[LINK] What's Behind the Huawei Fracas
kim at holburn.net
Wed Mar 28 22:03:30 EST 2012
On 2012/Mar/28, at 8:55 PM, Richard Chirgwin wrote:
> On 28/03/12 8:24 PM, Richard Archer wrote:
>> On 28/03/12 5:56 PM, Richard Chirgwin wrote:
>>> Consider - to snoop on the NBN the Ethernet-over-fibre kit needs to
>>> accomplish the following without detection by the operator:
>>> 1. Extract the data from the Ethernet frames,
>>> 2. Decide what's interesting and what's not, and
>>> 3. Send interesting stuff back to China.
>> I think that might be a bit naive.
>> If I was designing such a beast, I'd have it watch for control commands
>> passing through the device as normal traffic.
>> So all you would need to control the device is an IP or even digital
>> voice connection which passes through it. Such commands could be used to
>> instruct the device to do whatever you've designed into it.
> Except that the NBN switch won't have an "IP" or "voice" connection; by
> the time it reaches the NBN, it will be Ethernet frames.
I can think of a number of ways the underlying switches could get messages out, most of them out of band. An ISP might use Huawei routers, or anyone might have a device that could relay, even a pwned Windows box.
But hey, most of our computing and networking equipment is made in China.
> In-band management of an Ethernet switch exists, but if you're outside
> of the network, you need to find a way to get a router to turn an IP
> packet into a suitable Ethernet frame - and, since the routers will be
> out of NBN Co's control, you have to create some kind of "poison
> packet", which, when turned into an Ethernet frame, is interpreted as
> the Ethernet management frame.
> Then, the switch has to return the information as a frame which the
> router will interpret as "This is a Phone Home packet" and route
> I don't say "impossible". What I do think is "unlikely to be
> unobservable to the owner of the kit, when those owners are trained
> network engineers, not home punters".
>> The device would then act on these commands and inject the responses
>> into the control stream.
>> Your machine on the end of the link could then store/analyse the
>> collected data. It would be this machine which would send the collected
>> data "home".
>> I doubt there'd be any way to easily tell the device was doing anything
>> untoward. You would have to checksum all data streams into and out of
>> the device and make sure they hadn't been modified in transit.
>> As for deciding what's interesting and what's not... I expect this is
>> something the experts in this field would have no trouble with.
>> Especially if the code running on the device was upgradeable on the fly.
> Here, I suspect that what I call "spook PR" outruns what's "easy" or
> even "doable".
> You have to bury this code without arousing suspicions:
> - "Why does this device have a processor twice the size of all its
> competitors, for no extra performance?"
> - "How come it's got so much more memory, for no extra performance?"
> - "Why are you overloading processing power and memory, but still
> delivering cheaper, even though both products come from the same Foxconn
> All of this also presumes that no amount of reverse-engineering would
> reveal any anomalous behaviour.
> If someone said "we don't like the NBN's commercial status being
> beholden to Chinese state decisions", I can believe and understand it.
> But the more I think about it, the more the "secret hacker backdoor"
> theory sounds like a smokescreen.
>> Link mailing list
>> Link at mailman.anu.edu.au
IT Network & Security Consultant
T: +61 2 61402408 M: +61 404072753
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
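One way to implement the ingress/egress comparison Richard Archer describes above ("checksum all data streams into and out of the device and make sure they hadn't been modified in transit"), as an added example that is not part of the thread: the frames and MAC addresses are constructed test data, and a real deployment would feed it captures taken from taps on both sides of the device.

```python
# Added example (not from the thread): reconcile frames captured on both
# sides of a switch to detect in-transit modification, drops or injection.
import hashlib
from collections import Counter

ETH_HDR_LEN = 14  # dst MAC (6) + src MAC (6) + EtherType (2)


def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet II frame (constructed test data, no FCS)."""
    return dst + src + ethertype.to_bytes(2, "big") + payload


def digest(frame: bytes) -> str:
    return hashlib.sha256(frame).hexdigest()


def reconcile(ingress: list[bytes], egress: list[bytes]) -> dict[str, int]:
    """Compare the multiset of frames entering the device with those leaving it.

    'matched': an identical copy was seen on both sides.
    Leftover frames are paired by Ethernet header: a header present on both
    sides with differing content is 'modified'; otherwise the frame was
    'dropped' (ingress only) or 'injected' (egress only).
    """
    frames = {digest(f): f for f in ingress + egress}   # digest -> frame
    in_c = Counter(digest(f) for f in ingress)
    out_c = Counter(digest(f) for f in egress)
    matched = sum((in_c & out_c).values())
    in_left = [frames[d] for d in (in_c - out_c).elements()]
    out_left = [frames[d] for d in (out_c - in_c).elements()]
    # Pair leftovers by header to tell a modified frame from a drop plus an inject.
    out_by_hdr = Counter(f[:ETH_HDR_LEN] for f in out_left)
    modified = 0
    for f in in_left:
        hdr = f[:ETH_HDR_LEN]
        if out_by_hdr[hdr] > 0:
            out_by_hdr[hdr] -= 1
            modified += 1
    return {"matched": matched, "modified": modified,
            "dropped": len(in_left) - modified, "injected": len(out_left) - modified}


# Constructed sample: locally administered MACs, three frames in, three out.
A, B, C = (bytes.fromhex(h) for h in ("0200000000aa", "0200000000bb", "0200000000cc"))
F1 = make_frame(B, A, 0x0800, b"payload one")
F2 = make_frame(B, A, 0x0800, b"payload two")
F3 = make_frame(A, B, 0x0800, b"payload three")
INGRESS = [F1, F2, F3]
EGRESS = [F1, make_frame(B, A, 0x0800, b"payload TWO"),   # F2 altered in transit
          make_frame(C, A, 0x0800, b"extra")]             # F3 dropped, new frame injected
```

The check only covers what leaves on the monitored ports; it says nothing about out-of-band channels of the kind Kim mentions earlier in the thread.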