nanog mailing list archives

Re: NSA able to compromise Cisco, Juniper, Huawei switches


From: Jared Mauch <jared () puck nether net>
Date: Tue, 31 Dec 2013 11:57:15 -0500


On Dec 31, 2013, at 11:50 AM, Saku Ytti <saku () ytti fi> wrote:

> I asked earlier today JTAC (#2013-1231-0033) and JTAC asked SIRT for tool to
> read BIOS and output SHA2 or SHA3 hash, and such tool does not exist yet.  I'm
> dubious, it might be possible even with existing tools. At least it's possible
> to reflash the BIOS with stock JunOS, as a lot of us had to do due to
> misformatted SSD disks.
> But fully agreed some of these sanity checks should be added, it's not a cure
> all, maybe the attack changes the answers before showing them, maybe the BIOS
> comes infected from Juniper or from Kontron. But it would create an additional
> barrier.
>
> I also emailed Kontron and told them it would be prudent for them to do a press
> release also. Just to know what their public/official statement is.

Most of the vendors (I think Cisco/Juniper) have many of their staff out on vacation this week.  I believe both are doing the "mandatory shutdown" or similar that I've seen other folks do around this season.  Arbor Networks did something similar as well this year.

If you are looking at your hardware, you can get inexpensive flash readers/writers out there.  I have one I use when doing low-level hardware work.

There are also tools for your servers (e.g. flashrom) which are available in your favorite repos/ports/elsewhere and work on Linux/FreeBSD/others.

You can typically use this to read/checksum your BIOS quickly on supported hardware.  I'm sure they would love to have the efforts that have gone into this e-mail thread followed up with hardware/research/contributions to improve the software.

It shouldn't be too hard for you to read your BIOS and load it into IDA Pro or similar to perform checks.

- Jared
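As an added example that is not part of this thread, the kind of check Jared describes as a POSIX shell script: dump the flash with flashrom, read it twice to catch unstable dumps, and compare the SHA-256 against a hash recorded earlier from a stock image. The programmer name, file paths and baseline file format are assumptions, and Saku's caveat still applies: a reader running on the box itself can be lied to, which is where an external flash reader helps.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: flashrom is installed, the
# "internal" programmer can read this host's flash, and bios.sha256 holds one
# line "<sha256>  <label>" recorded from a trusted stock image.
set -u

PROGRAMMER="${PROGRAMMER:-internal}"   # flashrom programmer to use
BASELINE="${BASELINE:-bios.sha256}"    # known-good hash of the stock image

# Print the SHA-256 of a file; sha256sum on Linux, openssl on BSD systems.
hash_image() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Read the flash twice into separate files. Two differing reads mean the dump
# itself cannot be trusted (flaky programmer, contention with running firmware).
dump_bios() {
    flashrom -p "$PROGRAMMER" -r "$1" >/dev/null &&
    flashrom -p "$PROGRAMMER" -r "$2" >/dev/null &&
    cmp -s "$1" "$2"
}

# Compare an image's hash with the baseline file; 0 on match, 1 on mismatch.
verify_image() {
    img="$1"; base="$2"
    expected=$(awk 'NR==1{print $1}' "$base")
    actual=$(hash_image "$img")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

main() {
    dump_bios bios-a.bin bios-b.bin || { echo "unstable or failed read"; exit 2; }
    if verify_image bios-a.bin "$BASELINE"; then
        echo "BIOS matches baseline ($(hash_image bios-a.bin))"
    else
        echo "BIOS DOES NOT match baseline: $(hash_image bios-a.bin)"; exit 1
    fi
}

# Only touch the hardware when explicitly asked (RUN_CHECK=1 ./bioscheck.sh).
if [ "${RUN_CHECK:-0}" = 1 ]; then main; fi
```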
