Full Disclosure

The Internet Dark Age
• Removing Governments on-line stranglehold
• Disabling NSA/GCHQ major capabilities (BULLRUN / EDGEHILL)
• Restoring on-line privacy - immediately


The Adversaries Update 2

Spread the Word


On September 5th 2013,

Bruce Schneier wrote in The Guardian:

“The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability”. “The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO – Tailored Access Operations – group. TAO has a menu of exploits it can serve up against your computer – whether you're running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer. Your anti-virus software won't detect them, and you'd have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it's in. Period”.

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

The evidence provided by this Full-Disclosure is the first independent technical verifiable proof that Bruce Schneier's statements are indeed correct.

(previous readers should start on page 51) This update includes 10 pages of additional proof. Courtesy of U.S. Government.



Full Disclosure
NSA/GCHQ Sources and Methods Uncovered
We explain how NSA/GCHQ:
• Are Internet wiretapping you
• Break into your home network
• Perform 'Tailored Access Operations' (TAO) in your home
• Steal your encryption keys
• Can secretly plant anything they like on your computer
• Can secretly steal anything they like from your computer
• How to STOP this Computer Network Exploitation

WARNING!
BT Broadband Equipment Contains NSA/GCHQ Back Doors

We expose NSA/GCHQ's most Secret Weapon - Control and how you can defeat it.
Dedicated to the Whistle-Blower

Mr Edward J. Snowden.


Table of Contents
Preface ..... 6
Disclosures ..... 6
Source of this Information ..... 7
Our Laws ..... 7
Companies ..... 8
Technical Nature of this Information ..... 8
Credibility of this Research ..... 9
Privacy vs Security ..... 10
Motivation ..... 11
Terminology ..... 12
Your Home Network ..... 13
The Hack ..... 16
How it Works ..... 16
The Attacks ..... 21
Internal Network Access ..... 21
Man-In-The-Middle Attack ..... 22
All SSL Certificates Compromised in Real-Time ..... 23
Theft of Private Keys ..... 24
The Kill Switch ..... 26
Uploading/Download Content ..... 26
Hacking in to a VOIP/Video Conferences in Real-Time ..... 26
Tor User/Content Discovery ..... 27
Encrypted Content ..... 27
Covert International Traffic Routing ..... 27
Activists ..... 27
Destroy Systems ..... 27
Censorship ..... 28
Mobile WIFI Attacks ..... 28
Document Tracking ..... 28
2G/3G/4G Mobile Attacks ..... 29
Basic Defense ..... 30
Secure your end-points ..... 30
Inbound Defense ..... 31
Outbound Defense ..... 32
More Defense Tips ..... 33
MITM Defense ..... 34
TCPCRYPT ..... 35
Frequently Asked Questions ..... 36
Why Full Disclosure? ..... 36
Who should read this information ..... 36
Why does this document exist ..... 36
What about the debate, the balance? ..... 36
I'm an American, does this apply to me ..... 36

Uncovered – //NONSA//NOGCHQ//NOGOV - CC BY-ND
Will stopping BTAgent software stop these Attacks ..... 37
Is it possible that BT is unaware of this ..... 37
My equipment is completely different? ..... 37
I've never done anything wrong ..... 37
How can I verify this myself ..... 37
I would like to donate and support your work ..... 37
How you can verify ..... 38
Easy Confirmation ..... 39
Hard Confirmation ..... 40
The UN-Hack ..... 45
Barriers ..... 47
Social Attacks on Engineers ..... 48
Counter-Intelligence ..... 49
NSA Honeypots ..... 49
About the Authors ..... 50
Our Mission ..... 50
Donations ..... 50
UPDATE 2 ..... 51
U.S. DOD IP Addresses ..... 52
U.K. MOD IP Addresses ..... 52
Locations of Attacker Networks ..... 53
Notes: ..... 60



Preface

When the Government, Telecommunications companies and Internet Service Providers implant secret spying equipment in your home without your knowledge or consent under the guise of something else, then use that equipment to infect your computers and spy on your private network activity (not the internet), we believe you have a right to know. It is not possible to make these claims without actual proof and without naming the actual companies involved. These events coincide with the global surveillance systems recently disclosed, and they further confirm the mass scale of the surveillance and how deeply entrenched the Governments are in our personal lives without our knowledge. The methods we disclose are a violation of security and trust. Good Information Security (InfoSec) dictates that when we discover such back doors and activity, we analyze, understand, publicize and fix/patch such security holes. Doing otherwise is morally wrong. What is revealed here is the missing piece to the global surveillance puzzle that answers key InfoSec questions, which include: How do the NSA/GCHQ perform Computer Network Exploitation? We reveal the actual methods used by the NSA/GCHQ and others that allow them to instantly peer into your personal effects without regard for your privacy, without your knowledge and without legal due process of law, thus violating your Human Rights, simply because they can.

Disclosures

The risks taken when such activity is undertaken are “Being Discovered” and the activity being “Publicly Exposed”, as well as the “Loss of Capability”.


Source of this Information
“The simple knowledge that we may be clandestinely observed in our own homes provided the determination to find the truth, which we did.”

This information is not the result of any knowledge of classified documents or leaks, but is based on information in the public domain and our own fact finding mission due to Forensic and Network Analysis Investigations of private SOHO networks located in the UK. As we detail the methods used, you will see that information was uncovered fairly, honestly and legally and on private property using privately owned equipment.

Our Laws

There is no law that we are aware of that grants to the UK Government the ability to install dual use surveillance technology in millions of homes and businesses in the UK. Furthermore, there is no law we are aware of that further grants the UK Government the ability to use such technology to spy on individuals and families in their own homes on the mass scale that this system is deployed. If there are such hidden laws, the citizens of the UK are certainly unaware of them and should be warned that such laws exist and that such activity is being engaged in by their own Government. All of the evidence presented is fully reproducible. It is our belief that this activity is NOT limited to the UK.


Companies

BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the UK, as our evidence will demonstrate. BT have directly enabled Computer Network Exploitation (CNE) of all its home and business customers.

Technical Nature of this Information

The information described here is technical. This is because, in order to subvert technology, the attackers need to be able to fool and confuse experts in the field and keep them busy, slowing them down; but regardless, the impact and effect can be understood by everybody. Your main take away from this disclosure is to understand conceptually how these attacks work; you can then put security measures in place to prevent such attacks.


Credibility of this Research

We first made our discoveries in June 2013 and kept silent so that we could research the capabilities without being detected. As more Edward Snowden disclosures were published it became crystal clear that what we discovered is a major component of the surveillance system. Those who wish to discredit our evidence, feel free to do so, but do so on a technical level; simply claiming “it's not true” or performing some social attack simply re-enforces it and identifies the “discreditor” as an agent of the NSA/GCHQ or an agent of the global surveillance system. Our evidence is based on publicly available UNMODIFIED firmware images. To verify our claims using UNMODIFIED images requires connecting a USB-to-serial port to the modem motherboard, which allows you to login (admin/admin) and verify yourself. As most people will find this difficult, we provided a link to third party MODIFIED images based on official BT release GNU source code that allow you to telnet to the device (192.168.1.1); this modified version includes the same backdoor. These can be found here: http://huaweihg612hacking.wordpress.com/ and http://hackingecibfocusv2fubirevb.wordpress.com/ The MODIFIED images have been publicly available since August 2012, long before the Edward Snowden disclosures. The methods we published allow confirmation without having to open the device. However, if you are suspicious of the MODIFIED firmware from August 2012, simply connect to the USB serial port of your own existing unmodified modem and login to verify; either way the results will be the same.


Privacy vs Security

Loss of privacy is a breach of personal security and the legal violation of privacy is purely a consequence of that security loss. We've focused on the technical breach of security, i.e. the Computer Network Exploitation itself, and by fixing that you can restore at least some of your personal privacy. This illustrates that there is no such thing as a balance between security and privacy: you have them both or you have none.



Motivation

After studying in detail the revelations by Edward Snowden, we realized there was a large missing part of the puzzle. There has been little to nothing published on specifically how the attackers technically achieve their goals. Most information published is based on theoretical situations. If we don't know how hackers actually achieve these security breaches, we cannot defend against such breaches. For example, a slide similar to the following was published; of all the slides released, it's uninteresting and easily dismissed, as it simply describes what is commonly known as a theoretical Man-In-The-Middle attack.

The media focus of the slide is of course the Google's Servers, and your first thought might be, 'this is Google's problem to solve', but what if 'Google Server' was 'My Bank's Servers'? You would probably be more concerned, because that may directly affect you. But we thought, what if 'Google Server' was 'Any Server, Anywhere?'

Our investigation led us to uncover and understand how this attack really works in practice, how it is implemented and the hair-raising reality of its true nature, and that is: this is not just a back door, but an entire attack platform and distributed architecture.

Terminology

To ease explanation, we are going to use standard security terms from here on.

Attacker - GCHQ, NSA, BT Group or any combination.

The Hack – The technical method used by the attackers to illegally break into your home network computers and phones.



Basic Security

Your Home Network

In order to explain how these Computer Network Exploitation attacks work and how this affects you personally, we must first look at the architecture of a typical home or office network. Look familiar to you?

Most Internet connections consist of a DSL type modem and one or more Ethernet ports attached to the modem, to which you connect your computers, devices and add-on switches etc. There are two security factors in operation here: a) NAT based networking, meaning that your home computers are hidden and all share a single public IP address; b) Your modem has a built-in firewall which blocks inbound traffic. The inherent security assumption is that data cannot pass from the inbound DSL line to a LAN switch port without first being accepted or rejected by the built-in firewall.

For the technically minded, these security assumptions are further re-enforced if the modem's software is open source, e.g. using Linux, and its source code is freely and openly available as per the GNU GPL requirements. Given that the above is the most common architecture on the Internet, as it applies to almost every home and office, everywhere, let's now revisit that first slide, but this time we ask one simple question: How do the attackers get between You and Google or some other service? On closer inspection of the diagram you will notice that “Google Request” and the Attacker (Log into Router) share the same router. When this slide was released, we all assumed that this router was either Google's own router or some upstream router; that way the attacker could intercept packets and perform a Man-In-The-Middle (MITM) attack. However, this would not work for every website or service on the Internet. The attacker would need to be upstream everywhere!

So where does the attacker hide? Where is this Common Router? Again we ask: How do the attackers get between You and Google or some other service? Let's examine the diagram one last time.



You guessed it, it's right inside your house. It's the router supplied by your trusted Internet Service Provider (ISP).
If this is true, it means that you are being Internet wiretapped, because the attacker has entered your private property and unlawfully accessed your computer equipment. Unlike a lawful interception, in which a warrant is served on the third party (ISP) and the intercept happens at the ISP's property upstream and outside your property, this is happening in your home or office, without your knowledge, without your permission, and you have not been served with a search warrant as is required by law. But worse is the fact that this architecture is designed for Cyber Attacking in addition to passive monitoring, as we will detail next.



The Hack

This example is based on the UK version of what we are calling The Hack, using BT Internet services. If you are not in the UK, and regardless of the service, you should always assume that the exact same principles detailed here are always being used against you regardless of your country or ISP. The Hack is based on the fact that a second secret/hidden network and second IP address is assigned to your modem. Under normal use, you cannot detect or see this from your LAN, but the attacker has direct access to your modem and LAN in your house from the Internet.

How it Works

When the DSL connection is established a covert DHCP request is sent to a secret military network owned by the U.S. Government D.O.D. You are then part of that U.S. D.O.D. military network; this happens even before you have been assigned your public IP address from your actual ISP. This spy network is hidden from the LAN/switch using firewall rules and traffic is hidden using VLANs; in the case of BT et al, it uses VLAN 301, but other vendors' modems may well use different VLANs. The original slide has a strange number [illegible in this copy] with grey background; we think this represents the VLAN number/Vendor number, so BT would be 301. This hidden network is not visible from your “Modem's Web Interface” and not subject to your firewall rules, also not subject to any limitations as far as the switch portion of your modem is concerned, and the hidden network also has all ports open for the attacker. Other tools and services are permanently enabled inside the modem, which greatly aid the attacker, such as Zebra & Ripd routing daemons, iptables firewall, SSH remote shell server, along with a dhcp client. These tools allow the attacker to control 100% of the modem functionality from the Internet and in an undetectable manner. e.g., the attacker can forward all your DNS requests to their private network; they can selectively route specific protocols, ports or networks or everything to their network, and by default they do. Although the hidden network is owned by U.S. D.O.D., it is located within the UK, as the ping time to the attacker's IP gateway is < 8ms from within the UK. This clearly demonstrates that the UK Government, U.S. Government, U.S. Military and BT are co-operating together to secretly wiretap all Internet users in their own homes (with few exceptions). The modems are provided by BT and locked down. If you cannot confirm otherwise, you must assume that all ISPs in the UK by policy have the same techniques deployed. Your home network actually looks something like the following diagram. To the right is the WHOIS record of the network our modems are automatically connected to; yours may vary.
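As an added illustration (not code from the original disclosure), the Python below shows the kind of passive check a defender can run over a capture taken on the Ethernet link between a separate DSL/fibre modem and the router, or on a switch mirror port: it decodes 802.1Q tags, counts the VLAN IDs seen, and flags any tagged frame on a VLAN outside the set your ISP is known to use, marking DHCP client traffic (UDP 68 to 67) explicitly because the text above describes the hidden network being obtained through a covert DHCP request. The frames, the MAC addresses and the assumption that VLAN 101 is the expected PPPoE VLAN are all constructed for the example; replace them with the values observed on your own link.

```python
import struct
from collections import Counter

ETH_8021Q = 0x8100       # 802.1Q VLAN tag
ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
ETH_PPPOE_DISC = 0x8863  # PPPoE discovery stage (PADI/PADO/...)
IP_PROTO_UDP = 17
DHCP_PORTS = {67, 68}


def parse_frame(raw):
    """Split one Ethernet frame into (vlan_id or None, ethertype, payload)."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    vlan, offset = None, 14
    if ethertype == ETH_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, offset = tci & 0x0FFF, 18   # low 12 bits of the TCI are the VLAN ID
    return vlan, ethertype, raw[offset:]


def is_dhcp(ip_payload):
    """True if an IPv4 packet carries UDP between the BOOTP/DHCP ports 67 and 68."""
    if len(ip_payload) < 20 or ip_payload[0] >> 4 != 4:
        return False
    ihl = (ip_payload[0] & 0x0F) * 4
    if ip_payload[9] != IP_PROTO_UDP or len(ip_payload) < ihl + 8:
        return False
    sport, dport = struct.unpack("!HH", ip_payload[ihl:ihl + 4])
    return sport in DHCP_PORTS and dport in DHCP_PORTS


def audit_frames(frames, expected_vlans):
    """Count VLAN IDs and list tagged frames that fall outside the expected set."""
    vlan_counts = Counter()
    findings = []
    for index, raw in enumerate(frames):
        vlan, ethertype, payload = parse_frame(raw)
        vlan_counts[vlan] += 1
        if vlan is not None and vlan not in expected_vlans:
            kind = "DHCP" if ethertype == ETH_IPV4 and is_dhcp(payload) else "other"
            findings.append((index, vlan, kind))
    return {"vlans": dict(vlan_counts), "findings": findings}


# --- constructed sample data (not a real capture) ---------------------------

def build_frame(dst, src, ethertype, payload, vlan=None):
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", ETH_8021Q, vlan & 0x0FFF)  # PCP/DEI bits left at 0
    return header + struct.pack("!H", ethertype) + payload


def dhcp_discover_ipv4():
    """Minimal IPv4/UDP wrapper with the DHCP ports; the BOOTP body is a placeholder."""
    body = b"\x01" + b"\x00" * 15          # op=BOOTREQUEST, rest deliberately truncated
    udp = struct.pack("!HHHH", 68, 67, 8 + len(body), 0) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IP_PROTO_UDP, 0, bytes(4), b"\xff" * 4)  # 0.0.0.0 -> 255.255.255.255
    return ip + udp


BROADCAST = b"\xff" * 6
MODEM_MAC = b"\x02\x00\x00\x00\x00\x01"   # locally administered, made up for the example
EXPECTED_VLANS = {101}                     # assumption: the VLAN your ISP uses for PPPoE

SAMPLE_FRAMES = [
    build_frame(BROADCAST, MODEM_MAC, ETH_PPPOE_DISC, b"\x11\x09\x00\x00\x00\x00", vlan=101),
    build_frame(BROADCAST, MODEM_MAC, ETH_IPV4, dhcp_discover_ipv4(), vlan=301),
    build_frame(BROADCAST, MODEM_MAC, ETH_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
]


if __name__ == "__main__":
    report = audit_frames(SAMPLE_FRAMES, EXPECTED_VLANS)
    print("VLANs seen:", report["vlans"])
    for index, vlan, kind in report["findings"]:
        print(f"frame {index}: unexpected VLAN {vlan} carrying {kind} traffic")
```

Only the 802.1Q header and the IPv4/UDP ports are examined, so PPPoE session frames and IPv6 are counted under their VLAN but not classified further; real captures can be fed in as raw frame bytes read from a pcap file, which is deliberately left out here to keep the example dependency-free.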

The above hidden network is created automatically in all our test cases across a wide range of modems. It should be noted that even before your Point-to-Point over Ethernet (PPPoE) request is issued, this hidden network is already fully operational. So much so, that your LAN can be directly accessed even when you think your modem is off-line. This is an extremely complex and covert attack infrastructure and it's built right into your modem's firmware, which can also be updated remotely as required by the attacker using the built-in BTAgent. The Hack attack is turned on by default, but is selectively turned off for special purposes or specific dangerous customers, for example, for certain software, firmware and hardware developers/engineers (which may include you), so that these people don't discover The Hack. The attacker identifies these specific “threats” and marks their Internet connections as “NO DHCP”, such that the same dhcpc requests from their telephone lines are ignored, and while these requests are ignored, the hidden network will not appear inside their modem and is much harder to discover. Firmware engineers usually want to know if the modems are using Open Source software such as Linux and Busybox, in which case they are subject to the terms of the GNU Public License. These engineers as well as tech savvy users may wish to put their own software (e.g. OpenWRT) on these modems, maybe because they don't trust their ISP, but are prevented by their ISP for obscure reasons. Most modem providers usually violate copyright law by not releasing the source code and BT was no exception to this rule. Only by the threat of legal action did they release the source code. However, BT still prevents the modems from being updated by their customers or third parties. BT goes to extreme lengths to prevent anyone from changing the firmware, and those that come close are first subjected to Physical and Psychological Barriers explained later, and the few that overcome that are subjected to a separate NSA/GCHQ targeted Social Attack designed specifically to derail any engineering progress made; this is also explained later. These attacks are almost always successful. During these attacks, BT uses all the information discovered by the engineers to produce firmware updates that prevent anyone else using those same techniques, under the guise of security and protecting the customer, and this is performed without notice to any customers. As we move to new generations of hardware, the modems are very sophisticated and very covert, and the engineers capable of even attempting to replace the firmware become practically non-existent. As we detail, the sole purpose of locking the modem is to prevent people discovering that they are actually being wiretapped by BT on behalf of NSA/GCHQ.
As a side note, NSA describe Linux/Open Source as Indigenous and a SIGINT target.

NSA documents describe this means of SIGINT collection as:

Others include:




Your Real Network

The following is a more realistic view of your home network and what is now possible, given the attacker now has secret access to your home LAN.

It is now a simple matter to use other tools and methods available to the attacker to penetrate your internal computers; this includes:
• Steal private VPN/SSH/SSL/PGP keys
• Infect machines with viruses
• Install key loggers
• Install screen loggers
• Clone/destroy hard drives
• Upload/destroy content as required
• Steal content as required
• Access Corporate VPNs
• Clean up after operations
• Route traffic on demand (e.g. MITM)
• Censorship and Kill Switch
• Passive observation



The Attacks

This section lists the attacks on you that are now possible by the NSA/GCHQ. Later, we show how you can defend against these attacks, and it would be wise to implement our defenses with immediate effect. Unlike the revelations so far by Snowden, where the attacks occur out there somewhere on the Internet, these attacks happen in your home/office. The attacks listed are the most obvious attacks; some are mentioned in Edward Snowden revelations and referred to as Computer Network Exploitation (CNE).

Internal Network Access

The attacker has direct access to your LAN and is inside your firewall. Your modem acts as a server; it listens on lots of ports such as SSH (22) and TELNET (23), so the attacker can just hop on to it (but you cannot). This is possible because another hidden bridged interface exists with its own VLAN. Firewall rules do not apply to this interface, so the attacker can see your entire LAN and is not subject to your firewall rules, because those rules apply to the BT link (black line) not the attacker's link (red lines). When you scan your BT Public IP address from outside, you may well only see port 161 open (BTAgent, more on this later), but when scanned from the attacker's network, all necessary ports are open and with an SSH daemon running (even the username and password are the basic admin:admin). Basically the attacker is inside your home network, and ironically, in most cases, right behind your actual curtain (where the modems are usually located). This is the digital version of Martial Law with a Cyber Attack Soldier in every home in the country. The first task of the attacker is to perform a site survey and learn as much as possible about all the devices attached to your network. All your hardware can be identified by the specific MAC addresses and then fingerprinted for specific protocols and software versions. All this cannot be detected unless you are logged into your locked modem. The above is just the base platform of the NSA/GCHQ from which hundreds of types of attacks are now possible, which now include all of the following:

Man-In-The-Middle Attack

The attacker controls all outbound routes; he can easily perform an HTTPS Man-In-The-Middle attack by forwarding specific traffic for port 443 or a destination network to a dedicated MITM network which he controls (as per previous slides). The only thing required is a valid SSL certificate & keys for a specific domain (which he already has, see below). The attacker is between you and any site you visit or any service you use (not just websites), e.g. Skype, VOIP, SSH etc. The attacker simply creates a static route or, more easily, publishes a Routing Information Protocol (RIP) request to the Zebra daemon running in the router for the target network address, and your traffic for that network will then be routed to the attacker's network, undetectable by you. The attacker can then use asymmetric routing and, upon examination of the requests, he can filter specific requests he is interested in and respond to those, but let the target website server or service respond to everything else. The key here is that traffic from the target website back to the user does not then have to go via the attacker's hidden network; it can go directly back to the user's public IP (which would be logged by the ISP). MITM can be on any port or protocol, not just HTTPS (443); for example your SSH connections, all UDP or GRE, PPTP, IPSec etc. or any combination of anything.
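The route-injection step described above happens at the modem's routing daemons and is invisible from the LAN, but it does leave a trace on any link where the RIP traffic itself can be observed (UDP port 520 on the WAN-side Ethernet, or the routing daemon's own log if you control the router). As an added example, not taken from the disclosure, the Python below parses RIPv2 response datagrams as laid out in RFC 2453 and reports three things a defender would want to know: a response from a source that is not a trusted neighbour, an advertisement of a default route, and an advertisement covering a prefix you have decided must never be re-routed. The observations, the trusted neighbour address and the protected prefix are constructed sample values from documentation address ranges, not addresses taken from the document.

```python
import ipaddress
import struct

RIP_PORT = 520         # RIP uses UDP/520; the datagrams below are already demultiplexed
RIP_REQUEST = 1
RIP_RESPONSE = 2
AFI_INET = 2
AFI_AUTH = 0xFFFF      # RFC 2453 section 4.1 authentication entry


def parse_ripv2(datagram):
    """Parse one RIPv2 datagram (RFC 2453 section 4) into (command, version, routes)."""
    if len(datagram) < 4 or (len(datagram) - 4) % 20:
        raise ValueError("malformed RIP datagram")
    command, version = datagram[0], datagram[1]
    routes = []
    for off in range(4, len(datagram), 20):
        afi, tag, addr, mask, next_hop, metric = struct.unpack(
            "!HH4s4s4sI", datagram[off:off + 20])
        if afi != AFI_INET:
            continue   # authentication trailer (0xFFFF) or whole-table request (AFI 0)
        prefix = ipaddress.IPv4Network(
            f"{ipaddress.IPv4Address(addr)}/{ipaddress.IPv4Address(mask)}", strict=False)
        routes.append({"prefix": prefix, "next_hop": ipaddress.IPv4Address(next_hop),
                       "metric": metric, "tag": tag})
    return command, version, routes


def audit_rip(observations, trusted_sources, protected_prefixes):
    """Flag RIP responses from an untrusted neighbour, or that would install a default
    route or redirect a protected prefix. observations: [(source_ip, datagram_bytes)]."""
    trusted = {ipaddress.IPv4Address(s) for s in trusted_sources}
    protected = [ipaddress.IPv4Network(p) for p in protected_prefixes]
    findings = []
    for source, datagram in observations:
        source_ip = ipaddress.IPv4Address(source)
        command, _, routes = parse_ripv2(datagram)
        if command != RIP_RESPONSE:
            continue   # requests do not change the routing table
        if source_ip not in trusted:
            findings.append((str(source_ip), "untrusted-source", None))
        for route in routes:
            if route["prefix"].prefixlen == 0:
                findings.append((str(source_ip), "default-route", str(route["prefix"])))
            elif any(route["prefix"].overlaps(p) for p in protected):
                findings.append((str(source_ip), "protected-prefix", str(route["prefix"])))
    return findings


# --- constructed sample datagrams (documentation address ranges, not captures) ---

def build_ripv2_response(entries):
    """entries: [(prefix, next_hop, metric)] -> RIPv2 response bytes."""
    out = struct.pack("!BBH", RIP_RESPONSE, 2, 0)
    for prefix, next_hop, metric in entries:
        net = ipaddress.IPv4Network(prefix)
        out += struct.pack("!HH4s4s4sI", AFI_INET, 0, net.network_address.packed,
                           net.netmask.packed, ipaddress.IPv4Address(next_hop).packed, metric)
    return out


def build_ripv2_whole_table_request():
    """A request for the whole table: single entry with AFI 0 and metric 16."""
    return (struct.pack("!BBH", RIP_REQUEST, 2, 0)
            + struct.pack("!HH4s4s4sI", 0, 0, bytes(4), bytes(4), bytes(4), 16))


TRUSTED_NEIGHBOURS = ["192.168.1.1"]        # assumption: your own gateway
PROTECTED_PREFIXES = ["198.51.100.0/24"]    # e.g. a service you must always reach directly

OBSERVATIONS = [
    ("192.168.1.1", build_ripv2_response([("10.0.0.0/8", "192.168.1.1", 2)])),
    ("203.0.113.9", build_ripv2_whole_table_request()),
    ("203.0.113.9", build_ripv2_response([("198.51.100.0/24", "203.0.113.9", 1),
                                          ("0.0.0.0/0", "203.0.113.9", 1)])),
]

if __name__ == "__main__":
    for source, kind, prefix in audit_rip(OBSERVATIONS, TRUSTED_NEIGHBOURS, PROTECTED_PREFIXES):
        print(f"{source}: {kind}" + (f" ({prefix})" if prefix else ""))
```

The request from the untrusted source is parsed but produces no finding, because only responses alter a listener's table; if your own router runs a RIP daemon, the same three rules can be applied to its received-update log rather than to raw datagrams.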


All SSL Certificates Compromised in Real-Time

The security of Public Key Infrastructure (PKI) is based primarily on the security of the owners' private keys. These private keys are not necessarily required in order to perform a MITM attack. All that is required is an actual duplicate signed certificate using NSA/GCHQ's own private keys. The MITM attack can be as simple as running a transparent proxy, and you will always see a valid certificate but be unable to detect the attack. At the point of the proxy all your traffic is decrypted in real-time, at which point targeted packet injection can occur or it can simply be monitored. It makes perfect sense that the trusted Certificate Authority (CA) actually makes a second duplicate SSL certificate with a separate set of NSA provided private keys, as the CA never sees the real certificate owner's private keys. When you send your Certificate Signing Request (CSR) and order your SSL Certificate, a duplicate signed certificate is then automatically sent to the NSA and stored in their “CES Pairing database” as per Snowden releases. We must therefore assume that NSA/GCHQ already have a duplicate of every PKI certificate & key (key different from yours). This means as soon as you revoke or renew your certificate, the NSA is ready and waiting again, allowing them to do real-time decryption on almost any site anywhere across any protocol that uses PKI.
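The duplicate-certificate scenario above has a consequence a defender can act on: a certificate the CA signs for the same name but with a different key pair carries a different SubjectPublicKeyInfo, so pinning the SHA-256 hash of the SPKI (the pin format of RFC 7469) distinguishes the genuine certificate from a duplicate even though both chain to a trusted CA and both look valid. The Python below is an added example, not code from the original document: it walks the DER structure of a certificate with a minimal decoder, extracts the SPKI and compares its pin against a stored value. The certificates it checks are constructed stand-ins with placeholder fields and no real signature, built only so the decoder has something to parse; with a real server the DER bytes would come from the TLS handshake.

```python
import base64
import hashlib

SEQUENCE, INTEGER, BIT_STRING, NULL, OID, UTF8STRING, SET, UTCTIME = (
    0x30, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x31, 0x17)
CONTEXT_0 = 0xA0   # explicit [0] tag wrapping the X.509 version


def der_read(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, content, end). Definite lengths only."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def der_children(content):
    """Return [(tag, whole_tlv_bytes)] for the elements of a constructed type."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = der_read(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out


def extract_spki(cert_der):
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate."""
    tag, cert_body, _ = der_read(cert_der)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs_body, _ = der_read(cert_body)        # tbsCertificate comes first
    if tbs_tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_children(tbs_body)
    base = 1 if fields[0][0] == CONTEXT_0 else 0       # version is optional (v1 omits it)
    # after the version: serialNumber, signature, issuer, validity, subject, spki
    return fields[base + 5][1]


def spki_pin(cert_der):
    """Base64(SHA-256(SPKI)), the pin format used by public-key pinning (RFC 7469)."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def matches_pin(cert_der, pinned):
    """True if the certificate's public key is one of the pinned keys."""
    return spki_pin(cert_der) in set(pinned)


# --- constructed stand-in certificates (placeholder fields, no real signature) ---

def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def fake_certificate(public_key, with_version=True, common_name=b"example.test"):
    rsa_alg = der(SEQUENCE, der(OID, bytes.fromhex("2A864886F70D010101")) + der(NULL, b""))
    spki = der(SEQUENCE, rsa_alg + der(BIT_STRING, b"\x00" + public_key))
    name = der(SEQUENCE, der(SET, der(SEQUENCE, der(OID, bytes.fromhex("550403"))
                                               + der(UTF8STRING, common_name))))
    validity = der(SEQUENCE, der(UTCTIME, b"240101000000Z") * 2)
    tbs = b""
    if with_version:
        tbs += der(CONTEXT_0, der(INTEGER, b"\x02"))   # v3
    tbs += der(INTEGER, b"\x01") + rsa_alg + name + validity + name + spki
    signature = der(BIT_STRING, b"\x00" * 9)           # placeholder, not a real signature
    return der(SEQUENCE, der(SEQUENCE, tbs) + rsa_alg + signature)


GENUINE_CERT = fake_certificate(b"\x01" * 256)        # key bytes made up for the example
DUPLICATE_CERT = fake_certificate(b"\x02" * 256)      # same name, different key pair
PINNED = [spki_pin(GENUINE_CERT)]                      # what the client would store

if __name__ == "__main__":
    print("genuine  :", matches_pin(GENUINE_CERT, PINNED))
    print("duplicate:", matches_pin(DUPLICATE_CERT, PINNED))
```

A pin set in practice holds the current key and at least one backup key so that a planned key rotation does not lock clients out; the check is done after normal chain validation, not instead of it, so a pin mismatch on an otherwise valid chain is exactly the signal the duplicate-certificate scenario would produce.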


Uncovered – //NONSA//NOGCHQ//NOGOV - CC BY-ND Theft of ,rivate 6eys Home net/or;s are .s.all& ver& insec.re- mainl& beca.se onl& &o. or 3amil& .se them- &o.r g.ard is do/n and &o.r SSH- @4N- 4G4 - SS" ;e&s are all v.lnerable to the3t b& the attac+er and his available methods2 The )ac+ is the ;e& mechanism that enables these the3ts2 As an eEample o3 the above- i3 &o. .se the modems b.ilt-in @4N 3eat.re- &o. .s.all& add &o.r certi=cate and private ;e& to the modem or generate them both via its /eb inter3ace- at some later time- the attac+er can j.st cop& these ;e&s to the IC#S 4airing databaseJ via his private net/or;- the data collected 3rom S$G$N0 can later be decr&pted oG-line or in real-time2 $n the case o3 ;e&s eEtracted 3rom the modems b.ilt-in @4N- the IC#S 4aring databaseJ no/ contains the real ;e&/cert pair- meaning the attac;er can no/ attac; the @4N server environment directl& /hen that server /o.ld have not being eEploitable other/ise2 0he attac+er can also mas; as the gen.ine .ser b& per3orming the server attac; 3rom /ithin the .sers modem ( sing the correct so rce I/ address%this /a& nothing .n.s.al /ill appear in the @4Ns logs2 (nce inside the parameter o3 the @4N server the c&cles repeats2 :o. sho.ld assume that all I ig randJ @4Ns and ro.ters .se the eEact same attac; strateg& and architect.re /ith variances in the speci=c implementation e2g2 ig rand s.pports $4Sec- "ittle rand s.pports 4404 2 0he NSA .llr.n G.ide states1

"The fact that Cryptanalysis and Exploitation Services (CES) works with NSA/CSS Commercial Solutions Center (NCSC) to leverage sensitive cooperative relationships with specific industry partners". Specific implementations may be identified by specifying Equipment Manufacturer (Big Brand/Make/Model), Service Provider (ISP) or Target Implementation (specific modem/router implementation). In this disclosure, we are interested in "Target Implementation", because in our example case, BT has covertly implanted these devices in homes where there is an absolute expectation of privacy, whereas the other implementations exist within the ISP or large corporations in which you cannot expect privacy. It's important to remember that "Big Brands" also make small SOHO DSL and

cable modems. Further evidence of the mass global distribution of this technology to at least the 14 Eyes: USA, GBR, CAN, AUS, NZL, FRA, DEU, DNK, NLD, NOR, ESP, ITA, BEL, SWE and almost certainly many more countries. Quote from GCHQ regarding their ability to steal your private keys:

"It is imperative to protect the fact that GCHQ, NSA and their Sigint partners have capabilities against specific network security technologies as well as the number and scope of successes. These capabilities are among the Sigint community's most fragile, and the inadvertent disclosure of the simple "fact of" could alert the adversary and result in immediate loss of the capability. Consequently, any admission of "fact of" a capability to defeat encryption used in specific network communication technologies or disclosure of details relating to that capability must be protected by the BULLRUN COI and restricted to those specifically indoctrinated for BULLRUN. The various types of security covered by BULLRUN include, but are not limited to, TLS/SSL, https (e.g. webmail), SSH, encrypted chat, VPNs and encrypted VOIP. And Reports derived from BULLRUN material shall not reveal (or imply) that the source data was decrypted. The network communication technology that carried the communication should not be revealed."

From the NSA:


The Kill Switch

Capabilities uncovered here include the ability to apply physical censorship on the Internet by governments, directed at individuals, groups, companies, entire countries or the majority of the users of the Internet at once (given a coordinated government agreement). This is something that can be turned on globally within minutes. This "kill switch" is only a small portion of the total capabilities available that are in place right now. Essentially, any operation that can be applied using a single firewall or RIP router can be applied to every customer at once.

Uploading/Download Content

The attacker can upload or download content via either your public ISP's network or via his private hidden network. The difference is that your ISP could confirm or deny from their logs whether the user did or did not upload/download content from/to a particular source. In other words, the possibility and ability to frame someone can never be overlooked. When the attackers steal content, that information always travels via the private network.

Hacking in to a VOIP/Video Conference in Real-Time

As an example, it's a trivial matter for the attacker to route specific traffic for a specific media protocol such as VOIP (SIP/H.323/RTSP) etc. to his network in real time; these protocols are usually not encrypted so no key theft is required. In the case of Skype, it's no stretch of the imagination to assume that Microsoft handed over the keys on day one. Those they do not redirect in real time, as we know, will be collected via upstream SIGINT.


Tor User/Content Discovery

Users of the Tor network can easily be discovered by LAN packet fingerprinting, but also by those who download the Tor client. The attacker can stain packets leaving your network and before entering the Tor network, making traffic analysis much easier than was previously known. All Tor traffic can be redirected to a dedicated private Tor network controlled by the attacker; in this way the attacker controls ALL Tor nodes and so can see everything you do from end to end. This is not something the Tor project can fix; it can only be fixed by the user following our methods. Tor hidden services should drop all traffic from un-trusted Tor nodes; this way clients running in the simulated Tor network will fail to connect to their destination.

Encrypted Content

The attacker is in your network and has all the tools necessary (such as operating system back doors) or zero-day vulnerabilities to hack into your computers and steal your VPN, PGP and SSH keys as well as any other keys they desire. Also, content that is encrypted can be captured before encryption via any number of methods when the attacker is already inside your network.

Covert International Traffic Routing

The attacker can secretly route your traffic to the U.S. without your permission, consent or knowledge, thus bypassing any European data protection or privacy laws.

Activists

We have seen many activist groups and protest organizers identified and silenced over the last few years; we believe this is the primary method used to capture activists. Knowing the victims' ISP would indicate which ISPs are involved.

Destroy Systems

Released documents state that the U.S. Cyber Command have the ability to disable or completely destroy an adversary's network and systems; the first step to this would be to penetrate the adversary's network firewall, making secondary steps much easier.


Censorship

The attacker has control of the hidden firewall, so it is easy for the attacker to simply block traffic based on specific ports or based on destination address or network route; for example, the government can block port 8333 at source and therefore block all Bitcoin transactions. A coordinated attack on the Bitcoin network is possible by blocking the ports of miners around the world, reducing the hash rate and blocking transactions.

Mobile WIFI Attacks

Mobile devices (phones/tablets etc.) are as easily accessible once they connect to your WIFI network, which is, from the attacker's perspective, just another node on your LAN that the attacker can abuse. The level of sophistication or advanced encryption in use by your WIFI is no defense because the attacker has gained a trusted position in your network. All MAC addresses gathered from your LAN are stored in the XKEYSCORE database so they can be used to identify specific devices and specific locations, allowing the attacker to track you without the aid of GPS or where no GPS signal exists.

Document Tracking

Microsoft embeds the physical MAC addresses of the computer inside documents it creates. This allows the source of a document to be identified easily. The following is from the XKEYSCORE PowerPoint.



The Mobile Hack
2G/3G/4G Mobile Attacks

Given the NSA/GCHQ plan to spy on "any phone, anywhere, any time", The Hack detailed in this document is a carrier-independent method to achieve that goal that works very well. The attacker will almost certainly reuse the same strategy for all mobile phones or wireless broadband devices. Your mobile phone (2G/3G/4G) is almost certainly subject to this same attack architecture because from the attacker's perspective, his side of the infrastructure would remain the same regardless of the device being attacked. A mobile phone these days is simply a wireless broadband modem + phone, so any encrypted messaging system for example can be captured before encryption. Therefore mobile phones are subject to all the same and many more attacks as per The Hack. This would mean that mobile phone makers may well be in collusion with the NSA/GCHQ because they would need to implement the equivalent routing and firewall ability in each mobile phone as part of the OS if it was to remain hidden. The mobile phone version of The Hack is also much more difficult to detect than the broadband version. Mobile phones make more use of IPv6 and the overall complexity of IPv6 means that even experts may not know what they are looking at in the routing tables even if they could see them. Carriers often have multiple IPs for different services they provide. Even top-up mobile phones without any credit can be accessed; for example the mobile phone's top-up services are always available and their DNS servers are always accessible regardless of your top-up credit state. Modern kernels use multiple routing tables (e.g. ip rule show) for policy-based routing, so again unless you confirm who owns a specific IPv6 range it will be difficult to spot, especially as firmware hackers are not even looking for such back doors. Maybe now they will. We do not provide defense methods for mobile phones at this time.


Basic Defense
Knowing how you are being attacked is half the battle, but in this case, due to the attacker's abuse of a privileged position and the fact that the attacker is your own government and its foreign partners, defense is much more difficult compared to a common virus, worm or hacker. One of the best defenses is to take legal action against BT or your ISP.

If you are serious about your privacy, don't expect any help from your attackers (as attackers never help their victims). You must ensure your own privacy. Before we explain practical defenses, here are some good tips.

Secure your end-points
• Never ever trust ISP supplied equipment (e.g. router, firewall, STBs); always consider such devices as hostile and position them in your network architecture accordingly, i.e. in the Militarized Zone (MZ)
• Do not use any built-in features of ISP equipment (e.g. Firewalls, VPNs)
• Never ever trust a device that has any closed source firmware or other elements, regardless of the excuses your attacker gives you
• Never trust a device whose firmware you cannot change yourself, regardless of "big brand" names
• Disable all protocols that you don't use or don't understand, especially TR-069 and any other Remote Management features; these are all part of the surveillance control system (e.g. BTAgent firmware update)
• Always use a second Linux firewall which you control, that you have built
• Control all your NAT on your second Linux firewall, not the ISP's supplied router
• Make sure you control all end-points whenever possible
• Ensure that 100% of packets (UDP/TCP, including DNS) are encrypted when leaving your second firewall (this is the key to end-point security); this requires using the Outbound Defense method described later
• Always use a VPN and remote proxy that you control or trust, and disable logging altogether to protect privacy. This requires using the Outbound Defense method described later


Inbound Defense
This defense method against most NSA/GCHQ Inbound attacks is fairly easy to implement and not too technical; everybody at a minimum should include this method in their defense strategy. The strategy will only prevent NSA/GCHQ from hacking into your home/office LAN. It cannot prevent other direct attacks because the attacker can still intercept and route all packets leaving your property.

A second Linux firewall device (blue) that you control and manage is placed in front of the ISP router, effectively placing the ISP's router in the Militarized Zone (MZ), i.e. the Internet. A single cable (red) is used to link the LAN of the ISP router to the Internet LAN port of the Linux firewall. Block all inbound access including multicast packets from the ISP router, and run DHCP and NAT on your Linux firewall. Your second firewall can then issue PPPoE requests via its Internet port and create a local ppp0 device which will be its new Internet connection. All packets leaving the firewall will now be PPPoE encapsulated.


Outbound Defense
This defense method should be used against all NSA/GCHQ Inbound and Outbound attacks. This is the only sure-fire method to protect Tor clients. This defense requires that you (control/own/rent) a Server or VM elsewhere on the Internet (far away from your ISP) and preferably in a different country. Run a VPN such as OpenVPN between your Linux Firewall (blue) and your VPS server (green cloud); there, you run Squid Proxy and DNS and block all inbound access except from your VPN. Always run your own DNS service on your VM/Server.
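The Inbound and Outbound Defense sections above describe the second Linux firewall in prose; the ruleset generator below is an added example of how those rules could be expressed for iptables, not a configuration from the original document. It assumes the firewall's LAN interface, its ISP-router-facing interface, the OpenVPN tunnel interface and the VPS address and port are given as arguments (203.0.113.10:1194 in the usage line is a documentation-range placeholder), that the PPPoE session terminates on ppp0 as the text describes, and that a local resolver on the firewall forwards DNS over the tunnel to the VPS. The only cleartext the firewall itself may send over ppp0 is the VPN handshake; the LAN can reach the Internet through the tunnel alone.

```shell
#!/bin/sh
# Added example (not from the original document): iptables ruleset for the
# second Linux firewall. Inbound: nothing unsolicited from the ISP router or
# ppp0. Outbound: LAN traffic may only leave through the VPN tunnel; the
# firewall itself may only send the VPN handshake over ppp0; LAN DNS is
# redirected to the local resolver, which forwards over the tunnel.
# Interface names, VPS address and port are arguments (placeholders in usage).

# gen_rules LAN WAN TUN VPN_HOST VPN_PORT -> iptables-restore ruleset on stdout
gen_rules() {
    lan=$1; wan=$2; tun=$3; vpn_host=$4; vpn_port=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wan -j DROP
-A INPUT -i ppp0 -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $tun -j ACCEPT
-A FORWARD -i $lan -o ppp0 -j REJECT --reject-with icmp-admin-prohibited
-A FORWARD -i $lan -o $wan -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $lan -j ACCEPT
-A OUTPUT -o $tun -j ACCEPT
-A OUTPUT -o ppp0 -p udp -d $vpn_host --dport $vpn_port -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o ppp0 -j DROP
-A OUTPUT -o $wan -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $lan -p udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i $lan -p tcp --dport 53 -j REDIRECT --to-ports 53
-A POSTROUTING -o $tun -j MASQUERADE
COMMIT
EOF
}

# apply_rules LAN WAN TUN VPN_HOST VPN_PORT -> enable forwarding, load the
# ruleset atomically, and refuse all IPv6 so nothing leaves unencrypted over
# an address family the rules above do not cover
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules "$@" | iptables-restore
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT DROP
}

# Usage (placeholder values): review first, then apply
#   gen_rules eth1 eth0 tun0 203.0.113.10 1194
#   apply_rules eth1 eth0 tun0 203.0.113.10 1194
```

If the tunnel goes down, the LAN loses connectivity rather than falling back to cleartext over ppp0, which is the intended failure mode for the "100% of packets encrypted" requirement.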


An alternative short-term defense is to use OpenWrt router software that you install into the modem yourself, so that you can confirm no hidden networks or IP addresses exist and that the firewall actually functions. However, this is technically impossible for most users. For open source router software visit https://openwrt.org/

More Defense Tips
• Isolate your WIFI from your LAN and limit by MAC address + strong passwords; alternatively, isolate your WIFI from your LAN and leave it open as a free hot-spot.
• If you are capable, install your own router firmware (openwrt)
• Tell your ISP you do NOT want a router with back doors or malware in it; ask them to confirm in writing that back doors do not exist, this will help you in court when suing them
• Stop using any operating system that is known to contain back doors
• Only use Tor if you are using the Outbound Defense method, otherwise you could be using a NSA/GCHQ wonderland version of the Tor network
• It cannot be emphasized enough, never trust closed source routers
• Never use your ISP's DNS servers



MITM Defense
Until now, it was not fully understood how a MITM actually worked with regard to how the attacker could get in the middle of any connection. Now we know with 100% confidence that the man is not in the middle, but in the modem, and that's how any individual can be subjected to a MITM attack. We hereby rename this attack the Man-In-The-Modem attack. As an alternative defense for the future in place of the previous (admittedly complex outbound defense), you could use TcpCrypt. You can prevent this attack by ensuring that your clients and servers are running TcpCrypt, which is a TCP protocol extension. It works without any configuration and automatically encrypts TCP connections if both server and client support it, or it falls back to no encryption. It's also 100% NAT friendly.

Once installed, this works for any port not just port 80; it will also protect HTTPS, SMTP, SSH and every other service.


TCPCRYPT
TcpCrypt is a very secure approach to many of the problems posed by the NSA/GCHQ because it is true native end-to-end encryption, does not require a certificate authority and is free open source software. The NSA have tried to kill this project a number of times and will continue to do so or limit its use; you must not let that happen.

Let's get all TCP connections encrypted by default!
Available now, free open source for Linux, Windows and OSX, visit:

http://www.tcpcrypt.org/

Kernel Developers - please support the TcpCrypt Kernel Module

If you would like to see how NSA and GCHQ agents try to kill projects like this in public, view the video http://www.tcpcrypt.org/talk.php and go to 26:22 and hear the voice of the NSA and then GCHQ.



Frequently Asked Questions
Why Full Disclosure?
We are under no obligation to withhold this information from citizens of Europe; specifically we are not subject to any provisions of the Official Secrets Act of 1998 as we have never been:
• a member of the security and intelligence services
• a Crown servant or a government contractor
But more importantly because:
• This information was discovered on private property
• As security conscious users of the internet, we identified serious intentional security flaws which need to be fixed, and fast
• The needs of the many outweigh the needs of the few
• Under the rule of law, the truth is an absolute defense and that is what we present here
• lastly, because we can

Who should read this information?
The intended audience is citizens of Europe, but also anyone who is or could be a victim of global surveillance systems; this includes everybody in the world now and in the future.

Why does this document exist?
When a person(s) or government takes away your inalienable rights such as your Right to Privacy (especially in your own home), you take it back. This is not something that can be negotiated or traded.

What about the debate, the balance?
There is no such thing as a balance between privacy and security; you either have them both or you have none.

I'm an American, does this apply to me?
The NSA would only use this technique in the U.S. if they really thought they could go undetected. In the UK they have gone undetected until now (since 2011, as evidenced by the date of the firmware); you should assume that the U.S. is doing the same to all Americans and you should use the defenses as detailed herein as a precaution. We can turn off the lights ourselves.


Will stopping the BTAgent software stop these attacks?
No. BTAgent is just misdirection. It is not required or directly used in the attacks. It can be used to update the firmware of a target modem should the attacker need specific functionality on the modem, but this would be unusual. So, killing BTAgent does not help (you should kill it anyway).

Is it possible that BT is unaware of this?
No, this is their firmware, controlled by BT, published by BT, updated by BT; they also lock the modems.

My equipment is completely different?
The Hack is an NSA/GCHQ Global Strategy and its architecture is independent of a specific make or model of modem or mobile phone; it is also independent of the transport method, e.g. dial-up vs. ADSL, DOCSIS, VDSL, Cable modem etc. It sits at the top of the stack (TCP/UDP etc.), so however you connect, it connects. Each implementation will vary and improve with each generation. You should only use fully open source firmware that is publicly verified.

I've never done anything wrong
Yes you have: you have allowed hackers to enter your home network and plant malware that infects your computers, which may now have become part of a zombie army with tentacles controlled by the NSA/GCHQ. This is worse than any virus or worm you can imagine.

How can I verify this myself?
Follow the instructions in the following sections; you can also create simulations off-line, but that is more technical.

I would like to donate and support your work
Thank you, please see the last page of this document for details.


How you can verify

The following section explains how you can confirm that your modem has the GCHQ/NSA back door. In these examples, we use two BT Openreach white modems (but more accurately described as BT Overreach), models: Huawei EchoLife HG612 and ECI B-FOCuS VDSL2 modem. These two look almost identical. The HG612 is an earlier model.

The process of confirmation is slightly different for each modem. We will show two ways to verify the back door: the first is something anyone can do and requires just the ping command; the second requires reflashing the firmware so you can login to the modem itself.
Claims of Huawei modems (Left) having back-doors are false; the vendor (e.g. BT) build and install the OS for these modems. Huawei simply provided hardware. ECI Telecom Ltd is the provider of the second modem (Right), the more dangerous of the two.


Easy Confirmation

Step 1. Remove power from the modem and disconnect the telephone line.
Step 2. On your PC (assumed Linux) add an IP address 192.168.1.100, i.e.:
# ifconfig eth0:1 192.168.1.100 up
Step 3. Start to ping 192.168.1.1 from your PC, i.e.:
# ping 192.168.1.1
Step 4. Connect a network cable to LAN1.
Step 5. Plug in the power cable to the modem and wait for about 30 seconds for the device to boot; you will then notice:
64 bytes from 192.168.1.1: icmp_seq=115 ttl=64 time=0.923 ms
64 bytes from 192.168.1.1: icmp_seq=116 ttl=64 time=0.492 ms
64 bytes from 192.168.1.1: icmp_seq=117 ttl=64 time=0.514 ms
You may notice up to ten responses, then it will stop. What is happening is the internal Linux kernel boots, the start-up scripts then configure the internal and virtual interfaces and then turn on the hidden firewall, at which point the pings stop responding. In other words, there is a short window (3-10 seconds) between when the kernel boots and the hidden firewall kicks in. You will not be able to detect any other signs of the hidden network without actually logging into the modem, which is explained in the next section.
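The window described in Step 5 is easier to measure than to eyeball. The helper below is an added example, not part of the original document: it timestamps each ping reply during the boot and then summarises how many replies arrived and over how many seconds, so the 3-10 second window can be logged as evidence rather than watched. It assumes the management address 192.168.1.1 from the steps above and a POSIX awk; ping output is accepted in both the BusyBox (seq=) and GNU (icmp_seq=) formats.

```shell
#!/bin/sh
# Added example (not from the original document): record and measure the
# short window in which the modem answers pings between kernel boot and the
# moment the hidden firewall starts dropping them. Assumes the management
# address 192.168.1.1 from the steps above and a POSIX awk.

# log_boot_pings [TARGET] -> ping continuously, prefixing each line with an
# epoch timestamp. Start it before powering the modem on; stop with Ctrl-C.
log_boot_pings() {
    ping -i 1 "${1:-192.168.1.1}" 2>&1 | while IFS= read -r line; do
        printf '%s %s\n' "$(date +%s)" "$line"
    done
}

# boot_window < LOG -> one summary line: replies=N first_seq=A last_seq=B
# and, when the log lines carry the epoch prefix, window_s=SECONDS
boot_window() {
    awk '
      /bytes from/ {
        n++
        # BusyBox ping prints "seq=", GNU ping prints "icmp_seq="; both match here
        if (match($0, /seq=[0-9]+/)) seq = substr($0, RSTART + 4, RLENGTH - 4)
        if (n == 1) first = seq
        last = seq
        # with the epoch prefix the word "bytes" is the third field, not the second
        if ($3 == "bytes") { if (n == 1) t0 = $1; t1 = $1 }
      }
      END {
        if (n == 0) { print "replies=0"; exit }
        line = sprintf("replies=%d first_seq=%s last_seq=%s", n, first, last)
        if (t0 != "") line = line sprintf(" window_s=%d", t1 - t0)
        print line
      }'
}

# Usage: in one terminal   log_boot_pings > /tmp/boot.log
#        power the modem on, wait ~30 s, press Ctrl-C, then
#        boot_window < /tmp/boot.log
```

A reply count of zero with the cable and address confirmed means the device never answered at all, which is a different observation from the brief answer-then-silence pattern the text describes; keep both logs.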


Hard Confirmation

Method 1: (no firmware modification required)
For this method, you need to connect a USB-to-serial adapter to the serial port pins on the modem motherboard as detailed here: http://hackingecibfocusv2fubirevb.wordpress.com/ If you are unable to use this method because it requires opening the modem, please use method 2.

Method 2: (public firmware modification required)
For this method, you will need to re-flash the modem by following the instructions in the document called hg612_unlock_instructions_v1-3.pdf which is available from: http://huaweihg612hacking.files.wordpress.com/2011/11/hg612_unlock_instructions_v1-3.pdf Or you can navigate to: http://huaweihg612hacking.wordpress.com/ and click "Unlocked Firmware Images for Huawei HG612" on the right panel. Once you have re-flashed your modem, you will be able to login to the modem via telnet as follows. Note: if your network is not 192.168.1.0, you will need to add the IP address to your PC as explained previously, i.e.
# ifconfig eth0:1 192.168.1.100 up
# telnet 192.168.1.1
then login with Username: admin, Password: admin, then type: shell to get the BusyBox shell prompt.

Your telephone line (RJ11) cable should remain disconnected. To prevent your device's firmware from being updated, disable the following components, as they are not required for confirmation. Kill the pid of the /bin/sh /BTAgent/ro/start process (see UN-Hack later):
# kill pid
# killall tftpd sshd MidServer btagent



You will be surprised to learn there exist 16 network interfaces inside the device; most are legitimate, but others are part of The Hack.
All IP + MAC addresses have been redacted to protect victims' identities.
# ifconfig -a
br0       Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2   <-- redacted MAC address
          inet addr:(redacted)  Bcast:(redacted)  Mask:(redacted)
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
br1       Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
dsl0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          [NO FLAGS]  MTU:0  Metric:1
eth0      Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth0.2    Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
          BROADCAST MULTICAST  MTU:1500  Metric:1
eth0.3    Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
          BROADCAST MULTICAST  MTU:1500  Metric:1
eth0.4    Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth0.5    Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
imq0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING NOARP  MTU:16000  Metric:1
imq1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING NOARP  MTU:16000  Metric:1
imq2      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING NOARP  MTU:16000  Metric:1
pktcmf_sa Link encap:UNSPEC  HWaddr FE-FF-FF-FF-FF-FF-FF-FF-00-00-00-00-00-00-00-00
          UP NOTRAILERS RUNNING NOARP  MTU:0  Metric:1
pktcmf_sw Link encap:UNSPEC  HWaddr FE-FF-FF-FF-FF-FF-FF-FF-00-00-00-00-00-00-00-00
          UP NOTRAILERS RUNNING NOARP  MTU:0  Metric:1
ptm1      Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
ptm1.101  Link encap:Ethernet  HWaddr 10:C6:1F:C1:27:A2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
ptm1.301  Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A3
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1


Let's examine the routing table:
# route -n
Kernel IP routing table
Destination   Gateway   Genmask      Flags Metric Ref  Use Iface
(redacted)    0.0.0.0   (redacted)   U     0      0      0 br0

# ip route show
(redacted) dev br0 proto kernel scope link src (redacted)

# netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp        0      0 (redacted)      (redacted)        ESTABLISHED   # telnet
tcp        0      0 (redacted)      (redacted)        ESTABLISHED   # Z->rip
tcp        0      0 (redacted)      (redacted)        ESTABLISHED   # rip->Z
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags   Type     State      I-Node Path
unix  3      [ ]     STREAM   CONNECTED  766    /var/BtAgentSocket   # SPIES Socket

Let's see what processes are running (duplicate and uninteresting lines removed for brevity):
# ps
  PID  Uid     VSZ Stat Command
    1    0     336 S    init
  101    0         SW   [dsl0]
  116    0         SW   [eth0]
  127    0     504 S    mc
  131    0     380 S    /bin/msg msg
  136    0    1124 S    /bin/dbase
  146    0    1680 S    /bin/cms
  147    0    1148 S    /bin/cwmp
  191    0     328 S    zebra -f /var/zebra/zebra.conf
  193    0     332 S    ripd -f /var/zebra/ripd.conf
  548    0     396 S    dhcpc -i ptm1.301 -I ptm1.301   <--HELLO?
  552    0     504 S    monitor
  570    0     348 S    dnsmasq --conf-file=/var/dnsmasq.conf
  733    0     248 S    tftpd -p 69
  741    0     292 S    sshd -E   <-- HELLO?
  762    0    1136 S    MidServer
  766    0     380 S    /bin/sh /BTAgent/ro/start
  780    0     832 S    ./btagent

All looks innocent at first. Now, let's plug in the telephone line cable and wait a few seconds:


NOTE: We have redacted some IP addresses assigned to us by the attacker; xx = redacted address.
# route -n
Kernel IP routing table
Destination   Gateway       Genmask         Flags Metric Ref  Use Iface
(redacted)    0.0.0.0       (redacted)      U     0      0      0 br0
30.150.xx.0   0.0.0.0       255.255.xxx.0   U     0      0      0 ptm1.301
0.0.0.0       30.150.xx.1   0.0.0.0         UG    0      0      0 ptm1.301   <-Default?

# ip route show
(redacted) dev br0 proto kernel scope link src (redacted)
30.150.xx.0/21 dev ptm1.301 proto kernel scope link src 30.150.xx.xx
default via 30.150.xx.1 dev ptm1.301

We have a new IP address on VLAN 301; this is before any computers are connected and before the PPPoE discover command has been issued from the LAN-connected Hub or PC. The default route sends all traffic to the attacker by default – 30.150.xx.1. How close is the attacker? Very close, about 7 ms:
# ping 30.150.xx.1
PING 30.150.xx.1 (30.150.xx.1): 56 data bytes
64 bytes from 30.150.xx.1: seq=0 ttl=64 time=7.174 ms
64 bytes from 30.150.xx.1: seq=1 ttl=64 time=7.648 ms
64 bytes from 30.150.xx.1: seq=2 ttl=64 time=7.685 ms

NOTE: You are now pinging the NSA/GCHQ

Now let's see what is happening at a socket level (comments on the right after #):
# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address   State
tcp        0      0 (redacted)             *                 LISTEN        # This is BTAgent
tcp        0      0 (redacted)             *                 LISTEN        # This is Zebra Router
tcp        0      0 (redacted)             *                 LISTEN        # Transparent tproxy
tcp        0      0 30.150.xx.xx:8081      *                 LISTEN        # This NSA/GCHQ Services
tcp        0      0 (redacted)             *                 LISTEN        # This is DNS
tcp        0      0 (redacted)             *                 LISTEN        # This is SSH Server
tcp        0      0 (redacted)             *                 LISTEN        # This is TELNET
tcp        0     55 (redacted)             (redacted)        ESTABLISHED   # This telnet session
tcp        0      0 (redacted)             (redacted)        ESTABLISHED   # This is zebra-rip
tcp        0      0 (redacted)             (redacted)        ESTABLISHED   # This is rip->zebra
udp        0      0 (redacted)             *                               # TFTP Server for upgrades
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags   Type     State      I-Node Path
unix  3      [ ]     STREAM   CONNECTED  766    /var/BtAgentSocket   # Special Agent BT

The device is now awaiting the hub/PC to issue a PPPoE discover request, at which point you will receive your "Real Public IP". At this point the attacker has complete control of the modem and your LAN; extra firewall rules are added the moment the ptm1.301 VLAN device is enabled by the dhcpc command.



The UN-HACK
If you are able to login to your router (via serial port or LAN), there is a defense which will prevent ALL the attacks using The Hack. This will unhack the modem and needs to be done after each reboot.

Step 1. Unplug the telephone cable and boot the Modem, then login and issue the following commands (in bold); the hash is the prompt (don't type that):

Kill the following processes:
# killall zebra ripd dnsmasq tftpd sshd MidServer
Kill the pid of the /bin/sh /BTAgent/ro/start process:
# kill 766
Now, kill all of the BTAgent processes:
# killall btagent

Unmount the BTAgent partition:
# umount /usr/BTAgent
Remove the attacker's VLAN 301:
# vconfig rem ptm1.301
Kill the rogue dhcpc process with force (-9) or it will re-spawn:
# killall -9 dhcpc
Remove all hidden firewall rules:
# iptables -F -t mangle
# iptables -F -t nat
# iptables -F

Step 2. Plug in the telephone cable and the DSL will connect to BT (without the NSA/GCHQ listening).

Step 3. Now start your PPPoE session from your second Linux firewall machine as per the instructions for Inbound Defense and Outbound Defense as applicable, and enjoy your privacy.
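Because the UN-Hack has to be repeated after every reboot, it is worth having a check that confirms the modem is actually in the clean state rather than trusting memory. The script below is an added example, not from the original document: it re-examines the three things the listings in the verification section showed (the processes the UN-Hack kills, a default route present before any PPPoE session, and the ptm1.301 VLAN interface) from saved `ps`, `ip route show` and `ip link show` captures, so the same check runs on live output and on evidence you kept. The sample captures it writes are constructed for the test, modelled on the listings above with addresses redacted as in the original; they are not real captures.

```shell
#!/bin/sh
# Added example (not from the original document): verify that the modem is in
# the "un-hacked" state described above, and re-check it after every reboot.
# Checks, from captured command output:
#   1. processes the UN-Hack kills (zebra, ripd, dnsmasq, tftpd, sshd,
#      MidServer, the /BTAgent/ro/start script, btagent, dhcpc)
#   2. a default route that exists before any PPPoE session has been started
#   3. the ptm1.301 VLAN interface
# Captures are passed as files so the same check runs on saved evidence.

# audit_modem PS_FILE ROUTE_FILE LINK_FILE -> prints each finding, then findings=N
audit_modem() {
    ps_out=$1; route_out=$2; link_out=$3
    findings=0
    for proc in btagent /BTAgent/ro/start dhcpc zebra ripd dnsmasq tftpd sshd MidServer; do
        if grep -q -- "$proc" "$ps_out"; then
            echo "process still running: $proc"
            findings=$((findings + 1))
        fi
    done
    # "ip route show" prints "default via ..."; "route -n" prints 0.0.0.0 as destination
    if grep -Eq '^(default |0\.0\.0\.0 )' "$route_out"; then
        echo "default route present before PPPoE: $(grep -E '^(default |0\.0\.0\.0 )' "$route_out")"
        findings=$((findings + 1))
    fi
    if grep -q 'ptm1\.301' "$link_out"; then
        echo "hidden VLAN interface ptm1.301 still present"
        findings=$((findings + 1))
    fi
    echo "findings=$findings"
}

# audit_live -> capture the running modem's state and audit it (run on the
# modem's BusyBox shell; use "route -n" in place of "ip route show" where ip is absent)
audit_live() {
    d=$(mktemp -d)
    ps > "$d/ps"
    ip route show > "$d/route"
    ip link show > "$d/link"
    audit_modem "$d/ps" "$d/route" "$d/link"
    rm -rf "$d"
}

# write_samples DIR -> constructed "before" and "after" captures for testing,
# modelled on the listings in this document (addresses redacted); not real captures
write_samples() {
    cat > "$1/ps.before" <<'EOF'
  PID  Uid     VSZ Stat Command
    1    0     336 S    init
  191    0     328 S    zebra -f /var/zebra/zebra.conf
  193    0     332 S    ripd -f /var/zebra/ripd.conf
  548    0     396 S    dhcpc -i ptm1.301 -I ptm1.301
  570    0     348 S    dnsmasq --conf-file=/var/dnsmasq.conf
  733    0     248 S    tftpd -p 69
  741    0     292 S    sshd -E
  762    0    1136 S    MidServer
  766    0     380 S    /bin/sh /BTAgent/ro/start
  780    0     832 S    ./btagent
EOF
    cat > "$1/route.before" <<'EOF'
30.150.xx.0/21 dev ptm1.301 proto kernel scope link src 30.150.xx.xx
default via 30.150.xx.1 dev ptm1.301
EOF
    printf 'br0\nptm1\nptm1.101@ptm1\nptm1.301@ptm1\n' > "$1/link.before"
    cat > "$1/ps.after" <<'EOF'
  PID  Uid     VSZ Stat Command
    1    0     336 S    init
  127    0     504 S    mc
  146    0    1680 S    /bin/cms
EOF
    echo '192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1' > "$1/route.after"
    printf 'br0\nptm1\nptm1.101@ptm1\n' > "$1/link.after"
}
```

A non-zero findings count after the UN-Hack means a step was missed or a process re-spawned (dhcpc in particular, which is why the text kills it with -9); a clean result before the telephone cable goes back in is the state to record.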



Special Agent BT
This "special" software installed on all modems provided by BT is called BTAgent.

This software listens on port 161, which is the IANA assigned port for Simple Network Management Protocol (SNMP); anyone looking at this process would automatically assume this to be the case. SNMP type programs are often referred to as SNMP Agents. The primary purpose of BTAgent is unpublished, but a version has been partially reverse engineered and the software does download firmware and update the modem's flash. BT's response to queries about their BTAgent is to claim that they need to "remotely manage modems for security purposes". User concerns with BTAgent:

1. It's closed source
2. Users cannot turn it off
3. The secretive nature and responses from BT
4. Users cannot upgrade the firmware using BTAgent
5. Port 161 is open to the public internet

The second (special) purpose of the BTAgent is purely reverse psychology, designed to keep you wondering about it and to cause you to waste your time reverse engineering it, when it may well be what it says on the tin; and while you're thinking about BTAgent you're not thinking about the other network interfaces such as ptm1.301 and the dhcpc requests, which all look innocent but actually perform the dirty deeds right in the open. When you reverse engineer BTAgent and publish your results, this allows the NSA/GCHQ to target you for other types of attack. We should remember that with a single firmware update from BTAgent, it could morph itself into what we originally feared!


Psychological and Physical Barriers
The NSA/GCHQ will do anything and everything to stop The Hack being discovered. The first step is to deal with the majority of users and prevent them from even thinking about opening it up or even touching the modem. Some of the suggestions listed here may seem extreme, but the less interest created in this box, the less attention it receives from consumers.

1. It's a white box; psychologically it's not a "black box" so it should be safe
2. It comes in a plain brown cardboard box, which contains no words or graphics whatsoever, with a single white bar-code label with make/model of the modem
3. The BT engineer personally carries and installs it in your home, while other components such as the BT Home Hub, the more expensive component, are sent through the postal system. BT cannot leave this shiny white modem hanging around for a week while they allocate your connection; you may try to open it or do research about it online, and they want to know who is researching it
4. The telephone socket (RJ11) is designed such that when you plug in the telephone cable, it becomes very difficult to remove it, much more so than a standard telephone RJ11. It's not just a case of pinching the lever; you have to pinch and push further in, then remove. This is subtle, but it will prevent a lot of people from even attempting to disconnect the telephone cable, just in case they break it
5. The older model was easy to open, just a few screws; the newer model is almost impossible to open because it is clip locked closed, meaning that you will damage it if you attempt to open it
6. Red warning sticker on the back – "Don't cover Air Holes", wise but scary
7. The only documentation is a single piece of white paper detailing how it should be mounted; there are no instructions about which cables go where, this is designed never to be touched
8. All internal serial port headers are removed so, you can easily hack it
9. The modem is plain white and square, extremely uninteresting, boring: "Nothing to see here, move along"

All of this subtle "Anti-Marketing" for the most advanced BT product?



Social Attacks on Engineers
Having discovered the attack architecture and disabled it, we decided to visit some forums online; we were interested to see if anyone, anywhere, was close to uncovering The Hack and how the NSA/GCHQ react to such issues. Generally, there are engineers chatting and sharing pictures of their modems and how they solder wires on to the (usually hidden) serial ports; the discussion usually leads to logging in and gaining root access on the modem, or replacing the firmware altogether. When engineers start to get really close, something extraordinary usually happens, almost like “superman to the rescue”: someone who is highly qualified, someone who has built up a reputation as an ethical hacker/security expert, introduces themselves and produces what appears to be a major breakthrough in gaining access to the modems. However, because of the “ethical” element, superman, instead of sharing the method, contacts BT (or BT contacts superman) directly, and they agree to allow BT to fix the flaw (e.g. giving BT a 30 days head start), after which superman will publish the method he used. All things being equal, this is fair enough, but things are not all equal, because this was a complete smoke screen, played out to discourage the engineers from further development, knowing that in a few weeks “superman” will give them access. Many of the engineers/enthusiasts who wait end up getting caught by upgrades of their modems' firmware, which then locks them out of the game. This is a cat and mouse game, and engineers should be very wary of those bearing gifts; their agenda is to slow you down and prevent you from making any progress, hoping you will just give up. You can clearly see this on the BT forums as well as others such as http://www.psidoc.com, http://www.kitz.co.uk/, http://community.bt.com and others. Reverse engineering is legal, legitimate and a great source of innovation.



Counter-Intelligence

The NSA/GCHQ et al. have been watching and attacking us; it's about time we turned the tables, started defending ourselves and also started watching them. This section is not going to detail specific techniques, but rather suggest overall approaches, some of which we have carried out over a period of months.

NSA Honeypots

Now that we understand the attack architecture, we can simulate the modem in a MIPS virtual machine (BTAgent is not required). We can route the NSA/GCHQ traffic to your lab and just let them hack away in a private cloud while we log the traffic, including how they attempt to use their back doors and other dirty tricks. You will need to forward and tap VLAN 301 (in the case of BT et al.) to the virtual modem, where you can analyze its traffic in real-time or offline; you should always store whatever information you gather forever (just like they do). After gathering enough evidence, you can then publicize it and take legal action; your logs can be used in court when you sue the conspirators and co-conspirators under the “Computer Misuse Act 1990” as well as other laws.


Uncovered – //NONSA//NOGCHQ//NOGOV - CC BY-ND

About the Authors

The authors of this document wish to remain anonymous. However, we are fully prepared to stand in a court of law and present our evidence. We are a group of technical engineers; we are not associated with any activist groups whatsoever. We don't have a name, but if we did it would probably be “The Adversaries”, according to the NSA/GCHQ.

Our Mission

Freedom is only appreciated when lost. We are on the brink of an irreversible totalitarian multi-government regime, and even though the European Parliament has stated that citizens should not have to defend themselves against state sponsored cybercrime, the fact remains that our own Governments continue to attack us in our own homes while we sleep. Our mission is defensive and legal. Our objectives are to expose the sources and methods used by those that harm our personal freedoms and rights, and to provide practical information to individuals around the world allowing them to defend themselves against such cyber attacks. We believe this, as well as future disclosures, to be in the public interest.

Donations

Our ongoing work is technical, slow, tedious and expensive; any donations are very welcome. We only accept bitcoins at this time.

bitcoin1'D5Hj,6DS*m404m8.60CS)ocdd4HRjma.7

You can also support us by sending this document to a friend or hosting it on your website. Licensed under the Creative Commons Attribution-NoDerivs (CC BY-ND).


UPDATE 2

Documents released by Der Spiegel have confirmed our own findings; the original sources can be found here:
http://www.spiegel.de/international/topic/united_kingdom/
http://www.spiegel.de/international/topic/united_states/

The very fact that we reported these back-doors exactly as described in these new leaks proves that our claims are legitimate and true. This is exactly what we uncovered in BT's modems: the architecture, design and attackers' networks are exactly as we illustrated in our diagrams, descriptions and list of capabilities. We verified our results by purchasing and testing many modems directly from BT as well as from third party sources, all of which had the back doors as described. Individual Der Spiegel documents relating to our claims can be found here:
Backdoors, Firewalls, Routers (NSA/ANT verification documents):
http://cryptome.org/2013/12/nsa-ant-firewalls.pdf
http://cryptome.org/2013/12/nsa-ant-router.pdf

QFIRE Attack Networks:
http://cryptome.org/2013/12/nsa-qfire.pdf

BULLRUN (NSA) / EDGEHILL (GCHQ):
http://cryptome.org/2013/09/nsa-bullrun-2-16-guardian-13-0905.pdf
http://cryptome.org/2013/09/nsa-decrypt-guardian-13-0905.pdf
http://cryptome.org/2013/09/nsa-bullrun-brief-nyt-13-0905.pdf

Public Comments:
http://cryptome.org/2013/12/full-disclosure-comments.htm


U.S. DOD IP Addresses

We have always encouraged everyone to confirm our claims for themselves, yet so called “Security Experts” dispute our claims in defense of BT; for example, Robert Graham of Errata Security, whose BT defense is here:
http://blog.erratasec.com/2013/12/dod-address-space-its-not-conspiracy.html

Robert states:
“To be clear, that paper contains nothing that is evidence of NSA spying. I may have missed something, because I only skimmed it”.

Robert, Security Experts don't miss things like huge open backdoors! Robert even suggests that we should disregard RFCs and BCPs in favor of just re-using so called un-allocated network address space – that's allocated to the Government – as “The way to go”. Thank you, Special Agent Robert. We advise he read RFC 1918: http://tools.ietf.org/html/rfc1918. At least when Sprint was caught out in 2011, they admitted to routing consumer traffic through the D.O.D: http://www.androidcentral.com/sprint-internet-dept-defense-and-you

U.K. MOD IP Addresses

More recently, a YouTube video was published in which U.S. mobile phone users are starting to check their IP addresses and discovering they belong to the U.K. Ministry of Defence (MOD) as well as to the U.S. DOD network: http://www.youtube.com/watch?v=0W1ycfbKgqc (user comments list many such address blocks, not just 30/8 & 25/8). The question a “Real Security Expert” should ask is: why provide U.K. IP addresses to Americans and U.S. IP addresses to the British? The answer is of course simple: it allows the Government to by-pass the laws of both countries. Essentially, this is the equivalent of creating a false paper trail, allowing the NSA to get GCHQ to by-pass the U.S. Constitution and GCHQ to get the NSA to by-pass the European Convention on Human Rights. As we know they do, from other published revelations.


IP traffic is not actually routed from the U.S. to the U.K. or vice versa, because the latency (round trip delay) would be too high. But using IP blocks from partner countries allows these Governments to claim that they do not spy on their own citizens; for example, GCHQ would not attack a public U.K. IP address, but may attack a U.S. IP address. The opposite is also true: the U.S. can claim that they do not attack U.S. IP addresses, but may attack U.K. IP addresses – get the picture! The Governments' proof that they do not spy on their own citizens will be that they use industry standard tools such as the MaxMind IP geo-location databases etc. to confirm foreign-jurisdiction IP addresses, knowing full well that American targets have been assigned foreign IP addresses, allowing the NSA/CIA to legitimately target Americans.

Locations of Attacker Networks

While an IP address may well be foreign, it is under the control of the NSA SCS SCIF site operating within local Embassies and Consulates (according to their documents). Within the UK, it's probably located within GCHQ.

We now know where the attackers' network infrastructures are located. This also explains the low latency ping times we reported (8 ms) within the UK.
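To make the checks described in the Counter-Intelligence section (tapping the hidden VLAN and logging who talks to the modem) and in this section (which address blocks those talkers come from) concrete, here is an added example; it is not code from the original disclosure. It assumes a constructed flow-log format, a made-up hidden-side modem address (30.150.77.9) and the address registrations the text names (30/8 U.S. DoD, 25/8 U.K. MoD); the 8081 command receiver, telnet/ssh and SNMP port 161 are taken from the page's own netstat line and prose.

```python
"""Triage of flow records seen on a modem's hidden-side VLAN.

Added illustration, not code from the original disclosure. The flow-log
format, the modem's hidden address (30.150.77.9) and the sample records
are constructed; the address blocks (30/8 DoD, 25/8 UK MoD) and the
ports (8081 command receiver, telnet/ssh, SNMP 161) are the ones the
text names.
"""
import ipaddress
from collections import Counter

# Address blocks the text says show up on the hidden network.
LABELLED_BLOCKS = [
    (ipaddress.ip_network("30.0.0.0/8"), "us-dod"),
    (ipaddress.ip_network("25.0.0.0/8"), "uk-mod"),
]

# (protocol, port) pairs of the management plane described in the text.
MGMT_SERVICES = {
    ("tcp", 8081): "rpc-c2",   # command/control receiver from the netstat line
    ("tcp", 23): "telnet",     # direct telnet access to the modem
    ("tcp", 22): "ssh",        # direct ssh access to the modem
    ("udp", 161): "snmp",      # port 161 the text says is open to the internet
}

# Hypothetical hidden-side address of the modem under observation.
MODEM_HIDDEN_IP = "30.150.77.9"


def classify(ip):
    """Label an address: private (RFC 1918 etc.), one of the named blocks, or public."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        return "private"
    for net, label in LABELLED_BLOCKS:
        if addr in net:
            return label
    return "public"


def parse_flow(line):
    """Parse 'TIMESTAMP PROTO SRC:PORT DST:PORT BYTES'; skip blank and '#' lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ts, proto, src, dst, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "bytes": int(nbytes)}


def triage(lines, modem_ip=MODEM_HIDDEN_IP):
    """Return (alerts, talkers) for flows destined to the modem's hidden address.

    alerts  - one dict per flow that hits a management service on the modem
    talkers - Counter of source-address labels that reached the modem at all
    """
    alerts, talkers = [], Counter()
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["dst"] != modem_ip:
            continue
        src_label = classify(flow["src"])
        talkers[src_label] += 1
        service = MGMT_SERVICES.get((flow["proto"], flow["dport"]))
        if service:
            alerts.append({"ts": flow["ts"], "src": flow["src"],
                           "src_label": src_label, "service": service,
                           "bytes": flow["bytes"]})
    return alerts, talkers


# Constructed sample of what a tap on the hidden VLAN might record.
SAMPLE_FLOWS = """\
# timestamp proto src:port dst:port bytes
2013-12-04T02:14:11Z tcp 30.150.2.1:45201 30.150.77.9:8081 512
2013-12-04T02:14:12Z tcp 30.150.77.9:8081 30.150.2.1:45201 2048
2013-12-04T02:15:03Z tcp 30.150.2.1:45230 30.150.77.9:23 96
2013-12-04T02:16:40Z udp 30.150.2.1:5353 30.150.77.9:161 80
2013-12-04T02:17:05Z tcp 192.168.1.20:51000 30.150.77.9:22 300
2013-12-04T02:18:19Z tcp 25.10.4.8:40011 30.150.77.9:8081 640
"""


if __name__ == "__main__":
    found, who = triage(SAMPLE_FLOWS.splitlines())
    for a in found:
        print(f"{a['ts']} {a['service']:7} from {a['src']} ({a['src_label']}) {a['bytes']}B")
    print("sources reaching the hidden address:", dict(who))
```

Only flows whose destination is the modem's hidden address are considered, so the modem's own replies (second sample line) are not counted; a source labelled private is a LAN host and is worth a separate look, since the text says the attacker can also talk to LAN devices through the modem.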

In the following NSA diagram:

1. Yellow dots depict compromised firewalls and routers, i.e. your modem
2. Red dots are the locations of the attackers' networks as per SCS Global
3. Red dashed lines represent hidden network paths
4. Black solid lines represent fibre optic cables

The above diagram is from 2012 and states over 50,000 implants, but this list does not include the UK, CAN, NZL and AUS (the other Eyes). Given that BT et al. is the largest provider of compromised firewall/router modems in the UK, the actual number is in the millions. As a side note, we stated: “But worse is the fact that this architecture is designed for Cyber Attacking in addition to passive monitoring, as we will detail next.”

Now we discover they even have a logo for this!

Next, we see:

1. DoD Network – you know, the one that's unused; yep, that one.
2. Green dots – Passive SIGINT (real-time active traffic monitors)
3. Red dots – Active Defense (i.e. attack!)
4. Blue dots – compromised router/firewall/modems, “Implants (TAO)”, being remotely controlled by the attackers.

Titled: “Provides centralized automated command/control of large network of active implants”. Now do you believe our claims about your second hidden network? No? Well, read on.


The following diagram is within the attackers' network directly attached to your BT (or other ISP) modem.
1. Top left corner is the attackers' gateway (i.e. the BT modem's default route)
2. Thick blue lines are the attackers' network, located in the SCS SCIF site operating within local Embassies and Consulates
3. The virtual machines (VM1-VM4) are the command and control logic; this sends requests to your BT modem via the hidden network to inject routes or issue other requests to route specific or all traffic for MITM attacks. It should be noted that the attacker can also simply telnet/ssh to your modem as well.

We previously stated the following:
tcp 0 0 30.150.xx.xx:8081* LISTEN # This NSA/GCHQ Services

which is the RPC/RML receiver TCP port (8081) on the BT modem's hidden IP address, there to receive the above command and control requests from the attacker. Still not convinced? Read on...


Unclassified TAO Covert Network

Covert = hidden. Remember BT VLAN 301? It goes from your home router to BT to GCHQ (or your local NSA SCS) as shown in the previous and right-hand diagrams. The 1st generation modems don't use a VPN, which is why we did not mention it. However, the 2nd generation do have an IPSec VPN built in (and other interesting stuff). The use of a VPN is to hide the attackers' activities from counter surveillance.

The same document also refers to the TAO Covert Network as CovNet, a.k.a. MIDDLEMAN (Man In The Middle).

Surely you're convinced now? No? Read on.


In this diagram we see your BT Modem! (bottom right)

The left hand side is the attacker's network infrastructure. The “Internet Option A” is almost certainly used exclusively for GSM type (RF = Radio Frequency) mobile phones and GSM based control devices. Option A devices can only receive commands; they cannot return data directly. They can do things like turn on the microphone, take a picture, transmit SMS-protected data via SMS etc. Ask your mobile phone provider/maker for a complete list of features in your phone (a good case for an OSS GSM module). Option B concerns routers/firewalls/modems; now take a close look and you will see the Wireless Access Point (WAP), i.e. WIFI, slightly grayed – meaning the user may not have it or it's disabled; otherwise the attacker can talk to your wireless tablet/phone via your WIFI network. NAT-EW is your official BT public IP network. Lastly, you see “wired clients” connected to any switch ports connected to your modem. All of this is exactly how we described it 1 month ago. Still not sure? Read on.

We stated that “The Hack”, as we call it, is an architecture, and regardless of router or firewall the architecture would remain the same; this strategy is known as architectural design patterns. For example:

In the above NSA diagram, the “backdoor” is a hidden network to the attackers' (NSA/GCHQ) network (Remote Operations Centre). If you read all of the router and firewall documents released, you will notice the same methods and design are re-used over and over. These slides are approx. 5 years old and concern 1st gen commercial routers, but in 2011 the 2nd gen consumer firmware was installed (at least in the UK) and in June 2013 the 3rd gen was installed in the UK. In all generations “The Hack” is the same: a covert backdoor hidden network. 5 years on, you can bet your bottom dollar this includes every smartphone, which is effectively a broadband router/phone.

Response to BT

We discovered all of these details and published them on December 4th 2013, almost a month before these new slides were released with the exact same detail (actually much more detail), and we have now been proven to be correct by U.S. Government documentation. How could this be possible had we not discovered (and explained how and why we discovered) this backdoor inside all our BT modems? We know, you know, that we now knew the truth (that's spy speak!); the fact is this was never a “Conspiracy Theory” as has been claimed. We are Systems Architects, System Administrators, Security Engineers, Programmers, Pen Testers, Cryptographers, Inventors and Innovators who grew up with a free Internet in the days of SLIP/9600bps and floppy disks. We know backdoors when we see them; after all, our employers pay us to secure some of the U.K.'s most successful online businesses, just like BT. The Internet will always be for the next generation and cannot be owned or used as a weapon against the peoples of the world. But our Governments are not listening to us (well, except for the NSA/GCHQ); thanks to Mr Edward Snowden, we are reclaiming the Internet. Everyone fully understands that BT and other ISP businesses are somehow compelled to act in the way they have, and this can be forgiven and trust can be restored if BT demonstrate their business is worthy of our trust once again. Meaning nothing short of what you would expect from us: complete openness, namely unlock all your modems, remove these backdoors as other major suppliers of routers/firewalls have agreed to do, aid innovation once again; then it will be good to talk.

Bruce Schneier did not contribute in any way to our research; he did, however, inspire its name, “Full Disclosure”, because he called for that. “The Internet Dark Age” refers to the place the NSA/GCHQ and other Eyes will soon be living.

