Can someone with some Cisco knowledge clarify whether this sort of tampering can be overwritten by wiping and reloading the firmware on the device? I’m not paranoid about our environment at work (although maybe I should be), I’m just curious how “permanent” this sort of backdoor really is…
How is this accounted for when you’re looking at the tracking information, including datestamps, on the UPS/FedEx/DHL sites?
Is this an example of what Jung called the projection of the Shadow?
“Delayed at sorting facility”
between: “Left shipping facility” and the next intermediate location.
Collusion, or arm-twisting of bulk delivery drivers and/or the shipping companies themselves I would think.
Depends on whether the surveillance mechanism is hardware or software or a combo of both. Suspect it would be loaded into BIOS so that an IOS reload wouldn’t overwrite it. A complete wiping of the firmware might, depending on how much of the microcode is infected.
So here are a couple of questions I have:
- Why haven’t we seen independent reports about this? If the hardware is tampered with it will be evident. Extra pieces have to be explained. If it’s software or firmware, how do they get checksums to match? Cisco posts checksums for all their software and firmware downloads.
- If these are NSA employees, where are their CAC badges? Those are generally required in any sort of secured facility.
- How do we know this is an NSA facility? I don’t see anything that actually indicates it. Not even the usual wall detritus that you normally see in government buildings, like evacuation routes etc. All in all it looks like an ordinary loading dock.
If they’re tampering with the hardware, then it’s reasonable to assume they are re-applying the stickers so that it’s not noticeable - most likely with authentic reproductions or possibly even genuine decals.
They could be dropping in a custom ROM chip which would be very difficult to detect unless you knew what you were looking for. Most likely though, they are low-level flashing the EPROM with custom firmware using TFTP and embedding it somewhere deep that the built-in flash utility probably doesn’t touch so that it can’t be easily overwritten.
Checksums are easily faked and are only designed to verify data integrity - not authenticity.
As to the lack of visual indicators in the workspace, I highly doubt the NSA would have big signs in the background saying “Welcome to the NSA!”.
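The integrity-versus-authenticity distinction raised above (a published checksum tells you the bytes match whatever was hashed; it does not tell you who produced them) is easy to see in code. The following is an added example and not code posted by any commenter; the firmware bodies are constructed stand-ins, not real Cisco images, and HMAC-SHA256 with a secret key stands in for a vendor signature since the property that matters here is the same: a valid tag cannot be produced without the vendor’s key.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a firmware image (not a real Cisco image).
GENUINE_IMAGE = b"ROMMON v1.0 stand-in firmware body " * 4
# Constructed: the same image with a small patch, as an implant would leave it.
TAMPERED_IMAGE = GENUINE_IMAGE.replace(b"v1.0", b"v1.x", 1)


def checksum(image: bytes) -> str:
    """Unkeyed integrity check. Anyone, including the party who swapped the
    image, can recompute it, so it only proves the bytes match *a* hash."""
    return hashlib.md5(image).hexdigest()


def verify_checksum(image: bytes, published: str) -> bool:
    return hmac.compare_digest(checksum(image), published)


def sign(image: bytes, key: bytes) -> str:
    """Keyed tag standing in for a vendor signature (assumption of this example).
    Producing a matching tag for a modified image requires the key."""
    return hmac.new(key, image, hashlib.sha256).hexdigest()


def verify_signature(image: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(image, key), tag)


def interdiction_scenario() -> dict:
    """Model an interdicted shipment: the image is swapped in transit, and the
    party doing it can also ship a recomputed checksum alongside it."""
    vendor_key = secrets.token_bytes(32)    # held only by the vendor
    attacker_key = secrets.token_bytes(32)  # the interdictor's own key

    published_md5 = checksum(GENUINE_IMAGE)          # what the vendor site lists
    published_tag = sign(GENUINE_IMAGE, vendor_key)  # what the vendor signs

    attacker_md5 = checksum(TAMPERED_IMAGE)              # trivially recomputed
    attacker_tag = sign(TAMPERED_IMAGE, attacker_key)    # wrong key, cannot verify

    return {
        # Checksums: matching only tells you which bytes you hold.
        "genuine_vs_vendor_checksum": verify_checksum(GENUINE_IMAGE, published_md5),
        "tampered_vs_vendor_checksum": verify_checksum(TAMPERED_IMAGE, published_md5),
        "tampered_vs_attacker_checksum": verify_checksum(TAMPERED_IMAGE, attacker_md5),
        # Keyed verification: a modified image fails no matter who re-tagged it.
        "genuine_signature_ok": verify_signature(GENUINE_IMAGE, published_tag, vendor_key),
        "tampered_vs_vendor_tag": verify_signature(TAMPERED_IMAGE, published_tag, vendor_key),
        "tampered_vs_attacker_tag": verify_signature(TAMPERED_IMAGE, attacker_tag, vendor_key),
    }


if __name__ == "__main__":
    for name, ok in interdiction_scenario().items():
        print(f"{name:32s} {'PASS' if ok else 'FAIL'}")
```

The practical consequence: a checksum fetched from the vendor’s site over an independent channel is useful (the interdictor cannot edit that page), but a checksum that travels with the image, or one computed by the device’s own possibly-modified firmware, proves nothing. Only a signature checked against a key you already trust ties the bytes to the vendor.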
Possibly they pull things as they cross the border, using customs as cover?
Would it be possible to discover such bootloader tampering using a JTAG port on the board?
Any suggestions for designing tamper-evident hardware, where such attempts could be easily detected?
Here is what I could find:
- Open Source Software which can detect these modifications. Check code comments on how to enable this mode and what kernel modules you will need.
- Clearly badged NSA technician entering the covert facility
- Related to this secret government facility.
You got it all wrong. It’s only sabotage when it’s directed against the United States.
I got to hand it to the US government. Only they would be so brazen to actually take photos of a crime in progress.
Now I’m just plain curious… If I took it into my head to do this sort of thing on my own time, with no “national security” alibi… what kind of criminal charges might I face if I got caught?
It’s hard to imagine anyone in the legal chain, from police constables up to judges, technically savvy enough to even realise there’s anything dodgy here. You’re just tweaking some electronic gubbins. Meh. It’s what engineers do. They’ve got those dayglo jackets’n’stuff.
This little factory reminds me of a plant in East Germany, very hush-hush, where the Stasi intercepted all mail and packages to West Germany (and all the mail that was not carried by air from West Berlin) and routinely inspected them. Copied letters, removed stuff etc.
The plant was in a village near Berlin and all road signs to this village had been removed. My family had a summer home not two kilometres away from this plant and we only learned about it when East Germany fell apart. The place is called Freienbrink. Here is an article about it: http://www.spiegel.de/spiegel/print/d-13507390.html (in German I am afraid).
Suddenly when my package zig zags across the nation or back and forth between warehouses for seemingly no reason or sits in one location for more than a day, this all makes sense.
Now the real question is what the NSA wants with my adult sized footy pajamas?
I can see five ways they could be doing this:
- Changing the IOS: Basically just putting in a new operating system image in there. It could hide the changes from regular tools, and even self-replicate into the same major version even if you update it, but a significant change to the IOS version would probably screw it up, and a wipe and reinstall done from the ROMMON mode would clear it.
- Changing the Boot ROM. It could hide there pretty well from most internal tools (report different checksums, etc), but once again a major IOS change could overwrite it with a new version. From previous TAO exploits I have read about, I think this is the most likely.
- Overwriting some other EEPROM on a chip. I don’t know enough about the internals to determine if there are any such chips on Cisco routers that wouldn’t be visible from the IOS and cleanable.
- Changing a ROM module. That would be very hard to detect and fix. I don’t know enough about the internals to determine if there are any such modules on Cisco routers.
- Changing a chip or ASIC. That would require some pretty deep knowledge of the internals and collaboration with chip producers who could supply the NSA with modified chips. I think this is highly unlikely.
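Whichever of the first three locations above an implant lives in, and equally for the JTAG question raised earlier in the thread, the detection step is the same: dump the region out of band (JTAG, a flash reader, or a known-clean ROMMON) and compare it byte for byte against a golden image obtained directly from the vendor. The following is an added example, not code from any commenter; the “golden” and “dumped” images are constructed stand-ins, with one patched region and a payload appended past the end of the real image, which is where a hash alone would say only “different” without saying where.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed golden image: a short header padded with zeros to 512 bytes.
GOLDEN_IMAGE = b"BOOTROM-STANDIN-1.0".ljust(512, b"\x00")

# Constructed dump of the same region after "tampering": 8 bytes patched at
# offset 0x40 and a 32-byte blob appended beyond the original image size.
TAMPERED_DUMP = (
    GOLDEN_IMAGE[:0x40]
    + b"\xde\xad\xbe\xef" * 2
    + GOLDEN_IMAGE[0x48:]
    + b"\x41" * 32
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_ranges(golden: bytes, dump: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where dump differs from golden.

    A size mismatch (payload appended, or a truncated dump) is reported as
    one trailing range covering the extra or missing bytes, merged with a
    preceding run of differences if they touch."""
    n = min(len(golden), len(dump))
    ranges: List[Tuple[int, int]] = []
    start = None
    for i in range(n):
        if golden[i] != dump[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(golden) != len(dump):
        tail_end = max(len(golden), len(dump))
        if ranges and ranges[-1][1] == n:
            ranges[-1] = (ranges[-1][0], tail_end)
        else:
            ranges.append((n, tail_end))
    return ranges


def check_dump(golden: bytes, dump: bytes) -> Dict[str, object]:
    """Compare a dumped region against the golden copy and report what changed."""
    return {
        "hash_match": sha256_hex(golden) == sha256_hex(dump),
        "size_match": len(golden) == len(dump),
        "modified_ranges": diff_ranges(golden, dump),
        "modified_bytes": sum(e - s for s, e in diff_ranges(golden, dump)),
    }


if __name__ == "__main__":
    report = check_dump(GOLDEN_IMAGE, TAMPERED_DUMP)
    print("hash match:", report["hash_match"])
    print("size match:", report["size_match"])
    for s, e in report["modified_ranges"]:
        print(f"modified: 0x{s:06x}-0x{e:06x} ({e - s} bytes)")
```

Two caveats a practitioner would add. First, the dump must come from a path the suspect firmware cannot influence; a hash computed by `verify` on a box whose boot ROM is in question is the case the comment about reporting different checksums describes. Second, a clean comparison of the regions you dumped says nothing about regions you did not (a separate ROM module or an ASIC, the last two cases in the list), so the golden-image approach bounds which of the five scenarios you have ruled out rather than proving the device clean.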
I’ve been waiting for an opportunity to post this somewhere (It may have been from an earlier BB post, even):
Andrea Shepard is a Seattle-based core developer with the Tor Project. Draw your own conclusions…
You might want to check the buttons on the butt flap. Probably a microphone and camera now. (I’d hate to be the NSA intern assigned THAT monitoring duty.)