Hardware Backdoor Detection in Network Routers Ehsan Salmanpour


Ehsan Salmanpour, Mohammad Saeed Ansari, Dr. Bayat
Spring 2014

Contents
- The Backdoor
- NSA
- Introduction
- Router: Structure & Duty
- Backdoor implementation on routers
- IPv4 Packets
- Unknown IP protocol Backdoor
- Possible NIC & RSP Backdoors
- TCP/32764 backdoor

- Real Scenario, Cisco & Quagga
- Attack LSDB in OSPF

02/25/2020 Hardware Security & Trust

The Backdoor (BD)
Backdoor: "A hidden software or hardware mechanism, usually created for testing and troubleshooting."
-- American National Standard for Telecommunications

Snowden: The NSA planted backdoors in Cisco products
'No Place to Hide,' the new book by Glenn Greenwald, says the NSA eavesdrops on 20 billion communications a day -- and planted bugs in Cisco equipment headed overseas.
"The NSA routinely receives -- or intercepts -- routers, servers, and other computer network devices being exported from the U.S. before they are delivered to the international customers," Greenwald writes. "The agency then implants backdoor surveillance tools, repackages the devices with a factory seal, and sends them on. The NSA thus gains access to entire networks and all their users."

NSA Implements BD on CISCO Routers!
NSA techs perform an unauthorized field upgrade to Cisco hardware in these 2010 photos from an NSA document.

CISCO CEO Letter to Obama

Intro.
- Importance of hardware backdoors in routers
- Goal of this project

Hardware Backdoor Implementation
- Untrusted places in chip production
- What about routers?

Network Router
Duty: forwarding data packets between computer networks

Router Structure

Backdoor Implementation on Routers (mind map)
- Intention
  - Unintentional: Troubleshooting/Upgrading, SW/HW Bugs
  - Spying: Network Information, Network Data, Snooping, Modification, Privilege Escalation
  - Lowering System Specification: Availability, Reliability, Security, Performance, Conformance
  - Other Intentions
- Inside Factory
- Outside Factory: 3rd Party Seller, Shipment Process, Other
- NSA -> Requires full knowledge of system

Router Backdoor Triggers
- Always ON
- Enable with Trigger
  - Internally activated: Timer, Data on network, Combination
  - Externally activated: Antenna, Physical Access

IPv4 Packet Format

Unknown IP protocol Backdoor
This signature detects network traffic that has an unknown IP protocol, as identified in the 'protocol' field of the IP header. Protocol numbers are in the range 0-255; the values 0-142 and 253-254 are defined by iana.org, although 253-254 are "experimental". The tune parameter "pam.ip.protocol." represents the range of protocol numbers and supports the iana.org values 0-142 by default, but can be altered as necessary. For example, if the protocol in question is number 171, then setting "pam.ip.protocol.171 = on" will avoid further alerts from network traffic using protocol 171. Unknown protocol values are considered unusual and unexpected, but there may be legitimate reasons to use these protocols on your network. This security event is categorized as an audit event. It is not necessarily indicative of an attack or threat to your network.

Unknown IP protocol Backdoor
This signature detects network traffic that has an unknown IP protocol. Some of the protocols are listed as "unknown" simply because they are "unusual" or "suspicious". There are legitimate reasons to use these protocols, however. Therefore, this alert should be considered a notification that something abnormal is occurring. In many cases, you may wish to stop receiving this alert for a legitimate but peculiar protocol being used in your environment. You can then use the "pam.ip.protocol." parameter to avoid seeing this alert in the future. For example, if the protocol in question is number 71, then you can add the parameter setting "pam.ip.protocol.71 = on" to avoid all further alerts from protocol 71.

Unknown IP protocol Backdoor
Default risk level: Low risk; Vulnerability: Low
Sensors that have this signature: RealSecure Server Sensor 7.0; IBM Security Host Protection for Servers (Windows) 1.0.914.0; IBM Security Host Protection for Servers (Windows); Proventia Network MFS 1.0; Proventia-G 1.1 and earlier (G Series); Proventia Network IDS (A Series); Proventia Network IPS 2.0; IBM Security Host Protection for Servers (Unix) 2.2.2; IBM Security Host Protection for Desktops 8.0.614.1; Proventia Server IPS for Linux technology 1.0; Virtual Server Protection for VMware 1.0
Systems affected: Various vendors, Any application
Type: Suspicious Activity
How to remove this vulnerability: If you suspect abnormal activity, use a network analysis tool to capture and view network traffic.

Possible Backdoor Implementations on NIC
- A programmable network interface (I-NIC): our current prototype is on Myrinet
- A virtual machine over a VMM: work in progress over Xen
- IBM's Remote Supervisor Adapter?
- HP's Remote Management Adapter?

Backdoor on I-NIC
The backdoor provides alternative access to system memory without involving the local CPU/OS. It uses a private network over a specialized interconnect, a VPN, or even a phone link!
(Diagram: front door = CPU - Mem - NIC; backdoor = I-NIC - Private Network.)

Backdoor Rootkit For NIC
Guillaume Delugré, a security researcher at the French security firm Sogeti ESEC, has demonstrated how it might be possible to place backdoor rootkit software on a network card. This proof-of-concept code was developed after studying the firmware of Broadcom NetXtreme PCI Ethernet cards. He used publicly available documentation and free open-source tools to build a set of tools to instrument the network card firmware. Those tools gave him a way to debug the MIPS CPU of the network card in real time, as well as to perform advanced instrumentation of the firmware code such as execution-flow tracing and memory-access logging. Further, by reverse engineering the card's EEPROM, he developed custom firmware code, flashed the device, and got execution on the CPU of the network card.

Backdoor Rootkit For NIC
The developed rootkit resides inside the network card and offers some interesting features:
- A very stealthy communication end-point over the Ethernet link. It can intercept and forge network frames without the operating system knowing about it.
- Physical system memory access using DMA over the PCI link, leading to OS corruption.
- No trace of the rootkit on the operating system, as it is hidden inside the NIC.

Backdoor Rootkit For NIC
The network card natively needs to perform DMA accesses so that network frames can be exchanged between the driver and the device. From the firmware point of view, everything is operated using special dedicated device registers, some of them undocumented. "An attacker would then be able to communicate remotely with the rootkit in the network card and get access to the underlying operating system thanks to DMA," Delugré explains. This research was presented at the Hack.lu conference.

Cisco Router RSP - GPS & NTP
- IEEE 1588 Port: a 10/100 Mbps Ethernet RJ-45 port for the IEEE 1588 Grand Master connection through a CAT5 cable. The IEEE 1588 Grand Master is external equipment for time and frequency synchronization.
- 10MHz Connector: 10 MHz input for GPS synchronization. This signal can also be provided as a 10 MHz output from the Cisco ASR 9001 Router.
- 1PPS Connector: 1 PPS input for GPS synchronization. This signal can also be provided as a 1 PPS output from the Cisco ASR 9001 Router.

TCP/32764 backdoor
Who? Eloi Vanderbeken, @elvanderb, https://github.com/elvanderb. Interested in reverse and crypto. Don't like to write reports :D. Certified Ethical Dauber | Microsoft Paint MVP.

TCP/32764 backdoor
When? Christmas!!!

TCP/32764 backdoor
(1Mb/s) / (10 users * 68dB) =

TCP/32764 backdoor
IDEA!

TCP/32764 backdoor
Challenge: no access to the http[s] administration tool, and no admin password anyway. NEED DA INTERNET!

TCP/32764 backdoor
Nmap: a few interesting ports:
- ReAIM (http://reaim.sourceforge.net/), possibly vulnerable
- Unknown service listening on TCP/32764; it responds ScMM\xFF\xFF\xFF\xFF\x00\x00\x00\x00 to any request.

TCP/32764 backdoor
Let's get the firmware!
- http://support.linksys.com/en-us/support/gateways/WAG200G/download -> FU linksys!
- http://community.linksys.com/t5/Cable-and-DSL/WAG200G-FR-firmware-upgrade/m-p/233170 -> Thks users!
- http://download.modem-help.co.uk/mfcs-L/LinkSys/WAG200G/Firmware/v1/ -> Thks modem-help & google!

TCP/32764 backdoor
Found you!

TCP/32764 backdoor
Result

TCP/32764 backdoor
Johannes B. Ullrich, Ph.D. - SANS Technology Institute:
"We do see a lot of probes for port 32764/TCP. According to a post to github from 2 days ago, some Linksys devices may be listening on this port enabling full unauthenticated admin access. [1] At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network. Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs today. The by far largest number of scans come from [...]. ShodanHQ has also been actively probing this port for the last couple of days."

TCP/32764 backdoor
"We only have 10 different source IP addresses originating more than 10 port 32764 scans per day over the last 30 days:"

+------------+-----------------+--------+
| date       | source          |count(*)|
+------------+-----------------+--------+
| 2014-01-02 |                 |  18392 |
| 2014-01-01 |                 |    768 |<-- interesting... 3 days
| 2014-01-02 |                 |    585 |<-- early hits from
| 2014-01-02 |                 |    226 |    ShodanHQ
| 2013-12-31 |                 |    102 |<-|
| 2014-01-02 |                 |     74 |
+------------+-----------------+--------+
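The SANS query quoted above (sources sending more than 10 scans of port 32764 per day), as an added example that is not part of the slides or the SANS diary, run over a firewall log. The iptables-style log format, the addresses and the counts are constructed for illustration; adjust LINE_RE to your own sensor's format.

```python
"""Added example, not from the slides or the SANS diary: reproduces the
"sources with more than 10 port 32764 scans per day" query against a
firewall log. Log lines are constructed in an iptables-like format."""
import re
from collections import Counter

PORT = 32764
THRESHOLD = 10          # scans per source per day, as in the SANS query

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ \S+ SRC=(?P<src>\S+) DST=\S+ "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def constructed_log():
    """Constructed sample, not real data: one source hits 12 hosts in a day."""
    lines = [f"2014-01-02 10:00:{i:02d} DROP SRC=192.0.2.10 DST=198.51.100.{i + 1} "
             f"PROTO=TCP DPT={PORT} SYN" for i in range(12)]
    lines += [
        "2014-01-02 10:01:00 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=22 SYN",
        f"2014-01-01 23:59:59 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT={PORT} SYN",
        f"2014-01-02 10:02:00 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=UDP DPT={PORT}",
    ]
    return "\n".join(lines)


def count_port_scans(log_text, port=PORT):
    """Count TCP connection attempts to `port`, keyed by (date, source IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["proto"] == "TCP" and int(m["dpt"]) == port:
            counts[(m["date"], m["src"])] += 1
    return counts


def noisy_sources(counts, threshold=THRESHOLD):
    """Return [(date, src, count)] for sources above the threshold, busiest first."""
    rows = [(d, s, c) for (d, s), c in counts.items() if c > threshold]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for date, src, n in noisy_sources(count_port_scans(constructed_log())):
        print(f"{date} {src} {n}")
```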

TCP/32764 backdoor
Hardware Models:

Country statistics

Real Scenario, Cisco & Quagga

Attack LSDB in OSPF
Link state, 3 phases:
1. Neighbor table
2. LSDB
3. Dijkstra
RFC 2328

Attack LSDB in OSPF
Fight-Back: when a router observes an LSA which states falsehoods about itself, the router is allowed (and actually encouraged) to immediately send another LSA which sets the record right.

Attack LSDB in OSPF
Python and Scapy
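The fight-back rule described above, as an added example (not code from the slides, which used Python and Scapy): a model of an OSPF router's LSDB that re-originates its own router-LSA when it sees a newer, forged self-originated instance. The RouterLSA and Router classes, the router IDs and the link sets are constructed for illustration; no real OSPF packets are parsed.

```python
"""Added example, not from the slides: a minimal model of the OSPF "fight-back"
rule (RFC 2328, section 13.4). When a router receives a newer instance of a
router-LSA claiming to be self-originated (advertising router == its own
router ID) that it never sent, it re-originates its own LSA with a larger
sequence number, so neighbours discard the forged one. LSAs are plain Python
objects here; no Scapy or real OSPF packets are involved."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RouterLSA:
    adv_router: str     # router ID of the originator (type-1 LSA)
    seq: int            # LS sequence number; larger means newer
    links: frozenset    # constructed: set of (neighbour_id, cost) tuples


@dataclass
class Router:
    router_id: str
    links: frozenset
    seq: int = 0x80000001                        # InitialSequenceNumber
    lsdb: dict = field(default_factory=dict)     # adv_router -> RouterLSA
    fightbacks: list = field(default_factory=list)

    def originate(self):
        """Install and return this router's own current router-LSA."""
        lsa = RouterLSA(self.router_id, self.seq, self.links)
        self.lsdb[self.router_id] = lsa
        return lsa

    def receive(self, lsa):
        """Handle a flooded LSA. Returns the fight-back LSA if one was sent."""
        current = self.lsdb.get(lsa.adv_router)
        if current is not None and lsa.seq <= current.seq:
            return None                          # older or duplicate instance
        if lsa.adv_router == self.router_id:
            # A newer copy of "our" LSA that we did not originate: set the
            # record straight with a sequence number that supersedes it.
            self.seq = lsa.seq + 1
            self.fightbacks.append(lsa)
            return self.originate()
        self.lsdb[lsa.adv_router] = lsa          # accept another router's LSA
        return None
```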

References
- http://www.iss.net/security_center/reference/vuln/IP_Unknown_Protocol.htm
- http://www-tss.cisco.com/eservice/est-unified/router/asr9000/vho/fru/rsp/rsp_9000.html#anchor25
- https://cs.fit.edu/~mmahoney/paper3.pdf
- http://www.infoworld.com/d/the-industry-standard/snowden-the-nsa-planted-backdoors-in-cisco-products-242534?page=0,1
- https://github.com/elvanderb/TCP-32764
- http://planet.infowars.com/technology/massive-back-door-into-cisco-linksys-netgear-routers
- http://synacktiv.com/ressources/ethercomm.c
- http://www.slideshare.net/FreeLeaks/another-backdoor-in-my-router-tcp32764-backdoor-again-34688487?qid=b5e00197-7251-49c6-960e-ba75e1d8e615&v=default&b=&from_search=1#
- http://www.blackhat.com/presentations/bh-usa-08/Lindner/BH_US_08_Lindner_Developments_in_IOS_Forensics.pdf
- http://www.research.rutgers.edu/~smaldone/talks/BD-Phenix1.ppt
- http://esec-lab.sogeti.com/dotclear/public/publications/10-hack.lu-nicreverse_slides.pdf
- http://www.ssi.gouv.fr/IMG/pdf/paper.pdf
- http://4xmen.ir/wp-content/uploads/2014/01/Full-Paper.pdf
- http://www.youtube.com/watch?v=X1K4YxUZ8Ms
- http://www.brianlinkletter.com/persistent-configuration-changes-in-tinycore-linux/
- http://blog.ezzi.in/2010/04/adding-host-in-gns3-vm-or-qemu.html
- https://isc.sans.edu/forums/diary/Scans+Increase+for+New+Linksys+Backdoor+32764+TCP+/17336
- http://blog.quarkslab.com/tcp-backdoor-32764-or-how-we-could-patch-the-internet-or-part-of-it.html
- http://www.livehacking.com/tag/network-card-backdoor/
- http://cronicaseurasia.com/wp-content/uploads/2014/02/backdoor_description.pdf

Thanks for Your Attention

