Hardware Backdoor Detection in Network Routers
Ehsan Salmanpour, Mohammad Saeed Ansari, Dr. Bayat
Spring 2014
Hardware Security & Trust, 02/25/2020

Contents
The Backdoor
NSA
Introduction
Router: Structure & Duty
Backdoor implementation on routers
IPv4 Packets
Unknown IP protocol Backdoor
Possible NIC & RSP Backdoors
TCP/32764 backdoor
Real Scenario, Cisco & Quagga
Attack LSDB in OSPF

The Backdoor (BD)
Backdoor: A hidden software or hardware mechanism, usually created for testing and troubleshooting.
-- American National Standard for Telecommunications

Snowden: The NSA planted backdoors in Cisco products
'No Place to Hide,' the new book by Glenn Greenwald, says the NSA eavesdrops on 20 billion communications a day -- and planted bugs in Cisco equipment headed overseas.
"The NSA routinely receives -- or intercepts -- routers, servers, and other computer network devices being exported from the U.S. before they are delivered to the international customers," Greenwald writes. "The agency then implants backdoor surveillance tools, repackages the devices with a factory seal, and sends them on. The NSA thus gains access to entire networks and all their users."

NSA Implements BD on CISCO Routers!
NSA techs perform an unauthorized field upgrade to Cisco hardware in these 2010 photos from an NSA document.
CISCO CEO Letter to Obama

Intro.
Importance of Hardware Backdoor in Routers
Goal of this project

Hardware Backdoor Implementation
Untrusted Places on Chip Production
What about routers?

Network Router
Duty: Forwarding data packets between computer networks

Router Structure
Backdoor Implementation on Routers
Intention:
  Troubleshooting / Upgrading
  Spying: Network Information, Modification, Network Data
  Lowering System Specification: Security, Performance
  Other Intentions
Unintentional: SW/HW Bugs
Factory
Outside Factory: 3rd Party Seller, Conformance, Shipment Process, NSA (-> requires full knowledge of the system), Other
Router Backdoor Triggers
Always ON
Enable with Trigger:
  Internally Activated: Timer, Data on network, Combination
  Externally Activated: Antenna, Physical Access

IPv4 Packets Format

Unknown IP protocol Backdoor
This signature detects network traffic that has an unknown IP protocol, as identified in the 'protocol' field of the IP header. Protocol numbers are in the range 0-255, and the values 0-142 and 253-254 are defined by iana.org, although 253-254 are "experimental". The tune parameter "pam.ip.protocol." represents the range of protocol numbers and supports the iana.org values 0-142 by default, but can be altered as necessary. For example, if the protocol in question is number 171, then setting "pam.ip.protocol.171 = on" will avoid further alerts from network traffic using protocol 171. Unknown protocol values are considered unusual and unexpected, but there may be legitimate reasons to use these protocols on your network. This security event is categorized as an audit event. It is not necessarily indicative of an attack or threat to your network.
Unknown IP protocol Backdoor
This signature detects network traffic that has an unknown IP protocol. Some of the protocols are listed as "unknown" simply because they are "unusual" or "suspicious". There are legitimate reasons to use these protocols, however. Therefore, this alert should be considered a notification that something abnormal is occurring. In many cases, you may wish to stop receiving this alert for a legitimate but peculiar protocol being used in your environment. You can then use the "pam.ip.protocol." parameter to avoid seeing this alert in the future. For example, if the protocol in question is number 71, then you can add the parameter setting "pam.ip.protocol.71 = on" to avoid all further alerts from protocol 71.

Unknown IP protocol Backdoor
Default risk level: Low risk; Vulnerability: Low
Sensors that have this signature: RealSecure Server Sensor: 7.0; IBM Security Host Protection for Servers (Windows): 1.0.914.0; IBM Security Host Protection for Servers (Windows): 220.127.116.110; Proventia Network MFS: 1.0; Proventia-G 1.1 and earlier: G Series; Proventia Network IDS: A Series; Proventia Network IPS: 2.0; IBM Security Host Protection for Servers (Unix): 2.2.2; IBM Security Host Protection for Desktops: 8.0.614.1; Proventia Server IPS for Linux technology: 1.0; Virtual Server Protection for VMware: 1.0
Systems affected: Various vendors, any application
Type: Suspicious Activity
How to remove this vulnerability: If you suspect abnormal activity, use a network analysis tool to capture and view network traffic.
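A small detector that follows the signature logic above, as an added example (not code from the slides or from the IBM/ISS sensors they list); the IANA-assigned range 0-142, the experimental values 253-254 and the "pam.ip.protocol.<n> = on" tuning syntax are taken from the slide text, while the packets, addresses and tuning line are constructed:

```python
import struct
from typing import List, Optional, Set

# Added example, not code from the slides or from the IBM/ISS product they quote.
# It reimplements the "Unknown IP protocol" audit logic described above: numbers
# 0-142 are IANA-assigned and 253-254 experimental (as the slide states), anything
# else is "unknown", and "pam.ip.protocol.<n> = on" lines tune a protocol out.
ASSIGNED_MAX = 142
EXPERIMENTAL = {253, 254}

def parse_tuning(text: str) -> Set[int]:
    """Collect protocol numbers enabled via 'pam.ip.protocol.<n> = on' lines."""
    allowed: Set[int] = set()
    for line in text.splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().lower()
        if key.startswith("pam.ip.protocol.") and value == "on":
            allowed.add(int(key.rsplit(".", 1)[1]))
    return allowed

def ip_protocol(packet: bytes) -> Optional[int]:
    """Protocol field of an IPv4 header (byte offset 9), or None if not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    return packet[9]

def audit(packets: List[bytes], allowed: Set[int]) -> List[dict]:
    """One audit record per IPv4 packet whose protocol is experimental or unknown."""
    alerts = []
    for pkt in packets:
        proto = ip_protocol(pkt)
        if proto is None or proto in allowed or proto <= ASSIGNED_MAX:
            continue  # not IPv4, tuned out by the operator, or IANA-assigned
        alerts.append({"protocol": proto,
                       "verdict": "experimental" if proto in EXPERIMENTAL else "unknown",
                       "src": ".".join(map(str, pkt[12:16])),
                       "dst": ".".join(map(str, pkt[16:20]))})
    return alerts

def make_ipv4(proto: int, src: str, dst: str) -> bytes:
    """Constructed sample: a bare 20-byte IPv4 header with the checksum left at zero."""
    return (struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, proto, 0)
            + bytes(map(int, src.split("."))) + bytes(map(int, dst.split("."))))

# Constructed traffic: TCP (6), the slide's example protocol 171 (tuned out), 253, 200.
TUNING = "pam.ip.protocol.171 = on\n"
SAMPLE = [make_ipv4(6, "10.0.0.1", "10.0.0.2"), make_ipv4(171, "10.0.0.1", "10.0.0.2"),
          make_ipv4(253, "192.0.2.9", "10.0.0.2"), make_ipv4(200, "192.0.2.9", "10.0.0.2")]
```

Run `audit(SAMPLE, parse_tuning(TUNING))` to see that only protocols 253 and 200 produce audit records once 171 has been tuned out.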
Possible Backdoor Implementations on NIC
A programmable network interface (I-NIC): our current prototype is on Myrinet
A virtual machine over a VMM: work in progress over Xen
IBM's Remote Supervisor Adapter?
HP's Remote Management Adapter?

Backdoor on I-NIC
The backdoor provides alternative access to system memory without involving the local CPU/OS.
Private network over a specialized interconnect, VPN, or even over a phone link!
(Diagram labels: Front door, CPU, Mem, NIC, I-NIC, Backdoor, Private Network)
Backdoor Rootkit For NIC
Guillaume Delugré, a security researcher at the French security firm Sogeti ESEC, has demonstrated how it might be possible to place backdoor rootkit software on a network card. This proof-of-concept code was developed after studying the firmware of Broadcom NetExtreme PCI Ethernet cards. He used publicly available documentation and free open-source tools to build a set of tools to instrument the network card firmware. Those tools gave him a way to debug the MIPS CPU of the network card in real time, as well as to perform advanced instrumentation of the firmware code such as execution-flow tracing and memory-access logging. Further, by reverse engineering its EEPROM, he developed custom firmware code, flashed the device and got execution on the CPU of the network card.

Backdoor Rootkit For NIC
The developed rootkit resides inside the network card and offers some interesting features:
A very stealthy communication end-point over the Ethernet link. It can intercept and forge network frames without the operating system knowing about it.
Physical system memory access using DMA over the PCI link, leading to OS corruption.
No trace of the rootkit on the operating system, as it is hidden inside the NIC.

Backdoor Rootkit For NIC
The network card natively needs to perform DMA accesses so that network frames can be exchanged between the driver and the device. From the firmware's point of view, everything is operated using special dedicated device registers, some of them undocumented. "An attacker would then be able to communicate remotely with the rootkit in the network card and get access to the underlying operating system thanks to DMA," Delugré explains. This research was presented at the Hack.lu conference.
Cisco Router RSP - GPS & NTP
IEEE 1588 Port: A 10/100 Mbps Ethernet RJ-45 port for the IEEE 1588 Grand Master connection through a CAT5 cable. The IEEE 1588 Grand Master is external equipment for time and frequency synchronization.
10MHz Connector: 10 MHz input for GPS synchronization. This signal can also be provided as a 10 MHz output from the Cisco ASR 9001 Router.
1PPS Connector: 1 PPS input for GPS synchronization. This signal can also be provided as a 1 PPS output from the Cisco ASR 9001 Router.

TCP/32764 backdoor
Who? Eloi Vanderbeken (@elvanderb, https://github.com/elvanderb). Interested in reverse and crypto. Don't like to write reports :D. Certified Ethical Dauber | Microsoft Paint MVP

TCP/32764 backdoor
When? Christmas!!!
TCP/32764 backdoor
Result

TCP/32764 backdoor
Johannes B. Ullrich, Ph.D. - SANS Technology Institute:
"We do see a lot of probes for port 32764/TCP. According to a post to github from 2 days ago, some Linksys devices may be listening on this port enabling full unauthenticated admin access. At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network. Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs today. The by far largest number of scans come from 18.104.22.168. ShodanHQ has also been actively probing this port for the last couple of days."

TCP/32764 backdoor
We only have 10 different source IP addresses originating more than 10 port 32764 scans per day over the last 30 days:
Real Scenario, Cisco & Quagga

Attack LSDB in OSPF
Link state, 3 phases: Neighbor table, LSDB, Dijkstra (RFC 2328)

Attack LSDB in OSPF
Fight-Back: when a router observes an LSA which states falsehoods about itself, the router is allowed (and actually encouraged) to immediately send another LSA which sets the record right.

Attack LSDB in OSPF
Python and Scapy
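The fight-back rule as a toy simulation, added here and not part of the slides or of the Cisco/Quagga scenario; the router IDs, link lists and the false self-originated LSA are constructed, and only the LSA fields the rule needs are modelled:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not code from the slides or from Cisco/Quagga: a toy link-state
# database showing the OSPF "fight-back" rule (RFC 2328, section 13.4) described
# above. Only what the rule needs is modelled; flooding, packet formats and
# Dijkstra are left out. Router IDs and link lists are constructed.
INITIAL_SEQ = 0x80000001  # RFC 2328 InitialSequenceNumber

@dataclass(frozen=True)
class LSA:
    ls_type: int            # 1 = router-LSA
    link_state_id: str
    adv_router: str         # router that claims to have originated this LSA
    seq: int                # LS sequence number; larger means newer instance
    links: Tuple[str, ...]  # constructed stand-in for the LSA body

@dataclass
class Router:
    router_id: str
    links: Tuple[str, ...]
    lsdb: Dict[Tuple[int, str, str], LSA] = field(default_factory=dict)
    flooded: List[LSA] = field(default_factory=list)  # LSAs this router sent

    def originate(self, seq: int = INITIAL_SEQ) -> LSA:
        lsa = LSA(1, self.router_id, self.router_id, seq, self.links)
        self.lsdb[(1, lsa.link_state_id, lsa.adv_router)] = lsa
        self.flooded.append(lsa)
        return lsa

    def receive(self, lsa: LSA) -> Optional[LSA]:
        """Install a newer LSA; return the corrective LSA if we had to fight back."""
        key = (lsa.ls_type, lsa.link_state_id, lsa.adv_router)
        current = self.lsdb.get(key)
        if current is not None and lsa.seq <= current.seq:
            return None  # older or duplicate instance: discard (RFC 2328, section 13)
        self.lsdb[key] = lsa
        if lsa.adv_router == self.router_id and lsa.links != self.links:
            # An LSA states falsehoods about us that we never sent: re-originate
            # with a higher sequence number so the false instance is overwritten.
            return self.originate(seq=lsa.seq + 1)
        return None

# Constructed scenario: R1 floods its own router-LSA, then sees a self-originated
# LSA with a newer sequence number and a link it does not have.
R1 = Router("10.0.0.1", ("10.0.0.2", "10.0.0.3"))
R1.originate()
FORGED = LSA(1, "10.0.0.1", "10.0.0.1", INITIAL_SEQ + 5, ("192.0.2.66",))
CORRECTION = R1.receive(FORGED)
```

After the exchange, `CORRECTION` carries R1's real links with sequence number `INITIAL_SEQ + 6`, so any router that installed the false instance replaces it with the corrected one.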