I can see five ways they could be doing this:
- Changing the IOS: Basically just putting a new operating system image in there. It could hide the changes from regular tools, and even self-replicate into the same major version even if you update it, but a significant change to the IOS version would probably screw it up, and a wipe and reinstall done from ROMMON mode would clear it.
- Changing the Boot ROM. It could hide there pretty well from most internal tools (report different checksums, etc), but once again a major IOS change could overwrite it with a new version. From previous TAO exploits I have read about, I think this is the most likely.
- Overwriting some other EEPROM on a chip. I don’t know enough about the internals to determine if there are any such chips on Cisco routers that wouldn’t be visible from the IOS and cleanable.
- Changing a ROM module. That would be very hard to detect and fix. I don’t know enough about the internals to determine if there are any such modules on Cisco routers.
- Changing a chip or ASIC. That would require some pretty deep knowledge of the internals and collaboration with chip producers who could supply the NSA with modified chips. I think this is highly unlikely.