nanog mailing list archives

Re: NSA able to compromise Cisco, Juniper, Huawei switches


From: Enno Rey <erey () ernw de>
Date: Tue, 31 Dec 2013 18:49:11 +0100

Hi,

some approaches were discussed in 2010, by Graeme Neilson from NZ here:

https://www.troopers.de/wp-content/uploads/2012/10/TROOPERS10_Netscreen_of_the_Dead_Graeme_Neilson.pdf

In a later year, at the same conference, he gave a private session demonstrating basically the same stuff for JunOS, as ongoing (and, at the time, non-public) research.

happy NYE to everybody

Enno

On Tue, Dec 31, 2013 at 06:50:11PM +0200, Saku Ytti wrote:
On (2013-12-31 09:03 -0600), Leo Bicknell wrote:

If I were Cisco/Juniper/et al. I would have a team working on this right now.
It should be trivial for them to insert code into the routers that say, 
hashes all sorts of things (code image, BIOS, any PROMs and EEPROMs and
such on the linecards) and submits all of those signatures back.  Any

I asked JTAC earlier today (#2013-1231-0033), and JTAC asked SIRT for a tool to
read the BIOS and output a SHA2 or SHA3 hash; such a tool does not exist yet. I'm
dubious; it might be possible even with existing tools. At least it's possible
to reflash the BIOS with stock JunOS, as a lot of us had to do due to
misformatted SSD disks.
But fully agreed, some of these sanity checks should be added. It's not a cure-all:
maybe the attack changes the answers before showing them, maybe the BIOS
comes infected from Juniper or from Kontron. But it would create an additional
barrier.

I also emailed Kontron and told them it would be prudent for them to do a press
release as well, just to know what their public/official statement is.

I also wonder how this will change engineering going forward.  Maybe the
BIOS should be a ROM chip, not an EEPROM again.  Maybe the write line needs
to be run through a physical jumper on the motherboard that is normally
not present.

We can take a page from the XBOX360, which is designed to be resistant against attack
with physical access. The key idea is to use PKI and hide the key in a place
where it's difficult to recover; namely, if it's inside a modern-lithography CPU
in read-only, it's just a financially unviable vector. MS just goofed and forgot
to sign the DVD firmware.

Why do we accept our devices, be it a PC or a router, can be "persistently"
infected.  The hardware industry needs to do better.

I'm still taking all these revelations with a grain of salt until a real
specimen is dissected.

-- 
  ++ytti


-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================
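The "hash everything and compare" check that the thread asks the vendors for, written out as an added example (not code from any of the posters, Juniper or Kontron). It assumes the firmware dumps (BIOS, loader, line-card EEPROM) have already been read out-of-band, e.g. with an external flash programmer, into byte strings, because of the caveat raised above: a compromised image can change the answers before showing them, so a hash reported by the running device proves little. The component names, the images and the vendor manifest are all constructed for illustration; the manifest follows the familiar sha256sum-style line format.

```python
"""Firmware hash inventory check (added example; all data below is constructed).

Reads nothing from hardware itself: it takes firmware blobs that were dumped
out-of-band and compares them to a vendor-published manifest, reporting per
component whether the hash matches, differs, is missing, or is unlisted.
"""
import hashlib
from typing import Dict, Tuple

OK, MISMATCH, UNLISTED, MISSING = "ok", "MISMATCH", "UNLISTED", "MISSING"


def firmware_hash(blob: bytes, algo: str = "sha256") -> str:
    """Hex digest of a firmware blob; 'sha256' or 'sha3_256' as the thread suggests."""
    h = hashlib.new(algo)
    h.update(blob)
    return h.hexdigest()


def manifest_line(component: str, blob: bytes, algo: str = "sha256") -> str:
    """One manifest line in the form '<algo> <hexdigest>  <component>'."""
    return f"{algo} {firmware_hash(blob, algo)}  {component}"


def parse_manifest(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse manifest text into {component: (algo, hexdigest)}; '#' starts a comment."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        algo, digest, component = line.split(None, 2)
        entries[component] = (algo.lower(), digest.lower())
    return entries


def verify_dumps(dumps: Dict[str, bytes], manifest: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Compare each dumped component against the manifest.

    Verdicts: ok, MISMATCH (content differs), UNLISTED (dumped but the vendor
    published no reference), MISSING (vendor lists it but nothing was dumped).
    """
    verdicts = {}
    for component, blob in dumps.items():
        if component not in manifest:
            verdicts[component] = UNLISTED
            continue
        algo, expected = manifest[component]
        verdicts[component] = OK if firmware_hash(blob, algo) == expected else MISMATCH
    for component in manifest:
        if component not in dumps:
            verdicts[component] = MISSING
    return verdicts


# Constructed "known good" images, stand-ins for a real BIOS, boot loader and
# line-card EEPROM, and a constructed vendor manifest built from them.
GOOD_IMAGES = {
    "bios.bin": b"\xf0" * 64 + b"BIOS v1.2 stub",
    "loader.bin": b"LOADER" + bytes(range(32)),
    "lc0-eeprom.bin": bytes(range(256)),
}
VENDOR_MANIFEST = "\n".join(
    ["# constructed vendor manifest, sha256sum-style lines"]
    + [manifest_line(name, blob, "sha256") for name, blob in GOOD_IMAGES.items()]
)


def tamper(blob: bytes, offset: int = 0) -> bytes:
    """Flip one bit, simulating a modified flash image."""
    b = bytearray(blob)
    b[offset] ^= 0x01
    return bytes(b)


def audit_tampered_bios() -> Dict[str, str]:
    """Scenario: the BIOS dump was modified, the line-card EEPROM was never
    dumped, and an extra component shows up that the vendor has no hash for."""
    dumps = {
        "bios.bin": tamper(GOOD_IMAGES["bios.bin"]),
        "loader.bin": GOOD_IMAGES["loader.bin"],
        "bmc.bin": b"constructed unlisted firmware",
    }
    return verify_dumps(dumps, parse_manifest(VENDOR_MANIFEST))


if __name__ == "__main__":
    for component, verdict in sorted(audit_tampered_bios().items()):
        print(f"{component:16} {verdict}")
```

The MISSING and UNLISTED verdicts matter as much as MISMATCH: a component the vendor never published a reference for cannot be checked at all, and one that was not dumped is exactly where an implant would sit unnoticed. Swapping "sha256" for "sha3_256" in the manifest lines changes nothing else, which is why the algorithm is carried per line.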

