[LINK] What's Behind the Huawei Fracas

Kim Holburn kim at holburn.net
Wed Mar 28 22:03:30 AEDT 2012


On 2012/Mar/28, at 8:55 PM, Richard Chirgwin wrote:

> On 28/03/12 8:24 PM, Richard Archer wrote:
>> On 28/03/12 5:56 PM, Richard Chirgwin wrote:
>> 
>>> Consider - to snoop on the NBN the Ethernet-over-fibre kit needs to
>>> accomplish the following without detection by the operator:
>>> 
>>> 1. Extract the data from the Ethernet frames,
>>> 2. Decide what's interesting and what's not, and
>>> 3. Send interesting stuff back to China.
>> I think that might be a bit naive.
>> 
>> If I was designing such a beast, I'd have it watch for control commands
>> passing through the device as normal traffic.
>> 
>> So all you would need to control the device is an IP or even digital
>> voice connection which passes through it. Such commands could be used to
>> instruct the device to do whatever you've designed into it.
> Except that the NBN switch won't have an "IP" or "voice" connection; by 
> the time it reaches the NBN, it will be Ethernet frames.

I can think of a number of ways the underlying switches could get messages out, most of them out of band. An ISP might use Huawei routers or anyone had a device that could relay, even a powned Windows box.

But hey, most of our computing and networking equipment is made in China.

> In-band management of an Ethernet switch exists, but if you're outside 
> of the network, you need to find a way to get a router to turn an IP 
> packet into a suitable Ethernet frame - and, since the routers will be 
> out of NBN Co's control, you have to create some kind of "poison 
> packet", which, when turned into an Ethernet frame, is interpreted as 
> the Ethernet management frame.
> 
> Then, the switch has to return the information as a frame which the 
> router will interpret as "This is a Phone Home packet" and route 
> accordingly.
> 
> I don't say "impossible". What I do think is "unlikely to be 
> unobservable to the owner of the kit, when those owners are trained 
> network engineers, not home punters".
>> 
>> The device would then act on these commands and inject the responses
>> into the control stream.
>> 
>> Your machine on the end of the link could then store/analyse the
>> collected data. It would be this machine which would send the collected
>> data "home".
>> 
>> I doubt there'd be any way to easily tell the device was doing anything
>> untoward. You would have to checksum all data streams into and out of
>> the device and make sure they hadn't been modified in transit.
>> 
>> As for deciding what's interesting and what's not... I expect this is
>> something the experts in this field would have no trouble with.
>> Especially if the code running on the device was upgradeable on the fly.
> Here, I suspect that what I call "spook PR" outruns what's "easy" or 
> even "doable".
> 
> You have to bury this code without arousing suspicions:
> - "Why does this device have a processor twice the size of all its 
> competitors, for no extra performance?"
> - "How come it's got so much more memory, for no extra performance?"
> - "Why are you overloading processing power and memory, but still 
> delivering cheaper, even though both products come from the same Foxconn 
> factory?"
> 
> All of this also presumes that no amount of reverse-engineering would 
> reveal any anomalous behaviour.
> 
> If someone said "we don't like the NBN's commercial status being 
> beholden to Chinese state decisions", I can believe and understand it. 
> But the more I think about it, the more the "secret hacker backdoor" 
> theory sounds like a smokescreen.
> 
> RC
>> 
>> ...Richard.
>> 
>> 
>> _______________________________________________
>> Link mailing list
>> Link at mailman.anu.edu.au
>> http://mailman.anu.edu.au/mailman/listinfo/link
>> 
> 

-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request 
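
The check raised in the quoted discussion (checksum every data stream into and out of the device and confirm nothing was modified in transit), as an added example that is not part of the original thread. It assumes passive taps on both sides of a pure layer-2 forwarding device that should not alter frames, captures without the FCS, and constructed sample frames; all function names are hypothetical.

```python
import hashlib
from collections import Counter

def frame_digest(frame: bytes) -> str:
    """SHA-256 over the whole captured frame (header + payload)."""
    return hashlib.sha256(frame).hexdigest()

def _unmatched(frames, other_frames):
    """Frames with no byte-identical partner on the other tap (multiset match)."""
    remaining = Counter(frame_digest(f) for f in other_frames)
    out = []
    for f in frames:
        d = frame_digest(f)
        if remaining[d] > 0:
            remaining[d] -= 1      # consume one matching copy
        else:
            out.append(f)
    return out

def compare_taps(ingress, egress):
    """Classify differences between what entered and what left the device."""
    dropped = _unmatched(ingress, egress)
    extra = _unmatched(egress, ingress)
    modified, injected = [], []
    for f in extra:
        # Same 14-byte Ethernet header (dst, src, EtherType) but different
        # bytes after it: treat as an in-transit modification of that frame.
        match = next((d for d in dropped if d[:14] == f[:14]), None)
        if match is not None:
            dropped.remove(match)
            modified.append((match, f))
        else:
            injected.append(f)     # left the device but never entered it
    return {"modified": modified, "injected": injected, "dropped": dropped}

def eth(dst, src, ethertype, payload):
    """Build a constructed Ethernet II frame for the sample data."""
    return bytes.fromhex(dst) + bytes.fromhex(src) + ethertype.to_bytes(2, "big") + payload

# Constructed sample captures (locally administered MACs, not real traffic).
A, B, X = "020000000001", "020000000002", "0200000000ff"
INGRESS = [eth(B, A, 0x0800, b"hello"), eth(A, B, 0x0800, b"reply"),
           eth(B, A, 0x0800, b"bye")]
EGRESS = [eth(B, A, 0x0800, b"hello"), eth(A, B, 0x0800, b"reply+extra"),
          eth(B, A, 0x0800, b"bye"), eth(X, A, 0x88B5, b"unexpected")]

if __name__ == "__main__":
    for kind, items in compare_taps(INGRESS, EGRESS).items():
        print(kind, len(items))
```

A device that legitimately rewrites frames (VLAN tagging, for example) would need those fields normalised before hashing, otherwise every frame is reported as modified.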






