24 October 2014
BTAgent - CPE backdoor
Date: Fri, 24 Oct 2014 16:00:01 +0100
Subject: BTAgent - CPE backdoor
To: cryptome[at]earthlink.net
I am a British national.
My background is in electronic engineering, embedded systems development
on various architectures, and software engineering in C / assembler.
Back in December 2013, you published a series of articles about a "backdoor"
discovered in CPE (consumer premises equipment); modem-router devices that
are supplied en masse to subscribers of internet services in Britain.
See:
http://cryptome.org/2013/12/Full-Disclosure.pdf
http://cryptome.org/2013/12/full-disclosure-comments.htm
http://blog.erratasec.com/2013/12/dod-address-space-its-not-conspiracy.html
The CPE with that particular backdoor are the ADSL2 and VDSL2 modem/routers
supplied by the "Openreach" division of the incumbent British Telecom. Around
ten million of these CPE have to date been supplied to households and
businesses.
The same backdoor (dubbed BTAgent) is found in all recent models of BT HomeHub;
the MIPS-based BT Business Hubs; and the latest VDSL2 modem-routers: the
MIPS-based Huawei HG612 and ECI B-FOCuS V-2Fub/I and /R (both revisions B1
and B2).
These devices are supplied 'free of charge' by British Telecom. Until recently
they were installed in the consumer premises by visiting employees or agents
of the company itself.
The author/s of those articles you host, above, make reference to two online
blogs about this "backdoor" discovery.
Those blogs are mine, and all content, when not stated otherwise, is my own.
However, the blogs are published under a Creative Commons Share-a-Like License;
and I am happy that the information discovered is being shared.
---------
To add to what has already been disclosed above, it has been possible to
"unlock" and gain a (remote) root shell on the Trimedia-based (VLIW) BT Business
Hubs.
These Trimedia TM3260 devices use a very unusual five-instruction-slot
parallel-processing platform ideal for DSP work (Trimedia was formerly a
division of Philips, now NXP). These devices are also supplied by AT&T for its
U-Verse VDSL2 service.
Some of the (earlier) discoveries concerning the Trimedia CPE are documented
here:
http://hackingbtbusinesshub.wordpress.com/
---------
Most/All(?) of the BT CPE utilise the same 2048-bit RSA keypair for remote
access to these devices. At the time of that discovery (August 2011) I wrote
this, from http://huaweihg612hacking.wordpress.com/?s=public+key :
"God knows who holds the corresponding private key. Hopefully just responsible
adults in British Telecom (if there are any!)"
---------
I also run other blogs/websites related, more or less, to intelligence and
security.
One website concerns media fakery, and the detection of fake news stories
through image forensic analysis.
For example, using Error Level Analysis (ELA) to detect flaws in a "photo";
flaws that can suggest "faux-to-shopping". ELA relies
on an inverse DCT transformation; shifting the image entropy from the spatial
domain back into the frequency domain.
This ELA technique is used to visually detect any conflicting compression
levels in a "photo"; indicating composite fakery in an image.
See:
http://fotoforensics.com/tutorial-ela.php
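As an added illustration of the ELA principle the fotoforensics tutorial describes (resave the image at a known quality and map the per-pixel error), the following is example code written for this page, not code from the author's blogs or from fotoforensics. It assumes a toy JPEG model with an 8x8 block DCT and a single uniform quantisation step per quality level (real JPEG uses per-frequency tables and chroma subsampling), and it analyses the composite at the quality its base image was saved at, so blocks already on that quantisation grid show zero error while pasted, never-compressed pixels do not.

```python
import math

N = 8
COS = [[math.cos(math.pi * (2 * i + 1) * k / (2 * N)) for k in range(N)] for i in range(N)]
A = [math.sqrt(1 / N)] + [math.sqrt(2 / N)] * (N - 1)   # orthonormal DCT-II scaling

def dct2(block):
    return [[A[u] * A[v] * sum(block[x][y] * COS[x][u] * COS[y][v]
            for x in range(N) for y in range(N)) for v in range(N)] for u in range(N)]

def idct2(coef):
    return [[sum(A[u] * A[v] * coef[u][v] * COS[x][u] * COS[y][v]
            for u in range(N) for v in range(N)) for y in range(N)] for x in range(N)]

def jpeg_like(img, quality):
    """Toy JPEG round trip (assumed model): block DCT, one uniform quantisation
    step instead of real per-frequency tables, inverse DCT, round to 8-bit grey."""
    step = 1 + (100 - quality) / 5.0              # coarser step as quality drops
    out = [row[:] for row in img]
    for by in range(0, len(img), N):
        for bx in range(0, len(img[0]), N):
            coef = dct2([[img[by + x][bx + y] - 128 for y in range(N)] for x in range(N)])
            pix = idct2([[round(c / step) * step for c in row] for row in coef])
            for x in range(N):
                for y in range(N):
                    out[by + x][bx + y] = max(0, min(255, round(pix[x][y] + 128)))
    return out

def ela(img, quality):
    """Error Level Analysis: resave at a known quality, map per-pixel |error|."""
    return [[abs(a - b) for a, b in zip(r1, r2)] for r1, r2 in zip(img, jpeg_like(img, quality))]

def block_error(err, by, bx):
    """Mean ELA error over one 8x8 block; compare blocks to spot a splice."""
    return sum(err[by + x][bx + y] for x in range(N) for y in range(N)) / (N * N)

def make_composite():
    """Constructed sample: 16x16 LCG texture saved once at quality 60, then its
    bottom-right block overwritten with never-compressed pixels (the 'paste')."""
    s, raw = 1, []
    for x in range(16):
        raw.append([])
        for y in range(16):
            s = (s * 1103515245 + 12345) % 2 ** 31
            raw[x].append(40 + (s >> 16) % 176)   # stay clear of 0/255 clipping
    saved = jpeg_like(raw, 60)
    for x in range(8, 16):
        saved[x][8:16] = raw[x][8:16]
    return saved
```

Run ela(make_composite(), 60) and compare block_error(err, 0, 0) with block_error(err, 8, 8): the untouched block resaves onto exactly the same quantisation grid and shows no error, while the pasted block shows a clearly higher error level, which is the conflict ELA visualises.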
---------
On 19 June 2014, in relation to discoveries published on my media fakery
blog, my home in Shropshire was raided by six police/intelligence officers;
only two of whom identified themselves.
An undocumented quantity of electronics equipment, including modems, computers,
media storage devices, and paperwork was seized.
The actual grounds for my arrest were cited as "harassment". This concerned
a suspected fake news story that had been exposed on my blog.
Evidence of media fakery that implied corruption in the local health authority
and indeed in NHS England. It was one of many similar fake news stories
- viz the engineered "Mid Staffs Crisis" used to provide the pretext for
rationalising and closing health facilities across the country.
During the police interview -- both in the "informal chat" before the official
interview itself, and during that formal tape-recording grilling -- I was
probed by detectives on topics quite unrelated to my arrest.
In wholly irrelevant circumstances, I was grilled over my role in "unlocking"
these CPE, and over my motives for doing so. Not in any way relevant
to the accusations filed against me.
In interview, I brushed aside the serious espionage implications of having
backdoors in CPE; believing that -- for whatever reason -- everyone has a
right to choose what software is running on electronic equipment installed
in their own home or office.
Nevertheless, I am expected to appear in court in a couple of weeks, for
a preliminary hearing into that spurious (IMHO) charge of harassment.
I suspect that these allegations were engineered to intimidate and silence
my security disclosures in the future, and to gain access to sensitive
electronics equipment (including several DSLAMs) housed in my home.
As an aside, slow progress (currently on pause) has been made in extracting
and scrutinising the firmware in the Huawei MA56xx series of DSLAM; equipment
used widely in Britain and elsewhere.
These DSLAMs are telco central office / curb-side kit which elements in the
US-USA security apparatus are claiming has firmware with backdoors installed
by the Chinese secret service. Pot Kettle Black!
See:
http://insidehuaweima5616msan.wordpress.com/
---------
Apologies for the ten-month delay in responding after your initial disclosure.
Hopefully this is still relevant though.
It was only a few days ago when viewing some Apache logs, and noticing hundreds
of referred hits from your site, that I became aware that these CPE backdoor
discoveries had also been discussed on cryptome.
---------
Finally, to end on a point which has been overlooked, so far as I
know:
The rebuttal commonly cited in response to these CPE backdoor concerns is
that MI6/CIA/GCHQ/NSA/TLA et al. have no role, since they have centralised
facilities of their own for internet espionage. They therefore don't need
CPE backdoors.
However, interceptions performed at that centralised layer of the Intelligence
Apparatus, would presumably require authorisation under the 2000 Regulation
of Investigatory Powers (RIP) Act.
Whereas clandestinely logging into an individual's CPE through that BTAgent
backdoor can obviously be done without any official oversight, and from anywhere
in the world.
A CPE backdoor brings advantages that could not otherwise be achieved through
centrally-performed surveillance, like that undertaken (allegedly) at the
Donut - GCHQ's sigint facility in Cheltenham.
E.g. with remote access via a CPE backdoor, the local ethernet port on the
CPE can be put into "promiscuous mode" and all ethernet frames on the local
network snagged, allowing, for example, the snooping of traffic to a networked
local printer in an office. Such surveillance couldn't easily be done without
access to a device on the local ethernet. Hence the usefulness of a CPE
backdoor.
Thanks for your time, and keep up the good work!
Cheers