millions of computers long after Microsoft released a patch that
> should have stopped the worm from spreading.
> Routers in particular often remain unpatched because system administrators
> don’t think they will be targeted and because administrators are concerned
> about network outages that could occur while the patch is applied or if the
> patch is faulty.
> Kim Zetter is a senior reporter at Wired covering cybercrime, privacy,
> security and civil liberties.
> Read more by Kim Zetter
> Follow @KimZetter and @ThreatLevel on Twitter.
> Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.
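Maiffret's point above that routers and similar appliances carry no integrity check, together with the question at the top of the thread about mitigation at a home network, is what this added example addresses. It is not code from the list post, from Wired, or from any vendor; it shows the defender-side control that is missing on the device itself: take a baseline hash of each device's configuration while it is known-good, store it off the device, and compare later pulls against it. The device names, the IOS-style configuration text and the list of "volatile" header lines are all constructed for illustration and are assumptions, not a real platform's format; the one design point worth noticing is that the hash is taken over a normalized config, so timestamp lines that legitimately change between pulls do not produce false alerts, while an unexpected static route does.

```python
"""Baseline-and-drift integrity check for network device configurations.

Hypothetical example: the device names, config text and the volatile-line
patterns below are constructed for illustration, not taken from any vendor.
"""
import hashlib
import re

# Header lines that legitimately change between pulls (timestamps, counters).
# Constructed, IOS-style patterns; a real deployment tunes these per platform.
VOLATILE_LINE_PATTERNS = [
    re.compile(r"^! Last configuration change at .*$"),
    re.compile(r"^! NVRAM config last updated at .*$"),
    re.compile(r"^ntp clock-period \d+$"),
]


def normalize(config_text: str) -> str:
    """Drop volatile lines and trailing whitespace so only real changes alter the hash."""
    kept = []
    for line in config_text.splitlines():
        line = line.rstrip()
        if any(p.match(line) for p in VOLATILE_LINE_PATTERNS):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def fingerprint(config_text: str) -> str:
    """SHA-256 over the normalized configuration text."""
    return hashlib.sha256(normalize(config_text).encode("utf-8")).hexdigest()


def build_baseline(configs: dict) -> dict:
    """Map device name -> fingerprint, taken while the devices are known-good.

    Keep the result somewhere the device cannot rewrite it (a separate host).
    """
    return {name: fingerprint(text) for name, text in configs.items()}


def check_drift(baseline: dict, current: dict) -> dict:
    """Compare the latest pulls against the stored baseline.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}:
    modified   - device config no longer matches its baseline hash
    missing    - device in the baseline that produced no config this run
    unexpected - device that produced a config but has no baseline entry
    """
    result = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in baseline.items():
        if name not in current:
            result["missing"].append(name)
        elif fingerprint(current[name]) != expected:
            result["modified"].append(name)
    for name in current:
        if name not in baseline:
            result["unexpected"].append(name)
    return result


def changed_lines(old_text: str, new_text: str) -> tuple:
    """(added, removed) lines between two normalized configs, for triage of a hit."""
    old = set(normalize(old_text).splitlines())
    new = set(normalize(new_text).splitlines())
    return sorted(new - old), sorted(old - new)


# --- Constructed sample data (not real devices; addresses are documentation ranges) ---
GOOD_EDGE = """\
! Last configuration change at 10:02:11 UTC Mon Sep 2 2013
hostname edge-1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.0.2.254
!
line vty 0 4
 transport input ssh
!
end
"""

# The same device pulled two days later: only the timestamp differs, must not alert.
LATER_EDGE = GOOD_EDGE.replace("10:02:11 UTC Mon Sep 2 2013", "03:14:00 UTC Wed Sep 4 2013")

# The same device with an unexpected static route added: must alert.
TAMPERED_EDGE = LATER_EDGE.replace(
    "ip route 0.0.0.0 0.0.0.0 192.0.2.254\n",
    "ip route 0.0.0.0 0.0.0.0 192.0.2.254\n"
    "ip route 203.0.113.0 255.255.255.0 198.51.100.9\n",
)


def demo() -> dict:
    """Baseline one device, then check a run with a modified and an unknown device."""
    baseline = build_baseline({"edge-1": GOOD_EDGE})
    return check_drift(baseline, {"edge-1": TAMPERED_EDGE, "lab-9": GOOD_EDGE})


if __name__ == "__main__":
    print(demo())
    print(changed_lines(GOOD_EDGE, TAMPERED_EDGE))
```

How the configuration is pulled from each device (serial console, SSH, a vendor export) is deliberately left out; whatever the channel, the baseline must live on a host the device cannot write to, and the comparison should run from there, otherwise a compromised device simply reports whatever hash it likes. This checks the configuration, not the firmware image, so it complements rather than replaces checking the image against the vendor's published hash before an upgrade.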