A smaller door opens within a safe door

Communications device cyber-security: 'backdoors'

Allegations that state-sponsored surveillance agencies have sought the creation of so-called 'backdoors' in certain public communications devices have been joined by claims that some vendors have been complicit in obliging them. Conspiracy theories – or concrete evidence?

The Edward Snowden revelations were the first time many Internet users – home and business – became aware that their public-network emails and other online activity logs could be subjected to unauthorised scrutiny. However, recent suggestions that communications hardware is also 'open' to access by foreign agencies will come as a further eye-opener. Should we be so surprised? Arguably, these suggestions are rooted in the fact that for the last 15 years most of us have embraced the joys of the 'Internet revolution' with barely a thought for the possibility that some of the enabling hardware we use may also be 'leaky' – and, moreover, was manufactured as such.

In some respects this situation stems from the early days of connecting computers over public networks. The availability of affordable broadband connectivity in the late-1990s and early-2000s effectively drove the Internet into much wider take-up.

By the turn of the century, that adoption was rolling out rapidly as established Internet users upgraded from their dial-up modems to the new faster digital connections. This rate was boosted by the multitudes of people discovering reasons to 'get on to' the Internet for the first time, drawn by the new services and applications that could only be delivered in a compelling manner via broadband, be they online shopping, online gaming, online gambling or other more adult-oriented web-based recreations. Before 2010, however, significantly more than 50 per cent of the adult population of the US and UK had at least access to a broadband connection.

On the mobile front, phone operator Three launched the UK's first 3G network with an array of battery-hungry handsets – mainly from Chinese manufacturer Huawei – in 2003, but it took until the late 2000s before the first dedicated 3G modems and USB sticks (aka '3G dongles') appeared to kick-start in earnest the world of mobile data communications for mass consumption.

Security had always been an issue. Rumours of 'backdoors' in 3G modems had been bouncing around in information security circles for years before a revealing presentation at Black Hat Europe 2013 raised more general awareness of the possibility and, for many, confirmed the topic as a legitimate cause for concern.

Nikita Tarakanov, an independent IT researcher from Russia, presented a paper entitled 'From China with Love' – co-written with colleague Oleg Kupreev – which detailed some startling 'features' of a wide range of Huawei cellular broadband dongles. Tarakanov explained that, in the preceding 12 months or so, he and Kupreev had been researching so-called 'backdoors' into the company's 3G dongles and that – even though Huawei is a major supplier of mobile broadband dongles, and there are dozens of models available in different markets around the world – most are based on a single chassis.

This chassis, the researcher said, has a number of 'vulnerabilities' (or 'features', depending on who you talk to and what they're willing to divulge) that allow all manner of remote feeds and access to the device. Because of this, Tarakanov reckons that a typical Huawei USB modem can be used for a number of security attack vectors. These include: a flash memory attack on the host computer, DNS (Domain Name System) poisoning, auto-update poisoning, rogue XML re-configuration and Wi-Fi auto-connect-based attacks using a pre-set approach to compromising the modem itself.

'Backdoor' – or hack door?

More revelations followed. As the Russian researchers asserted, there were several IP feeds/interfaces on the Huawei USB modems that seemed to perform no obviously useful function, including two that essentially allow the modem to 'call home' to report diagnostics and other useful information to a pre-programmed series of IP addresses. Tarakanov and Kupreev's research ignited debate on an issue that has long been discussed on the quiet in the landline modem security circles – namely, to what extent these 'backdoors' are also to be found in landline telecommunications equipment and whether nation states and/or other agencies are tapping into these features on a limited or wider scale.

While the Russians' research into 3G modem backdoors was progressing, a certain former CIA employee and NSA contractor called Edward Joseph Snowden was causing a stir in other IT security circles. Snowden – who has disclosed a large number of top-secret NSA documents to media outlets since June 2013 – first made contact with Glenn Greenwald, then a journalist at the UK's Guardian newspaper, in late 2012. He contacted Greenwald anonymously, saying that he had "sensitive documents" that he would like to share, and by May of the following year a stream of NSA documents started to flow to Snowden's media contacts.

The Snowden effect

A couple of months later – just as the world's media was getting very excited by the continued Snowden disclosures – the Australian Financial Review (AFR) revealed that several experts alleged that Snowden's contractor employer, the NSA, had been engineering hardware-level backdoors built into computer processors from chip makers Intel and AMD. Steve Blank – one of Silicon Valley's leading technology experts – also reportedly declared that he would be "extremely surprised" if the NSA does not have backdoors built into microprocessors from the two market leaders.

The premise of the AFR's piece – apparently generated as a result of an anonymous tip-off – was that the NSA finds it easier to get into systems via 'backdoors' than by brute-force cracking of the relevant encryption codes. Interestingly, Blank told the financial publication that his suspicions were aroused when he saw the NSA could access Microsoft Outlook emails in their pre-encryption state – and so deduced there had to be a backdoor methodology in play somewhere along the line.

The backdrop to the AFR's report was a presentation made at the summer Black Hat USA 2012 conference when security researcher Jonathan Brossard, CEO and security research engineer at Toucan System, presented a paper on 'hardware backdooring', in which he outlined a documented feature that helps Intel and AMD fix a number of bugs.

The AFR – incorrectly, as it turned out – interpreted Brossard's paper to say that the microprocessor mega players were specifically engineering these backdoors into their chips for purposes of covert government access. Despite this, various industry experts came forward in the wake of the AFR's report asserting that the US government could indeed have 'backdoor' access to microprocessor-driven computers.

Of course, just because the microprocessor in a given computing/technology device is insecure does not mean that the entire device – or its functionality – is insecure. Just as can be seen with the Internet – which is in part based on technology standards around five decades old – it is perfectly possible to add layers of technology to the legacy structure – and by implication, any microprocessor-based device – to ensure its security. Set against Tarakanov and Kupreev's 2013 Black Hat conference presentation, it is hardly surprising that the evidence that the USB modems from Huawei are 'backdoored' has started to attract further investigation.

It took, in fact, until January 2014, when a Swedish security researcher called Andreas Lindh picked up on the Russian research and did his own investigations – only to conclude there are a significant number of vulnerabilities in many 3G and 4G modems that leave targets vulnerable to Cross-Site Request Forgery (CSRF) attacks. These attacks, he claimed, can be used to steal log-in credentials, payment card details and, of course, commit fraud by running up victims' phone bills.

Lindh argues that the vulnerabilities he discovered could allow attackers to use bogus websites – designed to look like legitimate portals – in order to capture user credentials and relay them back to the attacker. In his analysis, Lindh further claimed that he was quickly able to discover a CSRF vulnerability that would allow him to make the modem send a text message to any number of his choice, simply by persuading the user to visit a website under his control – and unlike Wi-Fi routers, he observes, there is no log-in functionality for USB modems, so he did not have to worry about bypassing authentication. However, as Nigel Stanley, lead security analyst and director with research house Incoming Thought, points out, it is relatively rare to find an end-user or company that patches the firmware of their communications hardware.
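The CSRF case Lindh describes comes down to a device web handler that changes state (sends an SMS) without any way to tell a request made by its own admin page from one auto-submitted by a page the user happened to visit. The following is an added example, not code from the article, from Lindh, or from any modem vendor: a toy model of such a "send SMS" handler in its vulnerable form beside a hardened one that requires a POST, checks the browser-supplied Origin/Referer header, and demands a single-use anti-CSRF token. The modem address, paths, form fields and phone numbers are all constructed assumptions.

```python
"""Added example: vulnerable vs hardened model of a modem 'send SMS' web
handler. Everything here is constructed; the device origin is an assumption."""
import secrets
from dataclasses import dataclass, field

DEVICE_ORIGIN = "http://192.168.1.1"   # assumed admin address of the modem


@dataclass
class Request:
    """Minimal stand-in for an HTTP request reaching the modem."""
    method: str
    path: str
    form: dict
    headers: dict = field(default_factory=dict)


class VulnerableModem:
    """No login, no anti-CSRF token, no origin check: a form auto-submitted
    by any page the user visits is indistinguishable from a real one."""

    def __init__(self):
        self.sent = []

    def handle(self, req: Request) -> int:
        if req.path != "/sms/send":
            return 404
        self.sent.append((req.form["to"], req.form["text"]))
        return 200


class HardenedModem:
    """Single-use synchronizer token plus an Origin/Referer check."""

    def __init__(self):
        self.sent = []
        self._tokens = set()

    def issue_token(self) -> str:
        # Embedded in the modem's own admin page; the same-origin policy
        # stops a third-party page from reading it out of that page.
        tok = secrets.token_urlsafe(32)
        self._tokens.add(tok)
        return tok

    def handle(self, req: Request) -> int:
        if req.path != "/sms/send":
            return 404
        if req.method != "POST":
            return 405                      # never change state on GET
        # Origin is "scheme://host[:port]"; Referer carries a path as well.
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if origin != DEVICE_ORIGIN and not origin.startswith(DEVICE_ORIGIN + "/"):
            return 403
        tok = req.form.get("csrf_token")
        if tok not in self._tokens:
            return 403
        self._tokens.discard(tok)           # single use: replay also fails
        self.sent.append((req.form["to"], req.form["text"]))
        return 200


def cross_site_request() -> Request:
    """What a hidden auto-submitting form on a third-party page produces:
    the browser adds the Origin header itself, and the page cannot forge it."""
    return Request("POST", "/sms/send",
                   {"to": "+15555550100", "text": "premium"},   # constructed
                   {"Origin": "http://third-party.example"})    # constructed


def legitimate_request(modem: HardenedModem) -> Request:
    """A request submitted from the modem's own admin page."""
    return Request("POST", "/sms/send",
                   {"to": "+15555550123", "text": "hi",         # constructed
                    "csrf_token": modem.issue_token()},
                   {"Origin": DEVICE_ORIGIN})


def run_demo() -> dict:
    """Exercise both handlers and return the status codes observed."""
    vuln, hard = VulnerableModem(), HardenedModem()
    result = {
        "vuln_cross_site": vuln.handle(cross_site_request()),
        "hard_cross_site": hard.handle(cross_site_request()),
    }
    legit = legitimate_request(hard)
    result["hard_legit"] = hard.handle(legit)
    result["hard_replay"] = hard.handle(legit)   # spent token is rejected
    result["sms_sent"] = (len(vuln.sent), len(hard.sent))
    return result


if __name__ == "__main__":
    print(run_demo())
```

Both checks matter: the Origin/Referer check alone is weak where a browser strips those headers, and the token alone is useless if the device ever accepts the action over GET, since the token would then leak in URLs and logs. Neither check replaces a password on the admin interface; they only close the specific cross-site path the article describes.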

Stanley was commenting on revelations from Eloi Vanderbeken, a researcher with French firm Synacktiv Digital Security, who reported in January 2014 that a wireless backdoor, which can be remotely accessed using a regular Internet connection, exists on a number of broadband modems from the likes of Linksys, Netgear and other brands.

Vanderbeken says that the wireless backdoor effectively gives attackers administration-level access by simply resetting the modem's configuration settings, thus bypassing the firewall settings of the unit. The vulnerability particularly affects public access Wi-Fi services, as these modems are designed to allow password-less access to the unit across wireless channels prior to logging in.

In his analysis of the alleged flaw, Vanderbeken said that he was attempting to code-limit the bandwidth of users of his family's Linksys WAS200G DSL (digital subscriber line) modem over the Christmas period, but had locked himself out of the wireless admin console. He discovered he could manage the router via an unusual TCP port (32764). After analysing the firmware, Vanderbeken created a simple interface to send admin commands to the router without being logged in as an administrator – resetting the unit to its default settings.

Switching to a 'shell' (an interface for access to an operating system's services) command, he then coded a script to gain access to admin mode – without the password – and published the script on the GitHub software development service, at which stage other Linksys and Netgear users reported the script also worked on their modems.
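For a defender, the practical takeaway from Vanderbeken's finding is that an undocumented management service listening on a fixed port (TCP 32764 in the article) is visible in ordinary firewall logs long before the firmware is patched. The block below is an added example, not code from the article or from Synacktiv: it parses constructed firewall log lines in an assumed iptables-style layout and flags every connection attempt to that port, noting whether it arrived on the WAN or LAN side. The interface names, addresses and timestamps are all constructed.

```python
"""Added example: flag connections to the undocumented port named in the
article (TCP 32764) in firewall logs. Log format is an assumed iptables-style
layout; every line in SAMPLE_LOG is constructed."""
import re
from collections import Counter

BACKDOOR_PORT = 32764   # management port named in the article

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges, never real hosts.
SAMPLE_LOG = """\
Jan 02 10:15:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51523 DPT=443 SYN
Jan 02 10:15:03 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51524 DPT=32764 SYN
Jan 02 10:15:04 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=UDP SPT=51525 DPT=32764
Jan 02 11:02:17 gw kernel: IN=br0 OUT= SRC=192.168.1.23 DST=192.168.1.1 PROTO=TCP SPT=40001 DPT=32764 SYN
Jan 02 11:02:18 gw kernel: IN=br0 OUT= SRC=192.168.1.23 DST=192.168.1.1 PROTO=TCP SPT=40002 DPT=80 SYN
this line is not a firewall record and must not break the parser
"""

# Assumed layout: "<ts> <host> kernel: IN=<if> OUT=<if> SRC= DST= PROTO= SPT= DPT=".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"IN=(?P<iface>\S*) OUT=\S* SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line: str):
    """Return a dict of fields for a well-formed record, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def find_backdoor_attempts(log_text: str, port: int = BACKDOOR_PORT,
                           wan_ifaces=("ppp0",)) -> list:
    """Every record whose destination port is the suspect port, tagged with
    the side of the device it arrived on (wan_ifaces is an assumption)."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] != port:
            continue
        rec["side"] = "wan" if rec["iface"] in wan_ifaces else "lan"
        alerts.append(rec)
    return alerts


def summarize(alerts: list) -> Counter:
    """Count alerts by (source, protocol, side) for a quick triage view."""
    return Counter((a["src"], a["proto"], a["side"]) for a in alerts)


if __name__ == "__main__":
    hits = find_backdoor_attempts(SAMPLE_LOG)
    for a in hits:
        print(f"{a['ts']} {a['side']:3} {a['proto']} {a['src']} -> {a['dst']}:{a['dpt']}")
    print(summarize(hits))
```

A WAN-side hit means the port is reachable from the Internet and the device should be taken offline or patched; a LAN-side hit from a workstation is worth a look too, since a page visited in a browser can drive requests at the gateway from inside the network, as the CSRF discussion earlier in the article shows. The detection is deliberately protocol-agnostic: the article names TCP, but any traffic aimed at a port that should not be listening is worth surfacing.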

Whatever the accuracy of the various claims and counter-claims flying around the ICT industry, the issue of 'backdoors' is unlikely to be closed any time soon.
