NSA Laughs at PCs, Prefers Hacking Routers and Switches

Rich Jones rich at openwatch.net
Wed Sep 4 13:54:10 PDT 2013


No surprises there then, I remember the underground talking
<http://www.phrack.org/issues.html?issue=55&id=10> about IOS vulnerabilities
in the 90s...

Wasn't that how Sabu et al got you guys, John?


On Wed, Sep 4, 2013 at 1:12 PM, Eugen Leitl <eugen at leitl.org> wrote:

>
> http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/
>
> NSA Laughs at PCs, Prefers Hacking Routers and Switches
>
> BY KIM ZETTER 09.04.13 6:30 AM
>
> Photo: Santiago Cabezas/Flickr
>
> The NSA runs a massive, full-time hacking operation targeting foreign
> systems, the latest leaks from Edward Snowden show. But unlike conventional
> cybercriminals, the agency is less interested in hacking PCs and Macs.
> Instead, America’s spooks have their eyes on the internet routers and
> switches that form the basic infrastructure of the net, and are largely
> overlooked as security vulnerabilities.
>
> Under a $652-million program codenamed “Genie,” U.S. intel agencies have
> hacked into foreign computers and networks to monitor communications crossing
> them and to establish control over them, according to a secret black budget
> document leaked to the Washington Post. U.S. intelligence agencies conducted
> 231 offensive cyber operations in 2011 to penetrate the computer networks of
> targets abroad.
>
> This included not only installing covert “implants” in foreign desktop
> computers but also on routers and firewalls — tens of thousands of machines
> every year in all. According to the Post, the government planned to expand
> the program to cover millions of additional foreign machines in the future
> and preferred hacking routers to individual PCs because it gave agencies
> access to data from entire networks of computers instead of just individual
> machines.
>
> Most of the hacks targeted the systems and communications of top adversaries
> like China, Russia, Iran and North Korea and included activities around
> nuclear proliferation.
>
> The NSA’s focus on routers highlights an often-overlooked attack vector with
> huge advantages for the intruder, says Marc Maiffret, chief technology
> officer at security firm Beyond Trust. Hacking routers is an ideal way for an
> intelligence or military agency to maintain a persistent hold on network
> traffic because the systems aren’t updated with new software very often or
> patched in the way that Windows and Linux systems are.
>
> “No one updates their routers,” he says. “If you think people are bad about
> patching Windows and Linux (which they are) then they are … horrible about
> updating their networking gear because it is too critical, and usually they
> don’t have redundancy to be able to do it properly.”
>
> He also notes that routers don’t have security software that can help detect
> a breach.
>
> “The challenge [with desktop systems] is that while antivirus don’t work well
> on your desktop, they at least do something [to detect attacks],” he says.
> “But you don’t even have an integrity check for the most part on routers and
> other such devices like IP cameras.”
>
> Hijacking routers and switches could allow the NSA to do more than just
> eavesdrop on all the communications crossing that equipment. It would also
> let them bring down networks or prevent certain communication, such as
> military orders, from getting through, though the Post story doesn’t report
> any such activities. With control of routers, the NSA could re-route traffic
> to a different location, or intelligence agencies could alter it for
> disinformation campaigns, such as planting information that would have a
> detrimental political effect or altering orders to re-route troops or
> supplies in a military operation.
>
> According to the budget document, the CIA’s Tailored Access Programs and
> NSA’s software engineers possess “templates” for breaking into common brands
> and models of routers, switches and firewalls.
>
> The article doesn’t say it, but this would likely involve pre-written scripts
> or backdoor tools and root kits for attacking known but unpatched
> vulnerabilities in these systems, as well as for attacking zero-day
> vulnerabilities that are yet unknown to the vendor and customers.
>
> “[Router software is] just an operating system and can be hacked just as
> Windows or Linux would be hacked,” Maiffret says. “They’ve tried to harden
> them a little bit more [than these other systems], but for folks at a place
> like the NSA or any other major government intelligence agency, it’s pretty
> standard fare of having a ready-to-go backdoor for your [off-the-shelf] Cisco
> or Juniper models.”
>
> Not all of the activity mentioned in the budget document involved remote
> hacking. In some cases, according to the document, the operations involved
> clandestine activity by the CIA or military intelligence units to “physically
> place hardware implants or software modifications” to aid the spying.
>
> “Much more often, an implant is coded entirely in software by an NSA group
> called Tailored Access Operations (TAO),” the Post writes in its story about
> the document. “As its name suggests, TAO builds attack tools that are
> custom-fitted to their targets.”
>
> A handful of security researchers have uncovered vulnerabilities in routers
> in recent years that could be used to do the kind of hacking described in the
> budget document.
>
> In 2005, security researcher Mike Lynn found a serious vulnerability in Cisco
> IOS, the operating system running on millions of Cisco routers around the
> world.
>
> Lynn discovered the vulnerability after his employer, Internet Security
> Systems, asked him to reverse-engineer the Cisco operating system to see if
> he could find security problems with it. Cisco makes the majority of the
> routers that operate the backbone of the internet as well as many company
> networks and critical infrastructure systems. The Cisco IOS is as ubiquitous
> in the backbone as the Windows operating system is on desktops.
>
> The vulnerability Lynn found, in a new version of the operating system that
> Cisco planned to release at the time, would have allowed someone to create a
> router worm that would shut down every Cisco router through which it passed,
> bringing down a nation’s critical infrastructure. It also would have allowed
> an attacker to gain complete control of the router to sniff all traffic
> passing through a network in order to read, record or alter it, or simply
> prevent traffic from reaching its recipient.
>
> Once Lynn found the vulnerability, it took him six months to develop a
> working exploit to attack it.
>
> Lynn had planned to discuss the vulnerability at the Black Hat security
> conference in Las Vegas, until Cisco intervened and forced him to pull the
> talk under threat of a lawsuit.
>
> But if Lynn knew about the vulnerability, there were likely others who did as
> well — including intelligence agencies and criminal hackers.
>
> Source code for Cisco’s IOS has been stolen at least twice, either by
> entities who were interested in studying the software to gain a competitive
> advantage or to uncover vulnerabilities that would allow someone to hack or
> control them.
>
> Other researchers have uncovered different vulnerabilities in other Cisco
> routers that are commonly used in small businesses and home offices.
>
> Every year at computer security conferences — including the Black Hat
> conference where NSA Director Keith Alexander presented a keynote this year —
> U.S. intelligence agencies and contractors from around the world attend to
> discover information about new vulnerabilities that might be exploited and to
> hire talented researchers and hackers capable of finding more vulnerabilities
> in systems.
>
> In 2008, a researcher at Core Security Technologies developed a root kit for
> the Cisco IOS that was designed to give an attacker a persistent foothold on
> a Cisco router while remaining undetected.
>
> According to the Post story, the NSA designs most of the offensive tools it
> uses in its Genie operation, but it spent $25.1 million in one year for
> “additional covert purchases of software vulnerabilities” from private
> malware vendors who operate on the grey market — closed markets that peddle
> vulnerabilities and exploits to law enforcement and intelligence agencies, as
> opposed to the black market that sells them to cyber criminals.
>
> The price of vulnerabilities and exploits varies, depending on a number of
> factors. Vulnerabilities and exploits can sell for anywhere from $50,000 to
> more than a million, depending on the exclusivity of the purchase — some
> vulnerabilities are sold to multiple parties with the understanding that
> others are using it as well — and their ubiquity. A vulnerability that exists
> in multiple versions of an operating system is more valuable than a
> vulnerability that exists in just one version. A class of vulnerability that
> crosses multiple browser brands is also more valuable than a single
> vulnerability that just affects the Safari browser or Chrome.
>
> The Stuxnet cyber weapon that was reportedly created by the U.S. and Israel
> to sabotage centrifuges used in Iran’s uranium enrichment program, used five
> zero-day exploits to spread itself among systems in Iran, including a rare
> exploit that attacked the .LNK function in multiple versions of the Windows
> operating system in order to spread the worm silently via infected USB
> sticks.
>
> Ubiquitous router vulnerabilities are difficult to find since there are so
> many different configurations for routers, and an attack that works against
> one router configuration might not work for another. But a vulnerability that
> affects the core operating system is much more valuable since it is less
> likely to be dependent on the configuration. Maiffret says there hasn’t been
> a lot of public research on router vulnerabilities, but whenever someone has
> taken a look at them, they have found security holes in them.
>
> “They’re always successful in finding something,” he says.
>
> Once a vulnerability becomes known to the software maker and is patched, it
> loses a lot of its value. But because many users and administrators do not
> patch their systems, some vulnerabilities can be used effectively for years,
> even after a patch is available. The Conficker worm, for example, continued
> to infect millions of computers long after Microsoft released a patch that
> should have stopped the worm from spreading.
>
> Routers in particular often remain unpatched because system administrators
> don’t think they will be targeted and because administrators are concerned
> about network outages that could occur while the patch is applied or if the
> patch is faulty.
>
> Kim Zetter is a senior reporter at Wired covering cybercrime, privacy,
> security and civil liberties.
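Maiffret's remark in the quoted article that routers mostly lack any integrity check is the part a defender can act on directly and cheaply. What follows is an added example, not code from the article, from Wired, or from anyone in this thread: a small Python baseline checker that fingerprints each device's running configuration and firmware image with SHA-256 and reports drift on the next collection. The device names, configuration text, image bytes and the list of volatile configuration-line prefixes are all constructed assumptions; pulling the artifacts from real devices is assumed to happen elsewhere.

```python
"""Offline integrity baseline for router configs and firmware images.

Added example; not from the article or the mailing-list thread. Every
device name, config and image below is constructed sample input.
"""
import hashlib
from typing import Dict, List

# Lines that legitimately change between two pulls of the same config.
# The prefixes are an assumption modelled on IOS-style output.
VOLATILE_PREFIXES = ("! Last configuration change", "! No configuration change",
                     "ntp clock-period")

# Constructed sample configurations (not real devices).
EDGE_CONFIG = """! Last configuration change at 09:00:00 UTC Wed Sep 4 2013
hostname edge-1
username admin privilege 15 secret 5 $1$constructed$hashA
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
logging host 192.0.2.10
"""
# Same device later: the volatile timestamp moved AND an extra privileged
# account appeared. Only the second change should be reported.
EDGE_CONFIG_TAMPERED = EDGE_CONFIG.replace("09:00:00", "11:42:00") + \
    "username svc-backup privilege 15 secret 5 $1$constructed$hashB\n"
CORE_CONFIG = """! Last configuration change at 09:00:00 UTC Wed Sep 4 2013
hostname core-1
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
logging host 192.0.2.10
"""
IMAGE_V1 = b"constructed-firmware-image-v1"            # placeholder image bytes
IMAGE_MODIFIED = b"constructed-firmware-image-v1-modified"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize_config(text: str) -> bytes:
    """Strip volatile lines and trailing whitespace so only real edits drift."""
    kept = [ln.rstrip() for ln in text.splitlines()
            if not ln.startswith(VOLATILE_PREFIXES)]
    return ("\n".join(kept) + "\n").encode()


def fingerprint(artifacts: Dict[str, object]) -> Dict[str, str]:
    """Map artifact name -> sha256 for one device's collected artifacts."""
    out = {}
    for name, payload in artifacts.items():
        if name == "running-config":
            out[name] = sha256_hex(normalize_config(payload))
        else:
            out[name] = sha256_hex(payload)
    return out


def build_baseline(inventory: Dict[str, Dict[str, object]]) -> Dict[str, Dict[str, str]]:
    """Fingerprint every device in the inventory; store the result off-box."""
    return {host: fingerprint(arts) for host, arts in inventory.items()}


def check_drift(baseline, current) -> List[str]:
    """Compare a fresh collection against the stored baseline; return findings."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        if host not in current:
            findings.append(f"{host}: device missing from collection")
            continue
        if host not in baseline:
            findings.append(f"{host}: unknown device, no baseline")
            continue
        base, now = baseline[host], fingerprint(current[host])
        for name in sorted(set(base) | set(now)):
            if name not in now:
                findings.append(f"{host}: {name} missing")
            elif name not in base:
                findings.append(f"{host}: {name} has no baseline")
            elif base[name] != now[name]:
                findings.append(f"{host}: {name} changed")
    return findings


def demo() -> List[str]:
    """Baseline two devices, then re-check after one of them was altered."""
    inventory = {
        "edge-1": {"running-config": EDGE_CONFIG, "image": IMAGE_V1},
        "core-1": {"running-config": CORE_CONFIG, "image": IMAGE_V1},
    }
    baseline = build_baseline(inventory)
    later = {
        "edge-1": {"running-config": EDGE_CONFIG_TAMPERED, "image": IMAGE_MODIFIED},
        # core-1 only has its volatile timestamp line changed: must not alert.
        "core-1": {"running-config": CORE_CONFIG.replace("09:00:00", "10:15:00"),
                   "image": IMAGE_V1},
    }
    return check_drift(baseline, later)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` yields two findings for `edge-1` (image changed, running-config changed) and nothing for `core-1`, whose only difference is the volatile timestamp line. The useful operational habit is to keep the baseline off the device, re-collect after every maintenance window, and treat any finding that no change ticket explains as the signal the article says routers otherwise never give.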