
UPD Confusion Over Alleged GCHQ and NSA Backdoor in BT FTTC Modems

Tuesday, December 17th, 2013 (11:33 am) - Score 4,631

Computer networks, especially the Internet, are complicated animals that can at times be difficult to understand, which may explain why a recent report that claims to have uncovered a secret backdoor for UK GCHQ and US NSA spies in BTOpenreach’s FTTC (VDSL) modems has gained such traction. But is it really a backdoor?

So far as conspiracy theories go, this is at least a fun if largely incorrect one. The “Full Disclosure” report, which was created by an anonymous group called The Adversaries and published on the Wikileaks-style Cryptome document archive (here), effectively claims that BT has created a secret backdoor in two of its VDSL Modems for the NSA and GCHQ to spy on their customers.

The Adversaries say:

“BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the UK as our evidence will demonstrate. BT have directly enabled Computer Network Exploitation (CNE) of all its home and business customers.”

The modems in question – Huawei’s EchoLife HG612 and the ECI B-FOCuS – are both used as part of BT’s national deployment of up to 40-80Mbps capable FTTC superfast broadband services (note: ISPs can now deploy their own modems or routers). The modem plugs into your phone/FTTC socket and then the other side connects to your router.

The Adversaries added:

“When the DSL connection is established a covert DHCP request is sent to a secret military network owned by the U.S. Government D.O.D. You are then part of that U.S. D.O.D. military network, this happens even before you have been assigned your public IP address from your actual ISP.

This spy network is hidden from the LAN/switch using firewall rules and traffic is hidden using VLANs in the case of BT et al, it uses VLAN 301, but other vendors modems may well use different VLANs. The original slide has a strange number 242 with grey background, we think this represents the VLAN number/Vendor number so BT would be 301.

This hidden network is not visible from your “Modem’s Web Interface” and not subject to your firewall rules, also not subject to any limitations as far as the switch portion of your modem is concerned and the hidden network also has all ports open for the attacker.”

The report itself, which seems to be gaining some traction around the Internet despite a fair number of loopy claims and assumptions, then proceeds to explain how the modem allegedly performs all of these tricks and how you can replicate it yourself. Indeed it is possible to uncover the same behaviour as the group claims to have revealed but the problem is with their conclusion.

For example, the document notes BT’s use of a US military (DoD) IP range (30.x.x.x). But this isn’t uncommon and it actually references a private network. Computers on a home network, which often use IP ranges like, are also private networks and that means you can’t use those IPs on the Internet. Many other routers do something similar.

Next we have the creation of an allegedly hidden spy network that’s supposedly set up using a Virtual Local Area Network (VLAN), which is similar to a traditional LAN (e.g. your home network) but tends to be more common on bigger domain-based corporate networks. But this seems to be related to the common management protocol TR-069, which again is used by a lot of ISPs and allows the provider some access to remotely test and manage your broadband link (TR-069 can also support centrally managed services like VoIP etc.).

According to the boss of broadband ISP Andrews & Arnold (AAISP), Adrian Kennard, the VLAN has to be separate as the main FTTC/GEA service is an Ethernet level connection and not IP, so “would not be usable for TR-069”. ISPreview.co.uk consulted Kennard on this subject before reporting because AAISP has developed a good knowledge about the inner workings of Openreach’s VDSL modem (example).

In fairness TR-069 has its own problems, which last year caused a similar security scare among BTInfinity (FTTC) customers (here). But so far ISPs seem able to handle this securely and many routers allow it to be switched off in their advanced settings, although this might make the service more difficult for some people to set up.

Adrian Kennard told ISPreview.co.uk:

“Sadly, this sort of document undermines real concerns and issues that get raised from time to time.

The fact that the ISP could, if they wanted to, re-flash the modem/router, for almost any ISP connection does, indeed, mean that they could install all sorts of stuff directly on the device if they wanted to – but they don’t have any reason to, and there is no evidence of any NSA/GCHQ back doors.

At A&A we only use the BT modems for FTTC, and in that case there would be a router/firewall under the end-user control behind it, so nothing on the modem could do anything useful even if there was some secret conspiracy (i.e. any more useful than trying to attack traffic at the exchange or in the internet).”

The fact is that most routers do a lot of odd and indeed some very silly things under the hood, which can look like one thing when they’re actually another, and we’re not convinced that this is any different. Better evidence is required before real spying could be established and what we have here is simply not enough.

Similarly if an ISP really wanted to spy on you then we can think of better ways of doing it and all without putting the code into a piece of CPE kit that anybody could break apart and discover, much as the above group has done.

On top of that Openreach’s VDSL modems are likely to be increasingly shunned by ISPs as self-install FTTC becomes more common, with some providers already starting to ship their own kit. Alternatively consumers could simply go out and buy their own device if they wanted.

However we always think that it’s a good idea to approach computer and network security from the point of being a little paranoid. The claims made by the group, while extreme and almost certain to be the wrong conclusion, have at least put the spotlight back onto the issue of Internet security and for that we are grateful. Similarly there’s always the possibility that the NSA/GCHQ might have found a way to perform some clever tricks with CPE routers/modems, after all they’ve already tapped into fibre optic cables (here), but we’re not seeing it here.

A Spokeswoman for Openreach told ISPreview.co.uk:

“BT routers have a second IP address so we can make software updates without the need for an engineer visit. This is extremely common in the industry and it is well known. It is also the case that many other devices such as gaming consoles and smart TVs have such addresses. As for the anonymous report, it is not our policy to comment on conspiracy theories.”

Meanwhile The Adversaries say they “wish to remain anonymous” and yet are “fully prepared to stand in a court of law and present our evidence”, which would make for an interesting court case. No doubt James Bond (007) has already been sent out, probably in Little Nelly, to assassinate them while simultaneously womanising the local population and drinking far too much alcohol without getting drunk. What a guy!

UPDATE 12:36pm

Added a comment from BTOpenreach above.

15 Responses
  1. Bodincus says:

    “But this isn’t uncommon and it actually references a non-routable PRIVATE NETWORK”
    NO IT’S NOT.
    Reserved IP addresses
    It’s a public IP range.

    While it might be used for machines sitting inside a LAN, it’s not a non-routable range.

    There are numerous networks that internally use non-routable ranges (like Virgin Media’s TV services or Fastweb Italia use the 10.x.x.x) for secondary services (management etc).

    Whois says the network is a public IP range allocated to the DoD NIC.

    1. The Bertster says:

      Try a traceroute to 30.x.x.x and see how far it gets you over the public Internet. The range may well be allocated to the DoD but it is not (currently) routable on the public Internet. Your ISP’s first router should return a destination net unreachable. It may not be a private network in the sense of RFC1918 (or indeed RFC5735 for that matter – there are more “reserved” networks than RFC1918), but it is not currently publicly routable, so in that sense it is indeed a private network.

      In a similar way, many mobile carriers also use these large non-publicly-routable ranges that were allocated to the US and UK defense departments for the private network behind their carrier-grade NAT. There are lots of very amusing forum posts and videos claiming that Sprint and T-Mobile are sending all your traffic to the UK government and recommending you smash your phone with a hammer; it’s hilarious.

      Also, a lot of equipment uses addresses in the 1.x.x.x range for things like captive portals for WiFi access, because this network was at one time not publicly routable, but due to the shortage of IP addresses, we’d really like to have this range available, but as it will break a lot of stuff, it’s a bit tricky.

      In any case, if this really was some nefarious snooping by a shady government body, do you REALLY think they would do it in a way that was so obvious when there are many more less obvious ways to achieve this???

    2. Bodincus says:

      The fact that the range holder instructed all other routers to drop ICMP/UDP/TCP traffic to with IGMP messages doesn’t mean the 30.0.0.0/8 range cannot be receiving / collecting other traffic. There are SO many other types of traffic that can travel onto an IP network.
      But hey, what do I know?

    3. Ignitionnet says:

      The traceroutes fail mid-way through the provider network because there’re no routes advertised for these ranges. Nothing more nefarious than that.

      However let’s get this straight…

      You seem to think MoD / DoD know what traffic is before it’s reached their networks so that they can fake messages and pretend their networks aren’t routable.

      You seem to think that they can both simultaneously advertise routes to receive traffic and suppress them from showing up in routing tables of the routers they rely on to deliver the traffic.

      Lastly, that a protocol controlling multicast group membership can be used to control unicast traffic handling on non-adjacent routers that have no IP route to the sources of this traffic.

      1) Is ridiculous.
      2) Is ridiculous.
      3) Is ridiculous.

      Step away from the paranoid websites and go read up on some networking or indeed the Snowden leaks. The authorities are acquiring traffic by passive tapping of optical links, nothing more arcane.

      There is the potential for redirection of traffic via advertising prefixes that do not belong to you, but with a smaller mask, then sending them to the real destination. That has and does happen but is unsubtle and obvious.

    4. Ignitionnet says:

      Well, Level3, Cogent, Hurricane Electric and Telia-Sonera draw a blank for routes to

      I guess whichever secret way traffic is being shipped to that subnet is so secret it doesn’t even need IP routes, which is pretty clever on IP networks, especially when you don’t control any routers outside your own network border.

      Evidently I very much underestimated the power of IGMP. As did those who wrote it.
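The thread above turns on a distinction worth making concrete: RFC 1918 private space, other IANA special-purpose space, and public space (such as 30.0.0.0/8) that is allocated but simply has no route announced. The following Python is an added example, not code from the article or any commenter; its routing table is a small constructed sample, not a real RIB dump, and the next-hop names are placeholders.

```python
import ipaddress

# Constructed sample of a default-free routing table: a handful of prefixes a
# transit router might carry, with placeholder next hops. Deliberately no entry
# covers 30.0.0.0/8 (allocated to the DoD NIC, not announced) and no default route.
SAMPLE_RIB = [
    ("8.0.0.0/9", "peer-A"),
    ("8.8.8.0/24", "peer-B"),
    ("81.187.0.0/16", "peer-C"),
    ("1.1.1.0/24", "peer-D"),  # 1.0.0.0/8 was once unrouted; parts are now announced
]

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def longest_prefix_match(rib, addr):
    """Return (prefix, next_hop) of the most specific route covering addr, or None.

    A router whose table yields None here answers with ICMP destination net
    unreachable, which is what a traceroute into an unannounced range shows.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, next_hop in rib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def classify(addr, rib=SAMPLE_RIB):
    """Separate the three things the thread conflates.

    'rfc1918'  - private space, never valid on the public Internet
    'special'  - other special-purpose space (loopback, link-local, TEST-NET, ...)
    'routed'   - public space with a covering route in this table
    'unrouted' - public space with no covering route (e.g. 30.x.x.x in this table)
    """
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_private or ip.is_reserved or ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return "special"
    return "routed" if longest_prefix_match(rib, addr) else "unrouted"


if __name__ == "__main__":
    for a in ("192.168.1.10", "127.0.0.1", "8.8.8.8", "30.1.2.3"):
        print(a, classify(a), longest_prefix_match(SAMPLE_RIB, a))
```

Note that the standard library does not consider 30.1.2.3 private at all; only the absence of a covering route makes it unreachable, which is the point Ignitionnet makes about traceroutes failing mid-way.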

  2. CrazyLazy says:

    Seems entirely possible to me, all BT gear has had BTagent built in which allows BT to basically spy on you so I would not be shocked if it goes further than that.

    Ironic our government and its cronies not that long back were claiming stuff by Huawei and similar Chinese manufacturers were all spying on us for the Chinese, turns out they had half of that right only it’s our US bed buddies instead.

    1. FibreFred says:

      “turns out they had half of that right only it’s our US bed buddies instead.”

      Is it? Glad you’re so easily taken in by speculation. You sound like a salesperson’s dream and believe anything you are told no matter how speculative.

    2. CrazyLazy says:

      If I believed everything I’m told I’d believe half the BT sales spiel you come out with, which obviously to everyone reading your spam in every story is complete phlegm.

  3. Jon Roberts says:

    If BT wanted to they could just do that at their end, why would they even bother with putting it into customer hardware?

    1. Henrik says:

      Because they want to see the internal traffic and gather the MAC addresses. MAC is great to identify devices when connected to other networks.

  4. CrazyTeeka says:

    This news has totally gone viral! Right into the public spotlight. Gives everyone a chance to comment on it 🙂

  5. Neil McRae says:

    Disappointing that such an obviously flawed document gets any sort of platform.

    1. Mark Jackson says:

      We initially shunned it as loopy nonsense during early December but then everybody else started covering it, often without examining the claims properly, and so we felt a need to offer a counter balance.

    2. CrazyLazy says:

      BRITISH Telecom

      Chinese Modems
      Indian Call Centres
      American Spyware

      Result = Millions of government investment 😀

  6. Nobody says:

    When running DMVPN, I have seen networks not reachable without explicitly using that within the ping or trace command. Anyone want to comment on that?
