Computer networks, especially the Internet, are complicated animals that can at times be difficult to understand, which may explain why a recent report that claims to have uncovered a secret backdoor for UK GCHQ and US NSA spies in BTOpenreach’s FTTC (VDSL) modems has gained such traction. But is it really a backdoor?
So far as conspiracy theories go, this is at least a fun if largely incorrect one. The “Full Disclosure” report, which was created by an anonymous group called The Adversaries and published on the Wikileaks-style Cryptome document archive (here), effectively claims that BT has created a secret backdoor in two of its VDSL Modems for the NSA and GCHQ to spy on their customers.
The Adversaries say:
“BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the UK as our evidence will demonstrate. BT have directly enabled Computer Network Exploitation (CNE) of all its home and business customers.”
The modems in question – Huawei’s EchoLife HG612 and the ECI B-FOCuS – are both used as part of BT’s national deployment of up to 40-80Mbps capable FTTC superfast broadband services (note: ISPs can now deploy their own modems or routers). The modem plugs into your phone/FTTC socket and then the other side connects to your router.
The Adversaries added:
“When the DSL connection is established a covert DHCP request is sent to a secret military network owned by the U.S. Government D.O.D. You are then part of that U.S. D.O.D. military network, this happens even before you have been assigned your public IP address from your actual ISP.
This spy network is hidden from the LAN/switch using firewall rules and traffic is hidden using VLANs in the case of BT et al, it uses VLAN 301, but other vendors modems may well use different VLANs. The original slide has a strange number 242 with grey background, we think this represents the VLAN number/Vendor number so BT would be 301.
This hidden network is not visible from your “Modem’s Web Interface” and not subject to your firewall rules, also not subject to any limitations as far as the switch portion of your modem is concerned and the hidden network also has all ports open for the attacker.”
The report itself, which seems to be gaining some traction around the Internet despite a fair number of loopy claims and assumptions, then proceeds to explain how the modem allegedly performs all of these tricks and how you can replicate it yourself. Indeed it is possible to uncover the same behaviour as the group claims to have revealed but the problem is with their conclusion.
For example, the document notes BT’s use of a US military (DoD) IP range (30.x.x.x). But this isn’t uncommon, and in this case the range is used for a private internal network rather than anything reachable from the Internet. Computers on a home network, which often use addresses from ranges like 192.168.0.0/16, are also on private networks, which means those IPs cannot be used on the public Internet. Many other routers do something similar.
Next we have the creation of an allegedly hidden spy network, supposedly set up using a Virtual Local Area Network (VLAN). A VLAN is similar to a traditional LAN (e.g. your home network) but tends to be more common on bigger domain-based corporate networks. In this case, though, the VLAN appears to be related to the common management protocol TR-069, which is again used by a lot of ISPs and gives the provider some remote access to test and manage your broadband link (TR-069 can also support centrally managed services such as VoIP).
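As an added illustration (not from the article, BT or AAISP), here is a small Python audit of the kind a subscriber could run over a capture taken between the modem and their own router: it splits 802.1Q-tagged frames by VLAN, flags any VLAN the subscriber’s own traffic is not expected on, and records DHCP activity and destinations seen there, which is how the VLAN 301 / 30.x.x.x management traffic described above would show up. The frames are constructed inline and the 30.x addresses are placeholders, not values from any real modem.

```python
import struct
import ipaddress

ETHERTYPE_VLAN, ETHERTYPE_IPV4, UDP = 0x8100, 0x0800, 17
DHCP_PORTS = {67, 68}

def parse_frame(frame: bytes) -> dict:
    """Decode 802.1Q VLAN id (None if untagged), inner EtherType and, for IPv4/UDP, dst + DHCP flag."""
    etype = struct.unpack("!H", frame[12:14])[0]
    vlan, off = None, 14
    if etype == ETHERTYPE_VLAN:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18          # low 12 bits of the TCI = VLAN id
    info = {"vlan": vlan, "ethertype": etype, "dst_ip": None, "dhcp": False}
    if etype == ETHERTYPE_IPV4:
        ihl = (frame[off] & 0x0F) * 4
        info["dst_ip"] = str(ipaddress.IPv4Address(frame[off + 16:off + 20]))
        if frame[off + 9] == UDP:
            ports = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
            info["dhcp"] = bool(set(ports) & DHCP_PORTS)
    return info

def audit(frames, data_vlans):
    """Group frames by VLAN; flag VLANs the subscriber's own traffic is not expected on."""
    report = {}
    for f in frames:
        p = parse_frame(f)
        e = report.setdefault(p["vlan"], {"frames": 0, "dhcp": 0, "dsts": set(),
                                          "unexpected": p["vlan"] not in data_vlans})
        e["frames"] += 1
        e["dhcp"] += int(p["dhcp"])
        if p["dst_ip"]:
            e["dsts"].add(p["dst_ip"])
    return report

def make_udp_frame(vlan, src_ip, dst_ip, sport, dport) -> bytes:
    """Minimal, optionally 802.1Q-tagged IPv4/UDP frame (constructed sample, checksums zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, UDP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp

# Constructed sample: untagged subscriber traffic plus a DHCP exchange on VLAN 301
# using placeholder 30.x.x.x addresses, as the report describes.
SAMPLE = [
    make_udp_frame(None, "192.168.1.10", "198.51.100.1", 50000, 53),  # ordinary DNS query
    make_udp_frame(301, "0.0.0.0", "255.255.255.255", 68, 67),        # DHCP discover
    make_udp_frame(301, "30.0.0.1", "30.0.0.50", 67, 68),             # DHCP offer
]
```

Running `audit(SAMPLE, {None})` separates the untagged subscriber traffic from the VLAN 301 DHCP exchange; the point is that the tagged VLAN is visible and inspectable on the wire, so what is on it can be checked rather than guessed at.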
According to the boss of broadband ISP Andrews & Arnold (AAISP), Adrian Kennard, the VLAN has to be separate because the main FTTC/GEA service is an Ethernet-level connection rather than IP, so it “would not be usable for TR-069”. ISPreview.co.uk consulted Kennard on this subject before reporting because AAISP has developed a good understanding of the inner workings of Openreach’s VDSL modem (example).
In fairness TR-069 has its own problems, which last year caused a similar security scare among BTInfinity (FTTC) customers (here). But so far ISPs seem able to handle this securely, and many routers allow it to be switched off in their advanced settings, although this might make the service more difficult for some people to set up.
Adrian Kennard told ISPreview.co.uk:
“Sadly, this sort of document undermines real concerns and issues that get raised from time to time.
The fact that the ISP could, if they wanted to, re-flash the modem/router, for almost any ISP connection does, indeed, mean that they could install all sorts of stuff directly on the device if they wanted to – but they don’t have any reason to, and there is no evidence of any NSA/GCHQ back doors.
At A&A we only use the BT modems for FTTC, and in that case there would be a router/firewall under the end-user control behind it, so nothing on the modem could do anything useful even if there was some secret conspiracy (i.e. any more useful than trying to attack traffic at the exchange or in the internet).”
The fact is that most routers do a lot of odd and indeed some very silly things under the hood, which can look like one thing when they’re actually another, and we’re not convinced that this is any different. Better evidence is required before real spying could be established and what we have here is simply not enough.
Similarly, if an ISP really wanted to spy on you then we can think of better ways of doing it, all without putting the code into a piece of CPE kit that anybody could break apart and discover, much as the above group has done.
On top of that Openreach’s VDSL modems are likely to be increasingly shunned by ISPs as self-install FTTC becomes more common, with some providers already starting to ship their own kit. Alternatively consumers could simply go out and buy their own device if they wanted.
However we always think that it’s a good idea to approach computer and network security from the point of being a little paranoid. The claims made by the group, while extreme and almost certain to be the wrong conclusion, have at least put the spotlight back onto the issue of Internet security and for that we are grateful. Similarly there’s always the possibility that the NSA/GCHQ might have found a way to perform some clever tricks with CPE routers/modems, after all they’ve already tapped into fibre optic cables (here), but we’re not seeing it here.
A Spokeswoman for Openreach told ISPreview.co.uk:
“BT routers have a second IP address so we can make software updates without the need for an engineer visit. This is extremely common in the industry and it is well known. It is also the case that many other devices such as gaming consoles and smart TVs have such addresses. As for the anonymous report, it is not our policy to comment on conspiracy theories.”
Meanwhile The Adversaries say they “wish to remain anonymous” and yet are “fully prepared to stand in a court of law and present our evidence”, which would make for an interesting court case. No doubt James Bond (007) has already been sent out, probably in Little Nelly, to assassinate them while simultaneously womanising the local population and drinking far too much alcohol without getting drunk. What a guy!
UPDATE 12:36pm
Added a comment from BTOpenreach above.