
Full Disclosure

The Internet Dark Age


Removing Governments' on-line stranglehold
Disabling NSA/GCHQ major capabilities (BULLRUN / EDGEHILL)
Restoring on-line privacy - immediately

by

The Adversaries Update 2

Spread the Word

Uncovered //NONSA//NOGCHQ//NOGOV - CC BY-ND

On September 5th 2013, Bruce Schneier wrote in The Guardian:

"The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability. The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO – Tailored Access Operations – group. TAO has a menu of exploits it can serve up against your computer – whether you're running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer. Your anti-virus software won't detect them, and you'd have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it's in. Period."

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

The evidence provided by this Full-Disclosure is the first independent technical verifiable proof that Bruce Schneier's statements are indeed correct.

(previous readers should start on page 51) This update includes 10 pages of additional evidence courtesy of the U.S. Government.

Full Disclosure
NSA/GCHQ Sources and Methods Uncovered

We explain how NSA/GCHQ:
- Are Internet wiretapping you
- Break into your home network
- Perform 'Tailored Access Operations' (TAO) in your home
- Steal your encryption keys
- Can secretly plant anything they like on your computer
- Can secretly steal anything they like from your computer

How to STOP this Computer Network Exploitation

Internet Wire-Tapping

WARNING:
BT Broadband Equipment Contain NSA/GCHQ Back Doors

We expose NSA/GCHQ's Most Secret Weapon - Control and how you can defeat it!

Dedicated to the Whistle-Blower

Mr Edward J. Snowden.

Table of Contents

Preface ........ 6
Disclosures ........ 6
Source of this Information ........ 7
Our Laws ........ 7
Companies ........ 8
Technical Nature of this Information ........ 8
Credibility of this Research ........ 9
Privacy vs Security ........ 10
Motivation ........ 11
Terminology ........ 12
Your Home Network ........ 13
The Hack ........ 16
How it Works ........ 16
The Attacks ........ 21
Internal Network Access ........ 21
Man-In-The-Middle Attack ........ 22
All SSL Certificates Compromised in Real-Time ........ 23
Theft of Private Keys ........ 24
The Kill Switch ........ 26
Uploading/Download Content ........ 26
Hacking in to a VOIP/Video Conferences in Real-Time ........ 26
Tor User/Content Discovery ........ 27
Encrypted Content ........ 27
Covert International Traffic Routing ........ 27
Activists ........ 27
Destroy Systems ........ 27
Censorship ........ 28
Mobile WIFI Attacks ........ 28
Document Tracking ........ 28
2G/3G/4G Mobile Attacks ........ 29
Basic Defense ........ 30
Secure your end-points ........ 30
Inbound Defense ........ 31
Outbound Defense ........ 32
More Defense Tips ........ 33
MITM Defense ........ 34
TCPCRYPT ........ 35
Frequently Asked Questions ........ 36
Why Full Disclosure? ........ 36
Who should read this information ........ 36
Why does this document exist ........ 36
What about the debate, the balance? ........ 36
I'm an American, does this apply to me ........ 36
Will stopping BTAgent software stop these Attacks ........ 37
Is it possible that BT is unaware of this ........ 37
My equipment is completely different? ........ 37
I've never done anything wrong ........ 37
How can I verify this myself ........ 37
I would like to donate and support your work ........ 37
How you can verify ........ 38
Easy Confirmation ........ 39
Hard Confirmation ........ 40
The UN-Hack ........ 45
Barriers ........ 47
Social Attacks on Engineers ........ 48
Counter-Intelligence ........ 49
NSA Honeypots ........ 49
About the Authors ........ 50
Our Mission ........ 50
Donations ........ 50
UPDATE 2 ........ 51
U.S. DOD IP Addresses ........ 52
U.K. MOD IP Addresses ........ 52
Locations of Attacker Networks ........ 53
Notes: ........ 60

Preface

When the Government, Telecommunications companies and Internet Service Providers implant secret spying equipment in your home without your knowledge or consent under the guise of something else, then use that equipment to infect your computers and spy on your private network activity (not the internet), we believe you have a right to know. It is not possible to make these claims without actual proof and without naming the actual companies involved. These events coincide with the global surveillance systems recently disclosed and they further confirm the mass scale of the surveillance and how deeply entrenched the Governments are in our personal lives without our knowledge. The methods we disclose are a violation of security and trust. Good Information Security (InfoSec) dictates that when we discover such back doors and activity, we analyze, understand, publicize and fix/patch such security holes. Doing otherwise is morally wrong. What is revealed here is the missing piece to the global surveillance puzzle that answers key InfoSec questions, which include: How do the NSA/GCHQ perform Computer Network Exploitation? We reveal the actual methods used by the NSA/GCHQ and others that allow them to instantly peer into your personal effects without regard for your privacy, without your knowledge and without legal due process of law, thus violating your Human Rights, simply because they can.

Disclosures

The risks taken when such activity is undertaken are “Being Discovered” and the activity being “Publicly Exposed”, as well as the “Loss of Capability”.

Source of this Information


“The simple knowledge that we may be clandestinely observed in our own homes provided the determination to find the truth, which we did.”

This information is not the result of any knowledge of classified documents or leaks, but is based on information in the public domain and our own fact-finding mission: Forensic and Network Analysis Investigations of private SOHO networks located in the UK. As we detail the methods used, you will see that information was uncovered fairly, honestly and legally, on private property, using privately owned equipment.

Our Laws

There is no law that we are aware of that grants the UK Government the ability to install dual use surveillance technology in millions of homes and businesses in the UK. Furthermore, there is no law we are aware of that further grants the UK Government the ability to use such technology to spy on individuals and families in their own homes on the mass scale that this system is deployed. If there are such hidden laws, the citizens of the UK are certainly unaware of them and should be warned that such laws exist and that such activity is being engaged in by their own Government. All of the evidence presented is fully reproducible. It is our belief that this activity is NOT limited to the UK.

Companies

BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the UK, as our evidence will demonstrate. BT have directly enabled Computer Network Exploitation (CNE) of all its home and business customers.

Technical Nature of this Information

The information described here is technical; this is because, in order to subvert technology, the attackers need to be able to fool and confuse experts in the field and keep them busy, slowing them down. Regardless, the impact and effect can be understood by everybody. Your main take-away from this disclosure is to understand conceptually how these attacks work; you can then put security measures in place to prevent such attacks.

Credibility of this Research

We first made our discoveries in June 2013 and kept silent so that we could research the capabilities without being detected. As more Edward Snowden disclosures were published it became crystal clear that what we discovered is a major component of the surveillance system. Those who wish to discredit our evidence, feel free to do so, but do so on a technical level; simply claiming “it's not true” or performing some social attack simply re-enforces it and identifies the “discreditor” as an agent of the NSA/GCHQ or an agent of the global surveillance system. Our evidence is based on publicly available UNMODIFIED firmware images. To verify our claims using UNMODIFIED images requires connecting a USB-to-serial port to the modem motherboard, which allows you to login (admin/admin) and verify yourself. As most people will find this difficult, we provide a link to third party MODIFIED images based on the official BT release of GNU source code that allow you to telnet to the device (192.168.1.1); this modified version includes the same backdoor. These can be found here: http://huaweihg612hacking.wordpress.com/ and http://hackingecibfocusv2fubirevb.wordpress.com/ The MODIFIED images have been publicly available since August 2012, long before the Edward Snowden disclosures. The methods we published allow confirmation without having to open the device. However, if you are suspicious of the MODIFIED firmware from August 2012, simply connect to the USB serial port of your own existing unmodified modem and login to verify; either way the results will be the same.

Privacy vs Security

Loss of privacy is a breach of personal security, and the legal violation of privacy is purely a consequence of that security loss. We've focused on the technical breach of security, i.e. the Computer Network Exploitation itself, and by fixing that you can restore at least some of your personal privacy. This illustrates that there is no such thing as a balance between security and privacy: you have them both or you have none.

Motivation

After studying in detail the revelations by Edward Snowden, we realized there was a large missing part of the puzzle. There has been little to nothing published on specifically how the attackers technically achieve their goals. Most information published is based on theoretical situations. If we don't know how hackers actually achieve these security breaches, we cannot defend against such breaches. For example, a slide similar to the following was published; of all the slides released, it's uninteresting and easily dismissed, as it simply describes what is commonly known as a theoretical Man-In-The-Middle attack.

The media focus of the slide is of course Google's Servers, and your first thought might be, 'this is Google's problem to solve', but what if 'Google Server' was 'My Bank's Servers'? You would probably be more concerned, because that may directly affect you. But we thought, what if 'Google Server' was 'Any Server, Anywhere?'

Our investigation led us to uncover and understand how this attack really works in practice, how it is implemented and the hair-raising reality of its true nature, and that is: this is not just a back door, but an entire attack platform and distributed architecture.

Terminology

To ease explanation, we are going to use standard security terms from here on.

Attacker - GCHQ, NSA, BT Group or any combination.

The Hack - The technical method used by the attackers to illegally break into your home network, computers and phones.

Basic Security

Your Home Network

In order to explain how these Computer Network Exploitation attacks work and how this affects you personally, we must first look at the architecture of a typical home or office network. Look familiar to you?

Most Internet connections consist of a DSL type modem and one or more Ethernet ports attached to the modem, to which you connect your computers, devices and add-on switches etc. There are two security factors in operation here: a) NAT based networking, meaning that your home computers are hidden and all share a single public IP address; b) your modem has a built-in firewall which blocks inbound traffic. The inherent security assumption is that data cannot pass from the inbound DSL line to a LAN switch port without first being accepted or rejected by the built-in firewall.

For the technically minded, these security assumptions are further re-enforced if the modem's software is open source, e.g. using Linux, and its source code is freely and openly available as per the GNU GPL requirements. Given that the above is the most common architecture on the Internet, as it applies to almost every home and office, everywhere, let's now revisit that first slide, but this time we ask one simple question: How do the attackers get between You and Google or some other service?

On closer inspection of the diagram you will notice that “Google Request” and the Attacker (Log into Router) share the same router. When this slide was released, we all assumed that this router was either Google's own router or some upstream router; that way the attacker could intercept packets and perform a Man-In-The-Middle (MITM) attack. However, this would not work for every website or service on the Internet. The attacker would need to be upstream everywhere!

So where does the attacker hide? Where is this Common Router? Again we ask: How do the attackers get between You and Google or some other service?

Let's examine the diagram one last time.

You guessed it, it's right inside your house. It's the router supplied by your trusted Internet Service Provider (ISP).

If this is true, it means that you are being Internet wiretapped, because the attacker has entered your private property and unlawfully accessed your computer equipment. Unlike a lawful interception, in which a warrant is served on the third party (ISP) and the intercept happens at the ISP's property upstream and outside your property, this is happening in your home or office, without your knowledge, without your permission, and you have not been served with a search warrant as is required by law. But worse is the fact that this architecture is designed for Cyber Attacking in addition to passive monitoring, as we will detail next.

The Hack

This example is based on the UK version of what we are calling The Hack, using BT Internet services. If you are not in the UK, and regardless of the service, you should always assume that the exact same principles detailed here are always being used against you, regardless of your country or ISP. The Hack is based on the fact that a second secret/hidden network and second IP address is assigned to your modem. Under normal use, you cannot detect or see this from your LAN, but the attacker has direct access to your modem and LAN in your house from the Internet.

How it Works

When the DSL connection is established a covert DHCP request is sent to a secret military network owned by the U.S. Government D.O.D. You are then part of that U.S. D.O.D. military network; this happens even before you have been assigned your public IP address from your actual ISP. This spy network is hidden from the LAN/switch using firewall rules, and traffic is hidden using VLANs; in the case of BT et al, it uses VLAN 301, but other vendors' modems may well use different VLANs. The original slide has a strange number @A@ with a grey background; we think this represents the VLAN number/Vendor number, so BT would be 301. This hidden network is not visible from your “Modem's Web Interface” and not subject to your firewall rules, also not subject to any limitations as far as the switch portion of your modem is concerned, and the hidden network also has all ports open for the attacker. Other tools and services are permanently enabled inside the modem which greatly aid the attacker, such as Zebra & Ripd routing daemons, iptables firewall, SSH remote shell server, along with a dhcp client. These tools allow the attacker to control 100% of the modem functionality from the Internet and in an undetectable manner. E.g., the attacker can forward all your DNS requests to their private network; they can selectively route specific protocols, ports or networks, or everything, to their network, and by default they do. Although the hidden network is owned by U.S. D.O.D., it is located within the UK, as the ping time to the attacker's IP gateway is < 8ms from within the UK. This clearly demonstrates that the UK Government, U.S. Government, U.S. Military and BT are co-operating together to secretly wiretap all Internet users in their own homes (with few exceptions). The modems are provided by BT and locked down. If you cannot confirm otherwise, you must assume that all ISPs in the UK by policy have the same techniques deployed. Your home network actually looks something like the following diagram. To the right is the WHOIS record of the network our modems are automatically connected to; yours may vary.

The above hidden network is created automatically in all our test cases across a wide range of modems. It should be noted that even before your Point-to-Point over Ethernet (PPPoE) request is issued, this hidden network is already fully operational. So much so, that your LAN can be directly accessed even when you think your modem is off-line. This is an extremely complex and covert attack infrastructure and it's built right into your modem's firmware, which can also be updated remotely as required by the attacker using the built-in BTAgent. The Hack attack is turned on by default, but is selectively turned off for special purposes or specific dangerous customers, for example, for certain software, firmware and hardware developers/engineers (which may include you), so that these people don't discover The Hack. The attacker identifies these specific “threats” and marks their Internet connections as “NO DHCP”, such that the same dhcpc requests from their telephone lines are ignored, and while these requests are ignored the hidden network will not appear inside their modem and is much harder to discover. Firmware engineers usually want to know if the modems are using Open Source software such as Linux and Busybox, in which case they are subject to the terms of the GNU Public License. These engineers as well as tech savvy users may wish to put their own software (e.g. OpenWRT) on these modems, maybe because they don't trust their ISP, but are prevented by their ISP for obscure reasons. Most modem providers usually violate copyright law by not releasing the source code, and BT was no exception to this rule. Only by the threat of legal action did they release the source code. However, BT still prevents the modems from being updated by their customers or third parties. BT goes to extreme lengths to prevent anyone from changing the firmware, and those that come close are first subjected to Physical and Psychological Barriers explained later, and the few that overcome that are subjected to a separate NSA/GCHQ targeted Social Attack designed specifically to derail any engineering progress made; this is also explained later. These attacks are almost always successful. During these attacks, BT uses all the information discovered by the engineers to produce firmware updates that prevent anyone else using those same techniques, under the guise of security and protecting the customer, and this is performed without notice to any customers. As we move to new generations of hardware, the modems are very sophisticated and very covert, and the engineers capable of even attempting to replace the firmware become practically non-existent. As we detail, the sole purpose of locking the modem is to prevent people discovering that they are actually being wiretapped by BT on behalf of NSA/GCHQ.

As a side note, NSA describe Linux/Open Source as Indigenous and a SIGINT target.

NSA documents describe this means of SIGINT collection as:

Others include:

and
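A defensive check for the hidden-VLAN behaviour described under How it Works: the block below (added here, not code from the original document) parses 802.1Q-tagged Ethernet frames captured on the modem's uplink and flags DHCP traffic on any VLAN other than the ones your ISP is known to use. The allowed VLAN 101, the MAC addresses and the sample frames are constructed assumptions for the demonstration; VLAN 301 is the value the document names.

```python
import struct
from ipaddress import IPv4Address

# Assumption for the demo: the only VLAN the ISP is documented to use on this line.
ALLOWED_VLANS = {101}
DHCP_PORTS = {67, 68}

def build_frame(vid, src_ip, dst_ip, sport, dport, payload):
    """Constructed test frame: Ethernet II + 802.1Q tag + IPv4 + UDP (checksums left 0)."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("0242ac110002")  # dst, src (made up)
    tag = struct.pack("!HH", 0x8100, vid & 0x0FFF)          # TPID, TCI with PCP/DEI = 0
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + tag + struct.pack("!H", 0x0800) + ip + udp

def parse_frame(frame):
    """Return (vid, src_ip, dst_ip, sport, dport, payload) for a tagged IPv4/UDP frame, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != 0x8100:
        return None                                  # untagged or truncated
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    ip = frame[18:]
    if ethertype != 0x0800 or len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:             # protocol 17 = UDP
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (vid, str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20])),
            sport, dport, ip[ihl + 8:])

def find_rogue_dhcp(frames, allowed=ALLOWED_VLANS):
    """DHCP (BOOTP) traffic seen on a VLAN that is not in the allowed set."""
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        vid, src, dst, sport, dport, payload = parsed
        if vid in allowed or not ({sport, dport} & DHCP_PORTS):
            continue
        op = payload[0] if payload else None         # BOOTP op: 1 = request, 2 = reply
        findings.append({"vid": vid, "src": src, "dst": dst,
                         "kind": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, "unknown")})
    return findings

# Constructed sample capture: a legitimate discover on VLAN 101, then a discover
# and a reply on VLAN 301 (the VLAN the document names), plus unrelated UDP.
BOOTREQUEST = bytes([1, 1, 6, 0]) + bytes(236)       # op, htype=Ethernet, hlen=6, hops
BOOTREPLY = bytes([2, 1, 6, 0]) + bytes(236)
SAMPLE_FRAMES = [
    build_frame(101, "0.0.0.0", "255.255.255.255", 68, 67, BOOTREQUEST),
    build_frame(301, "0.0.0.0", "255.255.255.255", 68, 67, BOOTREQUEST),
    build_frame(301, "10.0.0.1", "10.0.0.23", 67, 68, BOOTREPLY),
    build_frame(101, "192.0.2.10", "192.0.2.1", 5353, 5353, b"not dhcp"),
]

if __name__ == "__main__":
    for f in find_rogue_dhcp(SAMPLE_FRAMES):
        print(f"DHCP {f['kind']} on unexpected VLAN {f['vid']}: {f['src']} -> {f['dst']}")
```

On a real capture you would feed raw frames from a pcap instead of SAMPLE_FRAMES; many NICs strip 802.1Q tags on receive, so capture on the tagged side of the link or disable VLAN offload first.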

Your Real Network

The following is a more realistic view of your home network and what is now possible, given the attacker now has secret access to your home LAN.

It is now a simple matter to use other tools and methods available to the attacker to penetrate your internal computers; this includes:

- Steal private VPN/SSH/SSL/PGP keys
- Infect machines with viruses
- Install key loggers
- Install screen loggers
- Clone/destroy hard drives
- Upload/destroy content as required
- Steal content as required
- Access Corporate VPNs
- Clean up after operations
- Route traffic on demand (e.g. MITM)
- Censorship and Kill Switch
- Passive observation

The Attacks

This section lists the attacks on you that are now possible by the NSA/GCHQ. Later, we show how you can defend against these attacks, and it would be wise to implement our defenses with immediate effect. Unlike the revelations so far by Snowden, where the attacks occur out there somewhere on the Internet, these attacks happen in your home/office. The attacks listed are the most obvious attacks; some are mentioned in Edward Snowden revelations and referred to as Computer Network Exploitation (CNE).

Internal Network Access

The attacker has direct access to your LAN and is inside your firewall. Your modem acts as a server; it listens on lots of ports such as SSH (22) and TELNET (23), so the attacker can just hop on to it (but you cannot). This is possible because another hidden bridged interface exists with its own VLAN. Firewall rules do not apply to this interface, so the attacker can see your entire LAN and is not subject to your firewall rules, because those rules apply to the BT link (black line) not the attacker's link (red lines). When you scan your BT Public IP address from outside, you may well only see port 161 open (BTAgent, more on this later), but when scanned from the attacker's network, all necessary ports are open and with an SSH daemon running (even the username and password are the basic admin:admin). Basically the attacker is inside your home network, and ironically, in most cases, right behind your actual curtain (where the modems are usually located). This is the digital version of Martial Law with a Cyber Attack Soldier in every home in the country. The first task of the attacker is to perform a site survey and learn as much as possible about all the devices attached to your network. All your hardware can be identified by the specific MAC addresses and then fingerprinted for specific protocols and software versions. All this cannot be detected unless you are logged into your locked modem. The above is just the base platform of the NSA/GCHQ from which hundreds of types of attacks are now possible, which now include all of the following:

Man-In-The-Middle Attack

The attacker controls all outbound routes; he can easily perform an HTTPS Man-In-The-Middle attack by forwarding specific traffic for port 443 or a destination network to a dedicated MITM network which he controls (as per previous slides). The only thing required is a valid SSL certificate + key for a specific domain (which he already has, see below). The attacker is between you and any site you visit or any service you use (not just websites), e.g. Skype, VOIP, SSH etc. The attacker simply creates a static route or, more easily, publishes a Routing Information Protocol (RIP) request to the Zebra daemon running in the router for the target network address, and your traffic for that network will then be routed to the attacker's network, undetectable by you. The attacker can then use asymmetric routing: upon examination of the requests he can filter specific requests he is interested in and respond to those, but let the target website server or service respond to everything else. The key here is that traffic from the target website back to the user does not then have to go via the attacker's hidden network; it can go directly back to the user's public IP (which would be logged by the ISP). MITM can be on any port or protocol, not just HTTPS (443), for example your SSH connections, all UDP or GRE, PPTP, IPSec etc., or any combination of anything.
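The RIP route-injection step described above, seen from the defender's side (an added example, not code from the original document): it parses RIPv2 datagrams (UDP/520) and flags any RESPONSE whose effective next hop is not a router you trust, which is what a rogue announcement steering a destination network towards a MITM network looks like on the wire. The trusted gateway 192.168.1.1 (the modem address the document gives), the sender addresses and the datagrams are constructed for the demonstration.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

RIP_PORT = 520
# Assumption for the demo: the modem is the only router allowed to announce routes.
TRUSTED_NEXT_HOPS = {"192.168.1.1"}

def parse_ripv2(packet):
    """Parse a RIPv2 datagram (RFC 2453 layout) into (command, version, entries)."""
    if len(packet) < 4 or (len(packet) - 4) % 20:
        raise ValueError("not a RIP datagram: bad length")
    command, version = packet[0], packet[1]
    if version != 2:
        raise ValueError("only RIPv2 entries carry a netmask and next hop")
    entries = []
    for off in range(4, len(packet), 20):
        afi, tag, ip, mask, nh, metric = struct.unpack("!HH4s4s4sI", packet[off:off + 20])
        if afi == 0xFFFF:                 # authentication entry, not a route
            continue
        network = IPv4Network((ip, str(IPv4Address(mask))), strict=False)
        entries.append({"afi": afi, "tag": tag, "network": str(network),
                        "next_hop": str(IPv4Address(nh)), "metric": metric})
    return command, version, entries

def build_ripv2_response(routes):
    """Constructed RIPv2 RESPONSE (command 2); routes are (cidr, next_hop, metric)."""
    body = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0, IPv4Network(net).network_address.packed,
                    IPv4Network(net).netmask.packed, IPv4Address(nh).packed, metric)
        for net, nh, metric in routes)
    return struct.pack("!BBH", 2, 2, 0) + body

def suspicious_routes(packet, sender_ip, trusted=TRUSTED_NEXT_HOPS):
    """Entries that would send traffic through a router outside the trusted set.

    RFC 2453: a next hop of 0.0.0.0 means 'via the sender of this datagram', so an
    update from an unknown sender is suspicious even when every entry says 0.0.0.0.
    Only RESPONSE messages install routes; a REQUEST merely asks for the table.
    """
    command, _version, entries = parse_ripv2(packet)
    if command != 2:
        return []
    flagged = []
    for entry in entries:
        hop = sender_ip if entry["next_hop"] == "0.0.0.0" else entry["next_hop"]
        if hop not in trusted:
            flagged.append({**entry, "effective_next_hop": hop, "sender": sender_ip})
    return flagged

# Constructed samples: the modem refreshing a default route, and a second speaker
# injecting a more specific route for a public /24 (the dedicated MITM network
# scenario) with a low metric so that it wins over the default route.
LEGIT = build_ripv2_response([("0.0.0.0/0", "0.0.0.0", 1)])
ROGUE = build_ripv2_response([("203.0.113.0/24", "10.44.0.1", 1),
                              ("198.51.100.0/24", "0.0.0.0", 2)])

if __name__ == "__main__":
    for src, pkt in (("192.168.1.1", LEGIT), ("192.168.1.254", ROGUE)):
        for r in suspicious_routes(pkt, src):
            print(f"rogue route {r['network']} via {r['effective_next_hop']} "
                  f"(announced by {r['sender']}, metric {r['metric']})")
```

The underlying weakness is a routing daemon that accepts unauthenticated RIP at all; where you control the router, disable RIP or require RIPv2 authentication, and treat any UDP/520 from an address outside the trusted set as an alert.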

All SSL Certificates Compromised in Real-Time

The security of Public Key Infrastructure (PKI) is based primarily on the security of the owner's private keys. These private keys are not necessarily required in order to perform a MITM attack. All that is required is an actual duplicate signed certificate using NSA/GCHQ's own private keys. The MITM attack can be as simple as running a transparent proxy, and you will always see a valid certificate but be unable to detect the attack. At the point of the proxy all your traffic is decrypted in real-time, at which point targeted packet injection can occur or the traffic can simply be monitored. It makes perfect sense that the trusted Certificate Authority (CA) actually makes a second duplicate SSL certificate with a separate set of NSA-provided private keys, as the CA never sees the real certificate owner's private keys. When you send your Certificate Signing Request (CSR) and order your SSL Certificate, a duplicate signed certificate is then automatically sent to the NSA and stored in their “CES Paring database” as per Snowden releases. We must therefore assume that NSA/GCHQ already have a duplicate of every PKI certificate+key (key different from yours). This means as soon as you revoke or renew your certificate, the NSA is ready and waiting again, allowing them to do real-time decryption on almost any site anywhere across any protocol that uses PKI.
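The duplicate-certificate scenario above, from the defender's side (an added example, not code from the document): a certificate issued for the same name but over a different key pair still validates against the CA, but its SubjectPublicKeyInfo differs, so pinning the SHA-256 of the SPKI (the HPKP-style pin) tells the genuine certificate and the duplicate apart. The two certificates are constructed X.509 DER skeletons with dummy RSA keys and a zero placeholder signature, built here only to exercise the pin check.

```python
import hashlib

def der(tag, content):
    """Minimal DER TLV encoder (definite-length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content

def der_children(content):
    """Split a SEQUENCE/SET body into (tag, whole_tlv, inner) triples."""
    out, pos = [], 0
    while pos < len(content):
        start, tag, length, pos = pos, content[pos], content[pos + 1], pos + 2
        if length & 0x80:                               # long-form length
            k = length & 0x7F
            length, pos = int.from_bytes(content[pos:pos + k], "big"), pos + k
        out.append((tag, content[start:pos + length], content[pos:pos + length]))
        pos += length
    return out

def tbs_fields(cert_der):
    """Top-level fields of tbsCertificate: [version], serial, sigAlg, issuer, validity, subject, spki."""
    cert_content = der_children(cert_der)[0][2]        # Certificate ::= SEQUENCE { tbs, alg, sig }
    tbs_content = der_children(cert_content)[0][2]     # first element is tbsCertificate
    return der_children(tbs_content)

def subject_public_key_info(cert_der):
    """Return the DER of the SubjectPublicKeyInfo TLV, which is what SPKI pins hash."""
    fields = tbs_fields(cert_der)
    index = 6 if fields[0][0] == 0xA0 else 5            # [0] EXPLICIT version is optional
    tag, tlv, _inner = fields[index]
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    return tlv

def spki_pin(cert_der):
    return hashlib.sha256(subject_public_key_info(cert_der)).hexdigest()

def pin_matches(cert_der, pinned):
    """True only if the presented certificate carries one of the pinned public keys."""
    return spki_pin(cert_der) in pinned

def fake_cert(common_name, modulus_bytes):
    """Constructed X.509 v3 skeleton: dummy RSA key, unsigned placeholder signature."""
    rsa_enc = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) +
                                    der(0x0C, common_name.encode()))))
    validity = der(0x30, der(0x17, b"131201000000Z") + der(0x17, b"141201000000Z"))
    rsa_key = der(0x30, der(0x02, b"\x00" + modulus_bytes) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, rsa_enc + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg +
              name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(16)))

# Constructed: the site's genuine certificate and a duplicate for the same subject
# issued over a different key pair, as the document's scenario describes.
GENUINE = fake_cert("www.example.com", b"\xC3" * 64)
DUPLICATE = fake_cert("www.example.com", b"\x9A" * 64)
PINS = {spki_pin(GENUINE)}                              # recorded out of band or on first contact

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("duplicate", DUPLICATE)):
        print(label, "pin", spki_pin(cert)[:16], "matches" if pin_matches(cert, PINS) else "MISMATCH")
```

The pin check supplements normal chain validation rather than replacing it; pins must be recorded out of band and rotated together with the key.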

*,

Uncovered //NONSA//NOGCHQ//NOGOV - CC BY-ND Theft of -rivate 6eys Home net/or;s are .s.all& ver& insec.re- mainl& beca.se onl& &o. or 3amil& .se them- &o.r g.ard is do/n and &o.r SSH- @4N- 4G4 - SS" ;e&s are all v.lnerable to the3t b& the attac,er and his available methods2 The *ac, is the ;e& mechanism that enables these the3ts2 As an eEample o3 the above- i3 &o. .se the modems b.ilt-in @4N 3eat.re- &o. .s.all& add &o.r certi=cate and private ;e& to the modem or generate them both via its /eb inter3ace- at some later time- the attac,er can j.st cop& these ;e&s to the IC#S 4airing databaseJ via his private net/or;- the data collected 3rom S$G$N0 can later be decr&pted oG-line or in real-time2 $n the case o3 ;e&s eEtracted 3rom the modems b.ilt-in @4N- the IC#S 4aring databaseJ no/ contains the real ;e&/cert pair- meaning the attac;er can no/ attac; the @4N server environment directl& /hen that server /o.ld have not being eEploitable other/ise2 0he attac,er can also mas; as the gen.ine .ser b& per3orming the server attac; 3rom /ithin the .sers modem ( sing the correct so rce I/ address%this /a& nothing .n.s.al /ill appear in the @4Ns logs2 (nce inside the parameter o3 the @4N server the c&cles repeats2 :o. sho.ld assume that all I ig randJ @4Ns and ro.ters .se the eEact same attac; strateg& and architect.re /ith variances in the speci=c implementation e2g2 ig rand s.pports $4Sec- "ittle rand s.pports 4404 2 0he NSA .llr.n G.ide states1

“The fact that Cryptanalysis and Exploitation Services (CES) works with NSA/CSS Commercial Solutions Center (NCSC) to leverage sensitive, cooperative relationships with specific industry partners”. Specific implementations may be identified by specifying Equipment Manufacturer (Big Brand/Make/Model), Service Provider (ISP) or Target Implementation (specific modem/router implementation). In this disclosure, we are interested in “Target Implementation”, because in our example case, BT has covertly implanted these devices in homes where there is an absolute expectation of privacy, whereas the other implementations exist within the ISP or large corporations in which you cannot expect privacy. It's important to remember that “Big Brands” also make small SOHO DSL and

cable modems. Further evidence of the mass global distribution of this technology to at least the 14 Eyes: USA, GBR, CAN, AUS, NZL, FRA, DEU, DNK, NLD, NOR, ESP, ITA, BEL, SWE and almost certainly many more countries. Quote from GCHQ regarding their ability to steal your private keys:

It is imperative to protect the fact that GCHQ, NSA and their Sigint partners have capabilities against specific network security technologies as well as the number and scope of successes. These capabilities are among the Sigint community's most fragile, and the inadvertent disclosure of the simple 'fact of' could alert the adversary and result in immediate loss of the capability. Consequently, any admission of 'fact of' a capability to defeat encryption used in specific network communication technologies or disclosure of details relating to that capability must be protected by the BULLRUN COI and restricted to those specifically indoctrinated for BULLRUN. The various types of security covered by BULLRUN include, but are not limited to, TLS/SSL, https (e.g. webmail), SSH, encrypted chat, VPNs and encrypted VOIP. And Reports derived from BULLRUN material shall not reveal (or imply) that the source data was decrypted. The network communication technology that carried the communication should not be revealed.

From the NSA:


The Kill Switch

Actual capabilities uncovered here include the ability to apply physical censorship on the Internet by governments directed at individuals, groups, companies, entire countries or the majority of the users of the Internet at once (given a coordinated government agreement). This is something that can be turned on globally within minutes. This “kill switch” is only a small portion of the total capabilities available that are in place right now. Essentially, any operation that can be applied using a single firewall or RIP router can be applied to every customer at once.

Uploading/Download Content

The attacker can upload or download content via either your public ISP's network or via his private hidden network. The difference is that your ISP could confirm or deny from their logs that the user did or did not upload/download content from/to a particular source. In other words, the possibility and ability to frame someone cannot ever be overlooked. When the attackers steal content, that information always travels via the private network.

Hacking in to VOIP/Video Conferences in Real-Time

As an example, it's a trivial matter for the attacker to route specific traffic for a specific media protocol such as VOIP (SIP/H.323/RTSP) etc. to his network in real-time; these protocols are usually not encrypted so no key theft is required. In the case of Skype, it's no stretch of the imagination to assume that Microsoft handed over the keys on day one. Those they do not redirect in real-time, as we know, will be collected via upstream SIGINT.


Tor User/Content Discovery

Users of the Tor network can easily be discovered by LAN packet fingerprinting, but also by those who download the Tor client. The attacker can stain packets leaving your network and before entering the Tor network, making traffic analysis much easier than was previously known. All Tor traffic can be redirected to a dedicated private Tor network controlled by the attacker; in this way the attacker controls ALL Tor nodes and so can see everything you do from end-to-end. This is not something the Tor project can fix, it can only be fixed by the user following our methods. Tor hidden services should drop all traffic from un-trusted Tor nodes; this way clients running in the simulated Tor network will fail to connect to their destination.

Encrypted Content

The attacker is in your network and has all the tools necessary (such as operating system back doors) or zero day vulnerabilities to hack into your computers and steal your VPN, PGP, SSH keys as well as any other keys they desire. Also, content that is encrypted can be captured before encryption via any number of methods when the attacker is already inside your network.

Covert International Traffic Routing

The attacker can secretly route your traffic to the U.S. without your permission, consent or knowledge, thus bypassing any European data protection or privacy laws.

Activists

We have seen many activist groups and protest organizers identified and silenced over the past few years; we believe this is the primary method used to capture activists. Knowing the victims' ISP would indicate which ISPs are involved.

Destroy Systems

Released documents state that the U.S. Cyber Command have the ability to disable or completely destroy an adversary's network and systems; the first step to this would be to penetrate the adversary's network firewall, making secondary steps much easier.


Censorship

The attacker has control of the hidden firewall, so it is easy for the attacker to simply block traffic based on specific ports or based on destination address or network route; for example, the government can block port 8333 at source and therefore block all Bitcoin transactions. A coordinated attack on the Bitcoin network is possible by blocking ports of Miners around the world, reducing the hash rate and blocking transactions.

Mobile WIFI Attacks

Mobile devices (phones/tablets etc.) are as easily accessible once they connect to your WIFI network, which is, from the attacker's perspective, just another node on your LAN that the attacker can abuse. The level of sophistication or advanced encryption in use by your WIFI is no defense because the attacker has gained a trusted position in your network. All MAC addresses gathered from your LAN are stored in the XKEYSCORE database so they can be used to identify specific devices and specific locations, allowing the attacker to track you without the aid of GPS or where no GPS signal exists.

Document Tracking

Microsoft embeds the physical MAC addresses of the computer inside documents it creates. This allows the source of a document to be identified easily. The following is from the XKEYSCORE PowerPoint.



The Mobile Hack


2G/3G/4G Mobile Attacks

Given the NSA/GCHQ plan to spy on “any phone, anywhere, any time”, The Hack detailed in this document is a carrier independent method to achieve that goal that works very well. The attacker will almost certainly reuse the same strategy for all mobile phones or wireless broadband devices. Your mobile phone (2G/3G/4G) is almost certainly subject to this same attack architecture because from the attacker's perspective, his side of the infrastructure would remain the same regardless of the device being attacked. A mobile phone these days is simply a wireless broadband modem + phone, so any encrypted messaging system for example can be captured before encryption. Therefore mobile phones are subject to all the same and many more attacks as per The Hack. This would mean that mobile phone makers may well be in collusion with the NSA/GCHQ because they would need to implement the equivalent routing and firewall ability in each mobile phone as part of the OS if it was to remain hidden. The mobile phone version of The Hack is also much more difficult to detect than the broadband version. Mobile phones make more use of IPv6 and the overall complexity of IPv6 means that even experts may not know what they are looking at in the routing tables even if they could see them. Carriers often have multiple IPs for different services they provide. Even top-up mobile phones without any credit can be accessed; for example, the mobile phone's top-up services are always available and their DNS servers are always accessible regardless of your top-up credit state. Modern kernels use multiple routing tables (e.g. ip rule show) for policy based routing, so again unless you confirm who owns a specific IPv6 range, it will be difficult to spot, especially as firmware hackers are not even looking for such back doors. Maybe now they will. We do not provide defense methods for Mobile Phones at this time.


Basic Defense
Knowing how you are being attacked is half the battle, but in this case, due to the attacker's abuse of a privileged position and the fact that the attacker is your own government and its foreign partners, defense is much more difficult compared to a common virus, worm or hacker. One of the best defenses is to take Legal action against BT or your ISP.

If you are serious about your privacy, don't expect any help from your attackers (as attackers never help their victims). You must ensure your own privacy. Before we explain practical defenses, here are some good tips.

Secure your end-points

- Never ever trust ISP supplied equipment (e.g. router, firewall, STBs); always consider such devices as hostile and position them in your network architecture accordingly, i.e. in the Militarized Zone (MZ)
- Do not use any built-in features of ISP equipment (e.g. Firewalls, VPNs)
- Never ever trust a device that has any closed source firmware or other elements, regardless of the excuses your attacker gives you
- Never trust a device whose firmware you cannot change yourself, regardless of “big brand” names
- Disable all protocols that you don't use or don't understand, especially TR-069 and any other Remote Management features; these are all part of the surveillance control system (e.g. BTAgent firmware update)
- Always use a second Linux firewall which you control, that you have built
- Control all your NAT on your second Linux firewall, not the ISP's supplied router
- Make sure you control all end-points whenever possible
- Ensure that 100% of packets, UDP/TCP (e.g. including DNS), are encrypted leaving your second firewall (this is the key to end-point security); this requires using the Outbound Defense method described later
- Always use a VPN and remote proxy that you control or trust, and disable logging altogether to protect privacy. This requires using the Outbound Defense method described later


Inbound Defense
This defense method against most NSA/GCHQ Inbound attacks is fairly easy to implement and not too technical; everybody at a minimum should include this method in their defense strategy. The strategy will only prevent NSA/GCHQ from hacking into your home/office LAN. It cannot prevent other direct attacks because the attacker can still intercept and route all packets leaving your property.

A second Linux firewall device (blue in the diagram) that you control and manage is placed in front of the ISP router, effectively placing the ISP's router in the Militarized Zone (MZ), i.e. the Internet. A single cable (red) is used to link the LAN of the ISP router to the Internet LAN port of the Linux firewall. Block all inbound access including multicast packets from the ISP router, and run DHCP and NAT on your Linux firewall. Your second firewall can then issue PPPoE requests via its Internet port and create a local ppp0 device which will be its new Internet connection. All packets leaving the firewall will now be PPPoE encapsulated.


4utbound Defense
This defense method should be used against all NSA/GCHQ Inbound and Outbound attacks. This is the only sure fire method to protect Tor clients. This defense requires that you control/own/rent a Server or VM elsewhere on the Internet (far away from your ISP) and preferably in a different country. Run a VPN such as OpenVPN between your Linux Firewall (blue) and your VPS server (green cloud); there, you run Squid Proxy and DNS and block all inbound access except from your VPN. Always run your own DNS service on your VM/Server.
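As an added example that is not part of the original document, the following shell script expresses the Inbound Defense and Outbound Defense rules above as an iptables rule set for the second Linux firewall. The interface names (eth0 towards the ISP router, ppp0 for the PPPoE session the firewall brings up itself, tun0 for the OpenVPN tunnel, eth1 for the LAN), the LAN prefix 192.168.10.0/24 and the VPS address 203.0.113.10 are assumptions to be replaced with your own values.

```shell
#!/bin/sh
# Added example, not from the original document: rule set for the second
# Linux firewall described under Inbound Defense and Outbound Defense.
# Assumed interface names and addresses (adjust to your own box):
#   WAN_ETH  cable to the ISP modem/router (the "Militarized Zone"); carries PPPoE
#   PPP      the PPPoE session this firewall brings up itself over WAN_ETH
#   TUN      OpenVPN tunnel to your own VPS, the only permitted way out
#   LAN      the trusted home/office network
WAN_ETH="${WAN_ETH:-eth0}"
PPP="${PPP:-ppp0}"
TUN="${TUN:-tun0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
VPS_IP="${VPS_IP:-203.0.113.10}"   # placeholder from TEST-NET-3; put your VPS address here
VPS_PORT="${VPS_PORT:-1194}"       # OpenVPN listening port on the VPS
VPS_PROTO="${VPS_PROTO:-udp}"

# Emit the rule set one command per line. Keeping it in a function lets you
# review it (and check it mechanically) before a single rule is applied.
build_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound Defense: nothing from the ISP side reaches this box (PPPoE frames
# are not IP, so the session itself is unaffected by these rules)
iptables -A INPUT -i $WAN_ETH -j DROP
iptables -A INPUT -i $PPP -j DROP
# LAN may talk to the firewall (the DHCP/DNS it serves) and is forwarded
# into the tunnel only, never straight out over the PPPoE link
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN -s $LAN_NET -o $TUN -j ACCEPT
# Outbound Defense: the only clear-text packets on $PPP are the VPN itself
iptables -A OUTPUT -o $PPP -p $VPS_PROTO -d $VPS_IP --dport $VPS_PORT -j ACCEPT
iptables -A OUTPUT -o $PPP -j DROP
iptables -A OUTPUT -o $TUN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $TUN -j MASQUERADE
EOF
}

# Number of ACCEPT rules that let packets leave on the clear-text PPPoE
# link; exactly one is expected, the VPN connection to the VPS.
cleartext_exits() {
    build_rules | grep -c "^iptables -A OUTPUT -o $PPP .*-j ACCEPT$"
}

# Is there any forwarding path from the LAN that bypasses the tunnel?
# Prints "yes" or "no".
lan_bypass() {
    if build_rules | grep -q "^iptables -A FORWARD .*-o $PPP"; then
        echo yes
    else
        echo no
    fi
}

# Apply the rules in order, skipping comment lines; stops at the first
# failure. Needs root and a real iptables.
apply_rules() {
    build_rules | grep -v '^#' | while IFS= read -r cmd; do
        # shellcheck disable=SC2086
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

case "${1:-}" in
    --show)  build_rules ;;
    --apply) apply_rules ;;
esac
```

Run it with `--show` to review the rules and `--apply` (as root) to load them. `cleartext_exits` should always report exactly 1 and `lan_bypass` should report no; together they are the mechanical form of the requirement above that 100% of packets leaving the second firewall are encrypted, with the VPN connection to your own VPS as the single exception.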


An alternative short-term defense is to use OpenWRT router software that you install into the modem yourself so that you can confirm no hidden networks or IP addresses exist and that the firewall actually functions. However, this is technically impossible for most users. For open source router software visit https://openwrt.org/

More Defense Tips

- Isolate your WIFI from your LAN and limit by MAC address + strong passwords; alternatively, isolate your WIFI from your LAN and leave it open as a free hot-spot
- If you are capable, install your own router firmware (openwrt)
- Tell your ISP you do NOT want a router with back doors or malware in it; ask them to confirm in writing that back doors do not exist, this will help you in court when suing them
- Stop using any operating system that is known to contain back doors
- Only use Tor if you are using the Outbound Defense method, otherwise you could be using a NSA/GCHQ wonderland version of the Tor network
- It cannot be emphasized enough, never trust closed source routers
- Never use your ISP DNS servers



8IT8 Defense
Until now, it was not fully understood how a MITM actually worked with regard to how the attacker could get in the middle of any connection. Now we know with 100% confidence that the man is not in the middle, but in the modem, and that's how any individual can be subjected to a MITM attack. We hereby rename this attack the Man-In-The-Modem attack. As an alternative defense for the future in place of the previous (admittedly complex outbound defense), you could use TcpCrypt. You can prevent this attack by ensuring that your client and servers are running TcpCrypt, which is a TCP protocol extension. It works without any configuration and automatically encrypts TCP connections if both server and client support it, or it will fall back to no encryption. It's also 100% NAT friendly.

Once installed, this works for any port not just port 80; it will also protect HTTPS, SMTP, SSH and every other service.


T(-(":-T
T(-(":-T 0cpCr&pt is a ver& sec.re approach to man& o3 the problems posed b& the NSA/GCHQ beca.se its tr.e native end-to-end encr&ption and does not reC.ire a certi=cate a.thorit& and is 3ree open so.rce so3t/are2 0he NSA have tried to ;ill this project a n.mber o3 times and /ill contin.e to do so or limit its .se- &o. m.st not let that happen2

Let's get all TCP connections Encrypted by default!


Available now, free open source for Linux, Windows and OSX, visit:

http://www.tcpcrypt.org/

Kernel Developers - please support TcpCrypt Kernel Module

If you would like to see how NSA and GCHQ agents try to kill projects like this in public, view the video http://www.tcpcrypt.org/talk.php and go to 26:22 and hear the voice of the NSA and then GCHQ.



Frequently Asked Questions


Why Full Disclosure?

We are under no obligation to withhold this information from citizens of Europe; specifically we are not subject to any provisions of the Official Secrets Act of 1998 as we have never been:
- a member of the security and intelligence services
- a Crown servant or a government contractor

But more importantly because:
- This information was discovered on private property
- As security conscious users of the Internet, we identified serious intentional security flaws which need to be fixed, and fast
- The needs of the many outweigh the needs of the few
- Under the rule of law, the truth is an absolute defense and that is what we present here
- lastly, Because we can

Who should read this information

The intended audience is citizens of Europe, but anyone who is or could be a victim of global surveillance systems; this includes everybody in the world now and in the future.

Why does this document exist

When a person(s) or government takes away your inalienable rights such as your Right to Privacy (especially in your own home), you take it back. This is not something that can be negotiated or traded.

What about the debate, the balance?

There is no such thing as a balance between privacy and security; you either have them both or you have none.

I'm an American, does this apply to me

The NSA would only use this technique in the U.S. if they really thought they could go undetected. In the UK they have gone undetected until now (since 2011, as evidenced by the date of the firmware); you should assume that the U.S. is doing the same to all Americans and you should use the defenses as detailed herein as a precaution. We can turn off the lights ourselves.


Will stopping BTAgent software stop these Attacks

No. BTAgent is just misdirection. It is not required or directly used in the attacks. It can be used to update the firmware of a target modem should the attacker need specific functionality on the modem, but this would be unusual. So, killing BTAgent does not help (you should kill it anyway).

Is it possible that BT is unaware of this

No, this is their firmware, controlled by BT, published by BT, updated by BT; they also lock the modems.

My equipment is completely different?

The Hack is an NSA/GCHQ Global Strategy and its architecture is independent of a specific make or model of modem or mobile phone; it is also independent of the transport method, e.g. dial-up vs. ADSL, DOCSIS, VDSL, Cable modem etc. It sits at the top of the stack (TCP/UDP etc), so however you connect, it connects. Each implementation will vary and improve with each generation. You should only use fully open source firmware that is publicly verified.

I've never done anything wrong

Yes you have, you have allowed hackers to enter your home network and plant malware that infects your computers, which may now have become part of a zombie army with tentacles controlled by the NSA/GCHQ. This is worse than any virus or worm you can imagine.

How can I verify this myself

Following the instructions in the following sections; you can also create simulations off-line, but that is more technical.

I would like to donate and support your work

Thank you, please see the last page of this document for details.


How you can verify

The following section explains how you can confirm that your modem has the GCHQ/NSA back door. In these examples, we use two BT OpenReach white modems (but more accurately described as BT Overreach), models: Huawei EchoLife HG612 and ECI B-FOCuS VDSL2 modem. These two look almost identical. The HG612 is an earlier model.

The process of confirmation is slightly different for each modem. We will show two ways to verify the back door: the first is something anyone can do and requires just the ping command. The second requires reflashing the firmware so you can login to the modem itself.
Claims of Huawei modems (Left) having back-doors are false; the vendor (e.g. BT) builds and installs the OS for these modems. Huawei simply provided hardware. ECI Telecom Ltd is the provider of the second modem (Right) – the more dangerous of the two.


Easy Confirmation

Step 1. Remove power from the modem and disconnect the telephone line.
Step 2. On your PC (assumed Linux) add an IP address 192.168.1.100, i.e:
# ifconfig eth0:1 192.168.1.100 up
Step 3. Start to ping 192.168.1.1 from your PC, i.e:
# ping 192.168.1.1
Step 4. Connect a network cable to LAN1.
Step 5. Plug in the power cable to the modem and wait for about 30 seconds for the device to boot; you will then notice:
64 bytes from 192.168.1.1: icmp_seq=115 ttl=64 time=0.923 ms
64 bytes from 192.168.1.1: icmp_seq=116 ttl=64 time=0.492 ms
64 bytes from 192.168.1.1: icmp_seq=117 ttl=64 time=0.514 ms

You may notice up to ten responses, then it will stop. What is happening is the internal Linux kernel boots, the start up scripts then configure the internal and virtual interfaces and then turn on the hidden firewall, at which point the pings stop responding. In other words, there is a short window (3-10 seconds) between when the kernel boots and the hidden firewall kicks in. You will not be able to detect any other signs of the hidden network without actually logging into the modem, which is explained in the next section.
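To put a number on the reply window these steps describe, here is an added example (not code from the original document) that parses ping output and reports how many replies arrived and how many seconds they spanned. It assumes the modem answers on 192.168.1.1 and that the PC address from Step 2 is already configured; the three sample reply lines are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the original document: measure the boot-time
# reply window described in the Easy Confirmation steps. Assumed values:
# the modem answers on 192.168.1.1 and the PC already has 192.168.1.100
# configured on eth0:1 as in Step 2.
MODEM="${MODEM:-192.168.1.1}"

# Read ping output on stdin and summarise it: number of replies, first and
# last sequence numbers, and the span in seconds (one probe per second, so
# a seq gap is a second). Handles both iputils (icmp_seq=) and BusyBox (seq=).
reply_window() {
    awk '
        /bytes from/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(icmp_)?seq=[0-9]+$/) {
                    split($i, kv, "=")
                    seq = kv[2] + 0
                    if (n == 0) first = seq
                    last = seq
                    n++
                }
            }
        }
        END {
            if (n == 0) { print "replies=0 window_s=0"; exit }
            printf "replies=%d first=%d last=%d window_s=%d\n", n, first, last, last - first + 1
        }'
}

# Classify a summary line: "no-window" (the modem never answered),
# "short-window" (a burst of at most 10 seconds, the symptom described
# above) or "continuous" (it kept answering, so nothing closed the port
# after boot).
classify() {
    replies=$(printf '%s' "$1" | sed -n 's/.*replies=\([0-9]*\).*/\1/p')
    window=$(printf '%s' "$1" | sed -n 's/.*window_s=\([0-9]*\).*/\1/p')
    if [ "${replies:-0}" -eq 0 ]; then
        echo "no-window"
    elif [ "${window:-0}" -le 10 ]; then
        echo "short-window"
    else
        echo "continuous"
    fi
}

# Live use: start this before powering the modem on (Steps 4-5); it sends
# one probe per second for $1 seconds (default 60) and prints the verdict.
watch_boot() {
    limit="${1:-60}"
    summary=$(ping -c "$limit" "$MODEM" 2>/dev/null | reply_window)
    echo "$summary"
    classify "$summary"
}

# Constructed sample: the three reply lines quoted on this page, used to
# exercise the parser offline.
SAMPLE_PING='64 bytes from 192.168.1.1: icmp_seq=115 ttl=64 time=0.923 ms
64 bytes from 192.168.1.1: icmp_seq=116 ttl=64 time=0.492 ms
64 bytes from 192.168.1.1: icmp_seq=117 ttl=64 time=0.514 ms'

demo() {
    printf '%s\n' "$SAMPLE_PING" | reply_window
}
```

`demo` reports replies=3 first=115 last=117 window_s=3, which `classify` labels short-window. A modem that answers for the whole run is reported as continuous, and one that never answers as no-window, so the script distinguishes the symptom described above from a modem that is simply still booting.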


Hard Confirmation

Method 1: (no firmware modification required)

For this method, you need to connect a USB to serial port to the serial port pins on the modem motherboard as detailed here: http://hackingecibfocusv2fubirevb.wordpress.com/
If you are unable to use this method because it requires opening the modem, please use method 2.

Method 2: (public firmware modification required)

For this method, you will need to re-flash the modem by following the instructions in the document called hg612_unlock_instructions_v1-3.pdf which is available from:
http://huaweihg612hacking.files.wordpress.com/2011/11/hg612_unlock_instructions_v1-3.pdf
Or you can navigate to: http://huaweihg612hacking.wordpress.com/ and click “Unlocked Firmware Images for Huawei HG612” on the right panel. Once you have re-flashed your modem, you will be able to login to the modem via telnet as follows.

Note: If your network is not 192.168.1.0, you will need to add the IP address to your PC as explained previously, i.e.
# ifconfig eth0:1 192.168.1.100 up
# telnet 192.168.1.1, then login Username: admin, Password: admin
# then type: shell
# to get the BusyBox shell prompt.

Your telephone line (RJ11) cable should remain disconnected. To prevent your device's firmware from being updated, disable the following components, as they are not required for confirmation. Kill the pid of the /bin/sh /BTAg­ent/ro/start process (See UN-Hack later):
# kill pid
# killall tftpd sshd MidServer btagent



You will be surprised to learn there exist 16 network interfaces inside the device; most are legitimate, but others are part of The Hack.
All IP + MAC addresses have been redacted to protect victims' identities.
# ifconfig -a
br0       Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2  <--redacted MAC address
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

br1       Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

dsl0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          [NO FLAGS]  MTU:0  Metric:1

eth0      Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0.2    Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
          BROADCAST MULTICAST  MTU:1500  Metric:1

eth0.3    Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
          BROADCAST MULTICAST  MTU:1500  Metric:1

eth0.4    Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0.5    Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

imq0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING NOARP  MTU:16000  Metric:1

imq1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING NOARP  MTU:16000  Metric:1

imq2      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING NOARP  MTU:16000  Metric:1

pktcmf_sa Link encap:UNSPEC  HWaddr FE-FF-FF-FF-FF-FF-FF-FF-00-00-00-00-00-00-00-00
          UP NOTRAILERS RUNNING NOARP  MTU:0  Metric:1

pktcmf_sw Link encap:UNSPEC  HWaddr FE-FF-FF-FF-FF-FF-FF-FF-00-00-00-00-00-00-00-00
          UP NOTRAILERS RUNNING NOARP  MTU:0  Metric:1

ptm1      Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ptm1.101  Link encap:Ethernet  HWaddr 10:C6:1F:C1:27:A2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ptm1.301  Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A3
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1


Let's examine the routing table:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0

# ip route show
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1

# netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 192.168.1.1:23         192.168.1.100:57483    ESTABLISHED  # telnet
tcp        0      0 127.0.0.1:2600         127.0.0.1:33287        ESTABLISHED  # Z->rip
tcp        0      0 127.0.0.1:33287        127.0.0.1:2600         ESTABLISHED  # rip->Z
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags  Type       State       I-Node Path
unix  3      [ ]    STREAM     CONNECTED   766    /var/BtAgentSocket  # SPIES Socket

Let's see what processes are running (duplicate and uninteresting lines removed for brevity):

# ps
  PID  Uid     VSZ Stat Command
    1    0     336 S    init
  101    0         SW   [dsl0]
  116    0         SW   [eth0]
  127    0     504 S    mc
  131    0     380 S    /bin/msg msg
  136    0    1124 S    /bin/dbase
  146    0    1680 S    /bin/cms
  147    0    1148 S    /bin/cwmp
  191    0     328 S    zebra -f /var/zebra/zebra.conf
  193    0     332 S    ripd -f /var/zebra/ripd.conf
  548    0     396 S    dhcpc -i ptm1.301 -I ptm1.301   <--HELLO?
  552    0     504 S    monitor
  570    0     348 S    dnsmasq --conf-file=/var/dnsmasq.conf
  733    0     248 S    tftpd -p 69
  741    0     292 S    sshd -E   <-- HELLO?
  762    0    1136 S    MidServer
  766    0     380 S    /bin/sh /BTAgent/ro/start
  780    0     832 S    ./btagent

All looks innocent at first. Now, let's plug in the telephone line cable and wait a few seconds:


NOTE: We have redacted some IP addresses assigned to us by the attacker; xx = redacted address.

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
30.150.xx.0     0.0.0.0         255.255.xxx.0   U     0      0        0 ptm1.301
0.0.0.0         30.150.xx.1     0.0.0.0         UG    0      0        0 ptm1.301   <-Default?

# ip route show
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
30.150.xx.0/21 dev ptm1.301  proto kernel  scope link  src 30.150.xx.xx
default via 30.150.xx.1 dev ptm1.301

We have a new IP address on VLAN 301; this is before any computers are connected and before the PPPoE discover command has been issued from the LAN connected Hub or PC. The default route sends all traffic to the attacker by default = 30.150.xx.1. How close is the attacker? Very close, 7ms:

# ping 30.150.xx.1
PING 30.150.xx.1 (30.150.xx.1): 56 data bytes
64 bytes from 30.150.xx.1: seq=0 ttl=64 time=7.174 ms
64 bytes from 30.150.xx.1: seq=1 ttl=64 time=7.648 ms
64 bytes from 30.150.xx.1: seq=2 ttl=64 time=7.685 ms

NOTE: You are now pinging the NSA/GCHQ

Now let's see what is happening at a socket level (comments on the right after #):

# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 0.0.0.0:161            0.0.0.0:*              LISTEN       # This is BTAgent
tcp        0      0 127.0.0.1:2600         0.0.0.0:*              LISTEN       # This is Zebra Router
tcp        0      0 127.0.0.1:8011         0.0.0.0:*              LISTEN       # Transparent tproxy
tcp        0      0 30.150.xx.xx:8081      0.0.0.0:*              LISTEN       # This NSA/GCHQ Services
tcp        0      0 0.0.0.0:53             0.0.0.0:*              LISTEN       # This is DNS
tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN       # This is SSH Server
tcp        0      0 0.0.0.0:23             0.0.0.0:*              LISTEN       # This is TELNET
tcp        0     55 192.168.1.1:23         192.168.1.100:57484    ESTABLISHED  # This telnet session
tcp        0      0 127.0.0.1:2600         127.0.0.1:36825        ESTABLISHED  # This is zebra-rip
tcp        0      0 127.0.0.1:36825        127.0.0.1:2600         ESTABLISHED  # This is rip->zebra
udp        0      0 0.0.0.0:69             0.0.0.0:*                           # TFTP Server for upgrades
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags  Type       State       I-Node Path
unix  3      [ ]    STREAM     CONNECTED   766    /var/BtAgentSocket  # Special Agent BT

The device is now awaiting the hub/PC to issue a PPPoE discover request, at which point you will receive your “Real Public IP”. At this point the attacker has complete control of the modem and your LAN; extra firewall rules are added the moment the ptm1.301 VLAN device is enabled by the dhcpc command.
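As an added example that is not part of the original document, the checks above can be turned into a small audit that runs in the modem's BusyBox shell or over saved output. It assumes a modem that is only bridging should carry routes on br0 alone and listen only on 127.0.0.1 or 192.168.1.1; the sample route and netstat text is transcribed from the dumps above, with the page's xx redactions kept.

```shell
#!/bin/sh
# Added example, not from the original document: audit the state the
# route/netstat dumps above reveal. Each check reads command output on
# stdin, so the same code runs against a live modem shell
# (ip route show; netstat -an) or against saved text. Assumption: on a
# modem that is only bridging, every route should sit on the LAN bridge
# and every listener should be bound to loopback or the LAN address.
LAN_IF="${LAN_IF:-br0}"
LAN_ADDR="${LAN_ADDR:-192.168.1.1}"

# Routes (ip route show format): report any route whose device is not the
# LAN bridge. A default route over a VLAN sub-interface (ptm1.301 on this
# page) means the modem has its own upstream IP path before any PPPoE
# session from the LAN exists.
suspicious_routes() {
    awk -v lan="$LAN_IF" '
        {
            dev = ""
            for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != "" && dev != lan)
                print ($1 == "default" ? "DEFAULT_ROUTE" : "ROUTE") "\t" $1 "\tdev=" dev
        }'
}

# Listeners (netstat -an format): report TCP listeners and UDP sockets bound
# to anything other than loopback or the LAN address. 0.0.0.0 counts as
# exposed because it includes the upstream VLAN interfaces.
exposed_listeners() {
    awk -v lan="$LAN_ADDR" '
        ($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
            n = split($4, a, ":")
            addr = a[1]; port = a[n]
            if (addr != "127.0.0.1" && addr != lan)
                print "LISTEN\t" $1 "\t" addr ":" port
        }'
}

# Run both checks over two blobs of saved output. Prints the findings (or
# "clean") and returns 1 when anything was found, so it can gate a script.
audit() {
    findings=$(
        printf '%s\n' "$1" | suspicious_routes
        printf '%s\n' "$2" | exposed_listeners
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "clean"
}

# Number of findings for the two blobs (0 when clean).
count_findings() {
    audit "$1" "$2" | awk '!/^clean$/ { n++ } END { print n + 0 }'
}

# Constructed samples, transcribed from the dumps on this page (xx are the
# page's own redactions). Live use: audit "$(ip route show)" "$(netstat -an)"
ROUTES_BEFORE='192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1'
ROUTES_AFTER='192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
30.150.xx.0/21 dev ptm1.301  proto kernel  scope link  src 30.150.xx.xx
default via 30.150.xx.1 dev ptm1.301'
NETSTAT_AFTER='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 0.0.0.0:161            0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:2600         0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:8011         0.0.0.0:*              LISTEN
tcp        0      0 30.150.xx.xx:8081      0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:53             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:23             0.0.0.0:*              LISTEN
tcp        0     55 192.168.1.1:23         192.168.1.100:57484    ESTABLISHED
udp        0      0 0.0.0.0:69             0.0.0.0:*'
```

Over the "before" state the audit prints clean; over the state after the telephone line is plugged in it lists the two ptm1.301 routes and six exposed listeners (161, 8081, 53, 22, 23 and UDP 69), eight findings in all. Run it again after the UN-Hack steps later in this document: once ptm1.301, its default route and the listeners are gone it prints clean and returns 0.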



The UN-HACK
If you are able to login to your router (via serial port or LAN), there is a defense which will prevent ALL the attacks using The Hack. This will unhack the modem and needs to be done after each reboot.

Step 1. Unplug the telephone cable and boot the Modem, then login and issue the following commands; the hash is the prompt (don't type that):

Kill the following processes:
# killall zebra ripd dnsmasq tftpd sshd MidServer
Kill the pid of the /bin/sh /BTAgent/ro/start process:
# kill 766
Now, kill all of the BTAgent processes:
# killall btagent

Unmount the BTAgent partition:
# umount /usr/BTAgent
Remove the attacker's VLAN 301:
# vconfig rem ptm1.301
Kill the rogue dhcpc process with force (-9) or it will re-spawn:
# killall -9 dhcpc
Remove all hidden firewall rules:
# iptables -F -t mangle
# iptables -F -t nat
# iptables -F

Step 2. Plug in the telephone cable and the DSL will connect to BT (without the NSA/GCHQ listening).

Step 3. Now start your PPPoE session from your second Linux firewall machine as per the instructions for Inbound Defense and Outbound Defense as applicable, and enjoy your privacy.



Special Agent BT
This “special” software, called BTAgent, is installed on all modems provided by BT.

This software listens on port 161, which is the IANA assigned port for Simple Network Management Protocol (SNMP); anyone looking at this process would automatically assume this to be the case. SNMP type programs are often referred to as SNMP Agents. The primary purpose of BTAgent is unpublished, but a version has been partially reverse engineered and the software does download firmware and update the modem's flash. BT's response to queries about their BTAgent is to claim that they need to “remotely manage modems for security purposes”. User concerns with BTAgent:

1. It's closed source
2. Users cannot turn it off
3. The secretive nature and responses from BT
4. Users cannot upgrade the firmware using BTAgent
5. Port 161 is open to the public internet

The second (special) purpose of the BTAgent is purely reverse psychology, designed to keep you wondering about it and to cause you to waste your time reverse engineering it, when it may well be what it says on the tin; while you're thinking about BTAgent you're not thinking about the other network interfaces such as ptm1.301 and the dhcpc requests, which all look innocent but actually perform the dirty deeds right in the open. When you reverse engineer BTAgent and publish your results, this allows the NSA/GCHQ to target you for other types of attacks. We should remember that with a single firmware update from BTAgent, it could morph itself into what we originally feared!


Psychological and Physical Barriers


The NSA/GCHQ will do anything and everything to stop The Hack being discovered. The first step is to deal with the majority of users and prevent them from even thinking about opening it up or even touching the modem. Some of the suggestions listed here may seem extreme, but the less interest created in this box, the less attention it receives from consumers.

1. It's a white box; psychologically it's not a “black box” so it should be safe
2. It comes in a plain brown cardboard box, which contains no words or graphics whatsoever, with a single white bar-code label with make/model of the modem
3. The BT engineer personally carries and installs it in your home, while other components such as the BT Home Hub, the more expensive component, are sent through the postal system. BT cannot leave this shiny white modem hanging around for a week while they allocate your connection; you may try to open it or do research about it online, and they want to know who is researching it
4. The telephone socket (RJ11) is designed such that when you plug in the telephone cable, it becomes very difficult to remove it, much more so than a standard telephone RJ11. It's not just a case of pinching the lever; you have to pinch and push further in, then remove. This is subtle, but it will prevent a lot of people from even attempting to disconnect the telephone cable, just in case they break it
5. The older model was easy to open, just a few screws; the newer model is almost impossible to open because it is clip locked closed, meaning that you will damage it if you attempt to open it
6. Red Warning Sticker on the back – “Don't cover Air Holes”, wise but scary
7. The only documentation is a single piece of white paper detailing how it should be mounted; there are no instructions about which cables go where, this is designed never to be touched
8. All internal serial port headers are removed so you can't easily hack it
9. The modem is plain white and square, extremely uninteresting, boring: “Nothing to see here, move along”

All of this subtle “Anti-Marketing” for the most advanced BT product?



Social Attacks on Engineers


Having discovered the attack architecture and disabled it, we decided to visit some forums online; we were interested to see if anyone, anywhere, is close to uncovering The Hack, and how the NSA/GCHQ react to such issues. Generally, there are engineers chatting and sharing pictures of their modems and how they solder wires on to the (usually hidden) serial ports; the discussion usually leads to logging in and gaining root access on the modem, or replacing the firmware altogether. When engineers start to get really close, something extraordinary usually happens, almost like "superman to the rescue": someone who is highly qualified, someone who has built up a reputation as an ethical hacker/security expert, introduces themselves and produces what appears to be a major breakthrough in gaining access to the modems. However, because of the "ethical" element, superman, instead of sharing the method, contacts BT, or BT contacts superman directly, and they agree to allow BT to fix the flaw (e.g. giving BT a 30 days head start), after which superman will publish the method he used. All things being equal, this is fair enough, but things are not all equal, because this was a complete smoke screen, played out to discourage the engineers from further development, knowing that in a few weeks "superman" will give them access. Many of the engineers/enthusiasts waiting end up getting caught by upgrades of their modems' firmware, which then locks them out of the game. This is a cat and mouse game, and engineers should be very wary of those bearing gifts; their agenda is to slow you down and prevent you from making any progress, hoping you will just give up. You can clearly see this on the BT forums as well as others such as http://www.psidoc.com, http://www.kitz.co.uk/, http://community.bt.com and others. Reverse engineering is legal, legitimate and a great source of innovation.



Counter-Intelligence
The NSA/GCHQ et al. have been watching and attacking us; it's about time we turned the tables, started defending ourselves and also started watching them. This section is not going to detail specific techniques, but rather suggest overall approaches, some of which we have done over a period of months.

NSA Honeypots

Now we understand the attack architecture, we can simulate the modem in a MIPS Virtual Machine (BTAgent is not required). We can route the NSA/GCHQ traffic to your lab and just let them hack away in a private cloud while we log traffic, including how they attempt to use their back doors and other dirty tricks. You will need to forward and tap VLAN 301 (in the case of BT et al.) to the virtual modem, where you can analyse its traffic in real time or offline; you should always store whatever information you gather forever (just like they do). After gathering enough evidence, you can then publicize it and take legal action; your logs can be used in court when you sue the conspirators and co-conspirators under the "Computer Misuse Act 1990" as well as other laws.
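As an added example (not part of the original disclosure, and not BT's or anyone else's code), the following Python script shows the first-pass triage a practitioner would run over frames captured from the VLAN 301 tap described above. It parses the 802.1Q tag and the IPv4/TCP/UDP headers, then flags anything tagged with the hidden VLAN, anything to or from the 30.0.0.0/8 (US DoD) and 25.0.0.0/8 (UK MoD) blocks this update discusses, and anything touching TCP 8081 (the hidden receiver) or UDP 161 (SNMP, used by BTAgent). The sample frames, MAC addresses and IP addresses are constructed; the VLAN number, address blocks and ports are the document's indicators and are treated here as assumptions about the attacker network, not verified facts.

```python
"""Triage of frames tapped from the modem's VLAN 301 in a honeypot lab.

Added example, not code from the original disclosure.  Assumptions (all for
illustration): the capture is a list of raw Ethernet frames; the hidden
management VLAN is 301; attacker-side addresses fall in 30.0.0.0/8 (US DoD)
or 25.0.0.0/8 (UK MoD); the indicator ports are TCP 8081 (hidden receiver)
and UDP 161 (SNMP, BTAgent).  The sample frames below are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

HIDDEN_VLAN = 301
SUSPECT_BLOCKS = [ipaddress.ip_network("30.0.0.0/8"),   # US DoD, as the document states
                  ipaddress.ip_network("25.0.0.0/8")]   # UK MoD, as the document states
INDICATOR_PORTS = {("tcp", 8081): "hidden RPC receiver",
                   ("udp", 161): "SNMP (BTAgent)"}
ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800


@dataclass
class Flow:
    vlan: Optional[int]
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    reasons: List[str] = field(default_factory=list)


def parse_frame(frame: bytes) -> Optional[Flow]:
    """Decode Ethernet (+ optional 802.1Q tag) / IPv4 / TCP|UDP headers.

    Returns None for anything else (ARP, IPv6, ICMP, truncated frames)."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18        # low 12 bits of the TCI are the VID
    if ethertype != ETH_P_IPV4 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    proto_num = frame[off + 9]
    src = str(ipaddress.IPv4Address(frame[off + 12:off + 16]))
    dst = str(ipaddress.IPv4Address(frame[off + 16:off + 20]))
    l4 = off + ihl
    if proto_num not in (6, 17) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return Flow(vlan, "tcp" if proto_num == 6 else "udp", src, sport, dst, dport)


def triage(frame: bytes) -> Optional[Flow]:
    """Attach a reason for every indicator the flow matches (no reasons = benign)."""
    flow = parse_frame(frame)
    if flow is None:
        return None
    if flow.vlan == HIDDEN_VLAN:
        flow.reasons.append(f"tagged with hidden VLAN {HIDDEN_VLAN}")
    for role, addr in (("src", flow.src), ("dst", flow.dst)):
        ip = ipaddress.ip_address(addr)
        flow.reasons += [f"{role} {addr} in {net}" for net in SUSPECT_BLOCKS if ip in net]
    for role, port in (("dst", flow.dport), ("src", flow.sport)):
        label = INDICATOR_PORTS.get((flow.proto, port))
        if label:
            flow.reasons.append(f"{role} port {port}: {label}")
    return flow


def build_frame(src, dst, proto, sport, dport, vlan=None) -> bytes:
    """Construct a minimal frame for the sample capture (checksums left zero)."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # constructed MACs
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    hdr += struct.pack("!H", ETH_P_IPV4)
    l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == "tcp" else b"\x00\x08\x00\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     6 if proto == "tcp" else 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + ip + l4


# Constructed sample capture: what a tap on the modem's WAN side might show.
SAMPLE_CAPTURE = [
    build_frame("30.150.1.2", "30.150.200.10", "tcp", 41000, 8081, vlan=301),  # C2 to hidden listener
    build_frame("8.8.8.8", "30.150.200.10", "udp", 55000, 161, vlan=301),      # SNMP poll from outside
    build_frame("192.168.1.10", "93.184.216.34", "tcp", 50000, 443),           # ordinary user traffic
    build_frame("25.10.0.1", "192.168.1.254", "tcp", 22, 33000),               # MoD block, untagged
]


def suspicious_flows(frames: List[bytes]) -> List[Flow]:
    """The records worth keeping (forever, as the text says)."""
    return [f for f in map(triage, frames) if f is not None and f.reasons]


if __name__ == "__main__":
    for f in suspicious_flows(SAMPLE_CAPTURE):
        print(f"{f.proto} vlan={f.vlan} {f.src}:{f.sport} -> {f.dst}:{f.dport}  {'; '.join(f.reasons)}")
```

Feed it real frames from the tap (a pcap read with scapy's rdpcap, or a raw AF_PACKET socket bound to the mirror port) and keep the full frames of every flagged flow, not just the summary line; the summary is for triage, the raw capture is what you would need later.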


About the Authors

The authors of this document wish to remain anonymous. However, we are fully prepared to stand in a court of law and present our evidence. We are a group of technical engineers; we are not associated with any activist groups whatsoever. We don't have a name, but if we did it would probably be "The Adversaries", according to the NSA/GCHQ.

Our Mission

Freedom is only appreciated when lost. We are on the brink of an irreversible totalitarian multi-government regime and, even though the European Parliament has stated that citizens should not have to defend themselves against state-sponsored cybercrime, the fact remains that our own governments continue to attack us in our own homes while we sleep. Our mission is defensive and legal. Our objectives are to expose the sources and methods used by those that harm our personal freedoms and rights, and to provide practical information to individuals around the world allowing them to defend themselves against such cyber attacks. We believe this, as well as future disclosures, to be in the public interest.

Donations

Our ongoing work is technical, slow, tedious and expensive; any donations are very welcome. We only accept bitcoins at this time.

bitcoin:1D6zj37DS2mPTPm9u7TqS5ocddPzRjmau8

You can also support us by sending this document to a friend or hosting it on your website.

Licensed under the Creative Commons Attribution-NoDerivs (CC BY-ND)


UPDATE 2

Documents released by Der Spiegel have confirmed our own findings; the original sources can be found here:
http://www.spiegel.de/international/topic/united_kingdom/
http://www.spiegel.de/international/topic/united_states/

The very fact that we reported these back doors exactly as described in these new leaks proves that our claims are legitimate and true. This is exactly what we uncovered in BT's modems: the architecture, design and attackers' networks are exactly as we illustrated in our diagrams, descriptions and list of capabilities. We verified our results by purchasing and testing many modems, directly from BT as well as from third-party sources, all of which had the back doors as described. The individual Der Spiegel documents relating to our claims can be found here:
Backdoors (NSA/GCHQ) - Verification Document
Firewalls - http://cryptome.org/2013/12/nsa-ant-firewalls.pdf
Routers - http://cryptome.org/2013/12/nsa-ant-router.pdf
QFIRE Attack Networks - http://cryptome.org/2013/12/nsa-qfire.pdf
BULLRUN (NSA) and EDGEHILL (BULLRUN, GCHQ) - http://cryptome.org/2013/09/nsa-bullrun-2-16-guardian-13-0905.pdf, http://cryptome.org/2013/09/nsa-decrypt-guardian-13-0905.pdf, http://cryptome.org/2013/09/nsa-bullrun-brief-nyt-13-0905.pdf
Public Comments - http://cryptome.org/2013/12/full-disclosure-comments.htm


U.S. DOD IP Addresses

We have always encouraged everyone to confirm our claims for themselves, yet so-called "Security Experts" dispute our claims in defense of BT; for example, Robert Graham of Errata Security. His BT defense is here:
http://blog.erratasec.com/2013/12/dod-address-space-its-not-conspiracy.html

Robert states:

"To be clear, that paper contains nothing that is evidence of NSA spying. I may have missed something, because I only skimmed it".

Robert, Security Experts don't miss things like huge open backdoors! Robert even suggests that we should disregard RFCs and BCPs in favor of just re-using so-called un-allocated network address space (that's allocated to the Government) as "The way to Go". Thank you, Special Agent Robert. We advise he read RFC 1918, http://tools.ietf.org/html/rfc1918. At least when Sprint was caught out in 2011, they admitted to routing consumer traffic through the D.O.D.:
http://www.androidcentral.com/sprint-internet-dept-defense-and-you

U.K. MOD IP Addresses

More recently, a YouTube video was published in which U.S. mobile phone users are starting to check their IP addresses and discovering that they belong to the U.K. Ministry of Defence (MOD) as well as the U.S. DOD network.
http://www.youtube.com/watch?v=0W1ycfbKgqc
(User comments list many such address blocks, not just 30/8 & 25/8).

The question a "Real Security Expert" should ask is: why provide U.K. IP addresses to Americans and U.S. IP addresses to the British? The answer is of course simple: it allows the Government to by-pass the laws of both countries. Essentially, this is the equivalent of creating a false paper trail, allowing the NSA to get the GCHQ to by-pass the U.S. Constitution and the GCHQ to get the NSA to by-pass the European Convention on Human Rights. As we know they do, from other published revelations.


IP traffic is not actually routed from the U.S. to the U.K. or vice versa, because the latency (round-trip delay) would be too high. But using IP blocks from partner countries allows these Governments to claim that they do not spy on their own citizens; for example, GCHQ would not attack a public U.K. IP address, but may attack a U.S. IP address. The opposite is also true: the U.S. can claim that they do not attack U.S. IP addresses, but may attack U.K. IP addresses. Get the picture! The Government's proof that it does not spy on its own citizens will be that they use industry-standard tools such as MaxMind IP geo-location databases etc. to confirm foreign-jurisdiction IP addresses, knowing full well that American targets have been assigned foreign IP addresses, allowing the NSA/CIA to legitimately target Americans.

Locations of Attacker Networks

While an IP address may well be foreign, it is under the control of the NSA SCS SCIF site operating within local Embassies and Consulates (according to their documents). Within the UK, it's probably located within GCHQ.

We now know where the attackers' network infrastructure is located. This also explains the low-latency ping times we reported (8 ms) within the UK.

In the following NSA diagram:

1. Yellow Dots depict compromised firewalls, routers, i.e. your modem
2. Red Dots are the location of the attackers' networks as per SCS Global
3. Red Dashed Lines represent hidden network paths
4. Black Solid Lines represent Fibre Optic Cables

The above diagram is from 2012 and states ~50,000 implants, but this list does not include the UK, CAN, NZL and AUS (the other Eyes). Given that BT et al. is the largest provider of compromised firewall/router modems in the UK, the actual number is in the millions. As a side note, we stated:

"But worse is the fact that this architecture is designed for Cyber Attacking in addition to passive monitoring, as we will detail next."

Now we discover they even have a logo for this!

Next, we see:

1. DoD Network - you know, the one that's unused; yep, that one.
2. Green Dots - Passive SIGINT (Real-Time Active Traffic Monitors)
3. Red Dots - Active Defense (i.e. Attack!)
4. Blue Dots - Compromised router/firewall/modems, "Implants (TAO)", being remotely controlled by the attackers.

Titled: "Provides Centralized automated command/control of large network of active implants". Now do you believe our claims about your second hidden network? No? Well, read on.


The following diagram is within the attackers' network directly attached to your BT (or other ISP) modem.

1. Top left corner is the Attackers' gateway (i.e. the BT modem's default route)
2. Thick Blue Lines are the Attackers' network, located in the SCS SCIF site operating within local Embassies and Consulates
3. The virtual machines (VM1-VM4) are the command and control logic; this sends requests to your BT modem via the hidden network to inject routes or issue other requests to route specific or all traffic for MITM attacks. It should be noted that the attacker can also simply telnet/ssh to your modem as well.

We previously stated the following:


tcp 0 0 30.150.xx.xx:8081 0.0.0.0:* LISTEN # This NSA/GCHQ Services

This is the RPC/RML receiver TCP port (8081) on the BT modem's hidden IP address, which receives the above command and control requests from the Attacker. Still not convinced? Read on...


Unclassified TAO Covert Network

Covert = hidden. Remember BT VLAN 301? It goes from your home router to BT to GCHQ (or your local NSA SCS), as shown in the previous and right-hand diagrams. The 1st generation modems don't use a VPN, which is why we did not mention it. However, the 2nd generation do have an IPSec VPN built in (and other interesting stuff). The use of a VPN is to hide the attackers' activities from counter-surveillance.

The same document also refers to the TAO Covert Network as CovNet, a.k.a. MIDDLEMAN (Man In The Middle).

Surely you're convinced now? No? Read on.


In this diagram we see your BT Modem! (bottom right)

The left-hand side is the Attacker network infrastructure. The "Internet Option A" is almost certainly used exclusively for GSM-type (RF = Radio Frequency) mobile phones and GSM-based control devices. Option A devices can only receive commands; they cannot return data directly. They can do things like Turn on Microphone, Take Picture, Transmit SMS-protected data via SMS, etc. Ask your mobile phone provider/maker for a complete list of features in your phone (a good case for an OSS GSM module). Option B concerns routers/firewalls/modems. Now take a close look: you will see the Wireless Access Point (WAP), i.e. WIFI, slightly grayed, meaning the user may not have it or it's disabled; otherwise the attacker can talk to your wireless tablet/phone via your WIFI network. NAT-IP is your official BT Public IP network. Lastly, you see "wired clients" connected to any switch ports connected to your modem. All of this is exactly how we described it 1 month ago. Still not sure? Read on.

We stated that "The Hack", as we call it, is an Architecture, and regardless of router or firewall the architecture would remain the same; this strategy is known as architectural design patterns. For example:

In the above NSA diagram, the "backdoor" is a hidden network to the Attackers' (NSA/GCHQ) network (Remote Operations Centre, ROC). If you read all of the router and firewall documents released, you will notice the same methods and design re-used over and over. These slides are approx. 5 years old and cover 1st gen commercial routers, but in 2011 the 2nd gen consumer firmware was installed (at least in the UK), and in June 2013 the 3rd gen was installed in the UK. In all generations "The Hack" is the same: a covert backdoor hidden network. 5 years on, you can bet your bottom dollar this includes every smartphone, which is effectively a broadband router + phone.

Response to BT

We discovered all of these details and published them on December 4th 2013, almost a month before these new slides were released with the exact same detail (actually, much more detail), and we have now been proven correct by U.S. Government documentation. How could this be possible had we not discovered (and explained how and why we discovered) this backdoor inside all our BT modems? We know, you know, that we now knew the truth (that's spy speak!). The fact is this was never a "Conspiracy Theory", as has been claimed: we are Systems Architects, System Administrators, Security Engineers, Programmers, Pen Testers, Cryptographers, Inventors and Innovators who grew up with a free Internet in the days of SLIP/9600bps and floppy disks. We know backdoors when we see them; after all, our employers pay us to secure some of the U.K.'s most successful online businesses, just like BT. The Internet will always be for the next generation and cannot be owned or used as a weapon against the peoples of the world. But our Governments are not listening to us (well, except for the NSA/GCHQ); thanks to Mr Edward Snowden, we are reclaiming the Internet. Everyone fully understands that BT and other ISP businesses are somehow compelled to act in the way they have, and this can be forgiven and trust can be restored, if BT demonstrate their business is worthy of our trust once again. Meaning nothing short of what you would expect from us: complete openness, namely unlock all your modems, remove these backdoors as other major suppliers of routers/firewalls have agreed to do, aid innovation once again, and then it will be good to talk.

Notes:

Bruce Schneier did not contribute in any way to our research; he did, however, inspire its name, "Full Disclosure", because he called for that. "The Internet Dark Age" refers to the place the NSA/GCHQ and other Eyes will soon be living.

