Backdoor in Zyxel Firewalls and Gateways

This is bad:

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.

[…]

Installing patches removes the backdoor account, which, according to Eye Control researchers, uses the “zyfwp” username and the “PrOw!aN_fXp” password.

“The plaintext password was visible in one of the binaries on the system,” the Dutch researchers said in a report published before the Christmas 2020 holiday.
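A defender's version of what the Eye Control researchers did: pull the printable strings out of a firmware image and flag known backdoor account names and password-shaped strings sitting next to them. This is an added example, not code from the report or from Zyxel; the firmware blob is constructed inline (a fake ELF header plus NUL-terminated strings, with a made-up password-shaped string), and the only real indicator it carries is the "zyfwp" account name quoted above.

```python
import string

# Printable ASCII minus whitespace controls: the bytes the `strings` tool keeps.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")

# Constructed stand-in for a firmware blob, NOT a real Zyxel image: a fake ELF
# header, a few code bytes, and NUL-terminated strings. "zyfwp" is the account
# name from the Eye Control report; "Xk9!qLm_4Rz" is a made-up password-shaped
# string used only to show the heuristic firing.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"/usr/sbin/sshd\x00"
    + b"zyfwp\x00"
    + b"Xk9!qLm_4Rz\x00"
    + b"\x90\x90\xcc\xcc"
    + b"admin\x00"
    + b"Enter password:\x00"
    + b"GET /cgi-bin/login HTTP/1.1\x00"
)

# Indicator of an unpatched image: the account name reported by Eye Control.
KNOWN_BACKDOOR_ACCOUNTS = {"zyfwp"}


def extract_strings(blob: bytes, min_len: int = 4):
    """Return (offset, text) for each run of printable ASCII of >= min_len bytes."""
    found, start = [], None
    for i, b in enumerate(blob):
        if b in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            found.append((start, blob[start:i].decode("ascii")))
        start = None
    if start is not None and len(blob) - start >= min_len:
        found.append((start, blob[start:].decode("ascii")))
    return found


def looks_like_secret(s: str) -> bool:
    """Heuristic for an embedded password: 8+ chars, no whitespace, not a path
    or URL, and at least three of {lower, upper, digit, punctuation}."""
    if len(s) < 8 or any(c.isspace() for c in s) or "/" in s:
        return False
    classes = [
        any(c.islower() for c in s),
        any(c.isupper() for c in s),
        any(c.isdigit() for c in s),
        any(c in string.punctuation for c in s),
    ]
    return sum(classes) >= 3


def scan_firmware(blob: bytes, known_accounts=KNOWN_BACKDOOR_ACCOUNTS):
    """Flag known backdoor account names, any password-shaped string that
    immediately follows one (a credential pair stored side by side), and
    password-shaped strings anywhere else in the image."""
    strs = extract_strings(blob)
    findings, seen = [], set()

    def report(off, s, reason):
        if off not in seen:
            seen.add(off)
            findings.append({"offset": off, "string": s, "reason": reason})

    for i, (off, s) in enumerate(strs):
        if s in known_accounts:
            report(off, s, "known backdoor account name")
            if i + 1 < len(strs) and looks_like_secret(strs[i + 1][1]):
                report(strs[i + 1][0], strs[i + 1][1],
                       "password-like string adjacent to account name")
        elif looks_like_secret(s):
            report(off, s, "password-like string")
    return findings


if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_FIRMWARE):
        print(f"0x{f['offset']:06x}  {f['reason']:45s}  {f['string']}")
```

On a real image you would run `scan_firmware` over each extracted binary rather than the whole flash dump, since compressed or encrypted sections hide strings; the heuristic is deliberately noisy and is meant as a triage list, not a verdict.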

The NSA is Refusing to Disclose its Policy on Backdooring Commercial Products

Senator Ron Wyden asked, and the NSA didn’t answer:

The NSA has long sought agreements with technology companies under which they would build special access for the spy agency into their products, according to disclosures by former NSA contractor Edward Snowden and reporting by Reuters and others.

These so-called back doors enable the NSA and other agencies to scan large amounts of traffic without a warrant. Agency advocates say the practice has eased collection of vital intelligence in other countries, including interception of terrorist communications.

The agency developed new rules for such practices after the Snowden leaks in order to reduce the chances of exposure and compromise, three former intelligence officials told Reuters. But aides to Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee, say the NSA has stonewalled on providing even the gist of the new guidelines.

[…]

The agency declined to say how it had updated its policies on obtaining special access to commercial products. NSA officials said the agency has been rebuilding trust with the private sector through such measures as offering warnings about software flaws.

“At NSA, it’s common practice to constantly assess processes to identify and determine best practices,” said Anne Neuberger, who heads NSA’s year-old Cybersecurity Directorate. “We don’t share specific processes and procedures.”

Three former senior intelligence agency figures told Reuters that the NSA now requires that before a back door is sought, the agency must weigh the potential fallout and arrange for some kind of warning if the back door gets discovered and manipulated by adversaries.

The article goes on to talk about Juniper Networks equipment, which had the NSA-created DUAL_EC PRNG backdoor in its products. That backdoor was taken advantage of by an unnamed foreign adversary.

Juniper Networks got into hot water over Dual EC two years later. At the end of 2015, the maker of internet switches disclosed that it had detected malicious code in some firewall products. Researchers later determined that hackers had turned the firewalls into their own spy tool by altering Juniper’s version of Dual EC.

Juniper said little about the incident. But the company acknowledged to security researcher Andy Isaacson in 2016 that it had installed Dual EC as part of a “customer requirement,” according to a previously undisclosed contemporaneous message seen by Reuters. Isaacson and other researchers believe that customer was a U.S. government agency, since only the U.S. is known to have insisted on Dual EC elsewhere.

Juniper has never identified the customer, and declined to comment for this story.

Likewise, the company never identified the hackers. But two people familiar with the case told Reuters that investigators concluded the Chinese government was behind it. They declined to detail the evidence they used.

Okay, lots of unsubstantiated claims and innuendo here. And Neuberger is right; the NSA shouldn’t share specific processes and procedures. But as long as this is a democratic country, the NSA has an obligation to disclose its general processes and procedures so we all know what they’re doing in our name. And if it’s still putting surveillance ahead of security.

Undocumented backdoor that covertly takes snapshots found in kids’ smartwatch


A popular smartwatch designed exclusively for children contains an undocumented backdoor that makes it possible for someone to remotely capture camera snapshots, wiretap voice calls, and track locations in real time, a researcher said.

The X4 smartwatch is marketed by Xplora, a Norway-based seller of children’s watches. The device, which sells for about $200, runs on Android and offers a range of capabilities, including the ability to make and receive voice calls to parent-approved numbers and to send an SOS broadcast that alerts emergency contacts to the location of the watch. A separate app that runs on the smartphones of parents allows them to control how the watches are used and receive warnings when a child has strayed beyond a preset geographic boundary.

But that’s not all

It turns out that the X4 contains something else: a backdoor that went undiscovered until some impressive digital sleuthing. The backdoor is activated by sending an encrypted text message. Harrison Sand, a researcher at Norwegian security company Mnemonic, said that commands exist for surreptitiously reporting the watch’s real-time location, taking a snapshot and sending it to an Xplora server, and making a phone call that transmits all sounds within earshot.

Sand also found that 19 of the apps that come pre-installed on the watch are developed by Qihoo 360, a security company and app maker located in China. A Qihoo 360 subsidiary, 360 Kids Guard, also jointly designed the X4 with Xplora and manufactures the watch hardware.

“I wouldn’t want that kind of functionality in a device produced by a company like that,” Sand said, referring to the backdoor and Qihoo 360.

In June, Qihoo 360 was placed on a US Commerce Department sanctions list. The rationale: ties to the Chinese government made the company likely to engage in “activities contrary to the national security or foreign policy interests of the United States.” Qihoo 360 declined to comment for this post.

Patch on the way

The existence of an undocumented backdoor in a watch from a country with a known record of espionage hacks is concerning. At the same time, this particular backdoor has limited applicability. To make use of the functions, someone would need to know both the phone number assigned to the watch (it has a slot for a SIM card from a mobile phone carrier) and the unique encryption key hardwired into each device.

In a statement, Xplora said obtaining both the key and phone number for a given watch would be difficult. The company also said that even if the backdoor was activated, obtaining any collected data would be hard, too. The statement read:

We want to thank you for bringing a potential risk to our attention. Mnemonic is not providing any information beyond that they sent you the report. We take any potential security flaw extremely seriously.

It is important to note that the scenario the researchers created requires physical access to the X4 watch and specialized tools to secure the watch’s encryption key. It also requires the watch’s private phone number. The phone number for every Xplora watch is determined when it is activated by the parents with a carrier, so no one involved in the manufacturing process would have access to it to duplicate the scenario the researchers created.

As the researchers made clear, even if someone with physical access to the watch and the skill to send an encrypted SMS activates this potential flaw, the snapshot photo is only uploaded to Xplora’s server in Germany and is not accessible to third parties. The server is located in a highly-secure Amazon Web Services environment.

Only two Xplora employees have access to the secure database where customer information is stored and all access to that database is tracked and logged.

This issue the testers identified was based on a remote snapshot feature included in initial internal prototype watches for a potential feature that could be activated by parents after a child pushes an SOS emergency button. We removed the functionality for all commercial models due to privacy concerns. The researcher found some of the code was not completely eliminated from the firmware.

Since being alerted, we have developed a patch for the Xplora 4, which is not available for sale in the US, to address the issue and will push it out prior to 8:00 a.m. CET on October 9. We conducted an extensive audit since we were notified and have found no evidence of the security flaw being used outside of the Mnemonic testing.

The spokesman said the company has sold about 100,000 X4 smartwatches to date. The company is in the process of rolling out the X5. It’s not yet clear if it contains similar backdoor functionality.

Heroic measures

Sand discovered the backdoor through some impressive reverse engineering. He started with a modified USB cable that he soldered onto pins exposed on the back of the watch. Using an interface for updating the device firmware, he was able to download the existing firmware off the watch. This allowed him to inspect the insides of the watch, including the apps and other various code packages that were installed.

A modified USB cable attached to the back of an X4 watch. (Photo: Mnemonic)

One package that stood out was titled “Persistent Connection Service.” It starts as soon as the device is turned on and iterates through all the installed applications. As it queries each application, it builds a list of intents—or messaging frameworks—it can call to communicate with each app.

Sand’s suspicions were further aroused when he found intents with the following names:

  • WIRETAP_INCOMING
  • WIRETAP_BY_CALL_BACK
  • COMMAND_LOG_UPLOAD
  • REMOTE_SNAPSHOT
  • SEND_SMS_LOCATION

After more poking around, Sand figured out the intents were activated using SMS text messages that were encrypted with the hardwired key. System logs showed him that the key was stored on a flash chip, so he dumped the contents and obtained it—“#hml;Fy/sQ9z5MDI=$” (quotation marks not included). Reverse engineering also allowed the researcher to figure out the syntax required to activate the remote snapshot function.
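The static-analysis side of this sort of review can be automated: once the firmware is unpacked, each app's manifest lists the components it registers and the intent actions they respond to, so a reviewer can flag surveillance-style action names and any receiver that listens for incoming SMS (the trigger channel described above). This is an added example and not Mnemonic's tooling; the manifest is constructed (the package name `com.example.persistentconn` and component names are made up), and the watchlist terms are taken from the intent names listed above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = f"{{{ANDROID_NS}}}name"
AEXPORTED = f"{{{ANDROID_NS}}}exported"

# Substrings matching the intent names reported on the X4.
SUSPICIOUS_ACTION_TERMS = ("WIRETAP", "SNAPSHOT", "LOG_UPLOAD", "SMS_LOCATION")
# Real Android broadcast that lets an app see incoming SMS text.
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest (package and component names are hypothetical).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.persistentconn">
  <application>
    <receiver android:name=".SmsTrigger" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".CommandService" android:exported="false">
      <intent-filter>
        <action android:name="com.example.persistentconn.WIRETAP_INCOMING"/>
        <action android:name="com.example.persistentconn.REMOTE_SNAPSHOT"/>
        <action android:name="com.example.persistentconn.SYNC_CONTACTS"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def audit_manifest(xml_text: str):
    """Walk every service/receiver/activity and report intent actions that
    either look like remote-control commands or subscribe to incoming SMS."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []
    for comp in root.iter():
        if comp.tag not in ("service", "receiver", "activity"):
            continue
        comp_name = comp.get(ANAME, "")
        exported = comp.get(AEXPORTED, "unspecified")
        for action in comp.iter("action"):
            act = action.get(ANAME, "")
            if act == SMS_RECEIVED:
                reason = "receives incoming SMS (possible remote trigger channel)"
            elif any(t in act.upper() for t in SUSPICIOUS_ACTION_TERMS):
                reason = "surveillance-style intent name"
            else:
                continue
            findings.append({
                "package": package,
                "component": comp_name,
                "exported": exported,
                "action": act,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"{f['component']:18s} exported={f['exported']:12s} {f['action']}  <- {f['reason']}")
```

Name matching is only a first pass: a backdoor author can rename actions to something bland, so the SMS-receiver check (which looks at what the component can do rather than what it is called) is the more durable of the two signals.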

“Sending the SMS triggered a picture to be taken on the watch, and it was immediately uploaded to Xplora’s server,” Sand wrote. “There was zero indication on the watch that a photo was taken. The screen remained off the entire time.”

Sand said he didn’t activate the functions for wiretapping or reporting locations, but with additional time, he said, he’s confident he could have.

As both Sand and Xplora note, exploiting this backdoor would be difficult, since it requires knowledge of both the unique factory-set encryption key and the phone number assigned to the watch. For that reason, there’s no reason for people who own a vulnerable device to panic.

Still, it’s not beyond the realm of possibility that the key could be obtained by someone with ties to the manufacturer. And while phone numbers aren’t usually published, they’re not exactly private, either.

The backdoor underscores the kinds of risks posed by the increasing number of everyday devices that run on firmware that can’t be independently inspected without the kinds of heroic measures employed by Sand. While the chances of this particular backdoor being used are low, people who own an X4 would do well to ensure their device installs the patch as soon as practical.

Tech firms “can and must” put backdoors in encryption, AG Barr says

Graffiti urging people to use Signal, a highly encrypted messaging app, is spray-painted on a wall during a protest on February 1, 2017 in Berkeley, California. (Photo: Elijah Nouvelage | Getty Images)

US Attorney General William Barr today launched a new front in the feds’ ongoing fight against consumer encryption, railing against the common security practice and lamenting the “victims” in its wake.

“The deployment of warrant-proof encryption is already imposing huge costs on society,” Barr claimed in remarks at a cybersecurity conference held at Fordham University Tuesday morning. Barr added that encryption “seriously degrades” law enforcement’s ability to “detect and prevent a crime before it occurs,” as well as making eventual investigation and prosecution of crime more difficult.

The existence of encryption means “converting the Internet and communications into a law-free zone” that criminals will happily take advantage of to do more crimes, Barr added, likening it to a neighborhood that local cops have abandoned.

The cost of encryption, he said, is measured in “victims” who might have been saved from crime if law enforcement had been able to lawfully intercept communications earlier.

He also accused tech firms of “dogmatic” posturing, saying lawful backdoor access “can be and must be” done, adding, “We are confident that there are technical solutions that will allow lawful access to encrypted data and communications by law enforcement, without materially weakening the security provided by encryption.”

A long-running battle

In his diatribe, Barr is only picking up where predecessors left off. In 2017, then-deputy AG Rod Rosenstein said in an interview that the tech community’s “absolutist position” on strong encryption impeded law enforcement and was “unreasonable.”

Federal law enforcement has been in a very public encryption face-off with consumer electronics companies, particularly Apple, since 2016.

In December, 2015, a gunman killed and seriously injured dozens of victims in an attack in San Bernardino, California. The FBI ended up in possession of the shooter’s iPhone during the investigation but was unable to unlock the device, as the attacker had been killed and therefore could not be compelled to share his PIN.

The FBI demanded Apple cooperate in unlocking the phone by building a backdoor, and the company effectively told the feds to go pound sand. (The FBI eventually accessed the phone without Apple’s help.)

The relationship between the FBI and companies such as Apple that promote encryption has remained frosty ever since. Last year, an FBI official called Apple “jerks” about encryption, accusing the company of an “evil genius” approach to thwarting law enforcement.

“Responsible” backdoors

Rosenstein proposed a so-called “responsible encryption” scheme back in 2017, a call Barr echoed.

“I am suggesting that it is well past time for some in the tech community to abandon the posture that a technical solution is not worth exploring and instead turn their considerable talent to developing products that will reconcile good cyber security to the imperative of public safety and national security,” Barr said.

FBI Director Christopher Wray said last year that developing a process for allowing government officials lawful entry into encrypted communications would “entail varying degrees of innovation by the industry,” but he said he didn’t “buy the claim that it’s impossible.”

But no matter how many times government officials try to will such an option into existence, what they claim to want isn’t actually possible. Security experts and product makers have said time and time again that introducing a backdoor—an access portal for a specific entity to gain access through—into an encryption scheme weakens the whole thing.

Apple CEO Tim Cook has repeatedly said consumer privacy is of paramount importance to his company and that it’s in “everyone’s best interest” for everyone to be “blocked out,” with no secret backdoors.

Senator Ron Wyden (D-Ore.) in a 2018 letter to Wray (PDF) said the quest for a way in to encrypted communications amounts to “a flawed policy that would harm America’s security, liberty, and our economy.”

“Building secure software is extremely difficult,” Wyden added, “and vulnerabilities are often introduced inadvertently in the design process. Eliminating these vulnerabilities is a mammoth task, and experts are unified in their opinion that introducing deliberate vulnerabilities would likely create catastrophic unintended consequences that could debilitate software functionality and security entirely.”

Bloomberg alleges Huawei routers and network gear are backdoored

PORTUGAL – 2019/03/04: 5G logo is seen on an Android mobile phone with the Huawei logo in the background.

Vodafone, the largest mobile network operator in Europe, found backdoors in Huawei equipment between 2009 and 2011, reports Bloomberg. With these backdoors, Huawei could have gained unauthorized access to Vodafone’s “fixed-line network in Italy.” But Vodafone disagrees, saying that while it did discover some security vulnerabilities in Huawei equipment, these were fixed by Huawei and in any case were not remotely accessible, and hence they could not be used by Huawei.

Bloomberg’s claims are based on Vodafone’s internal security documentation and “people involved in the situation.” Several different “backdoors” are described: unsecured telnet access to home routers, along with “backdoors” in optical service nodes (which connect last-mile distribution networks to optical backbone networks) and “broadband network gateways” (BNG) (which sit between broadband users and the backbone network, providing access control, authentication, and similar services).

In response to Bloomberg, Vodafone said that the router vulnerabilities were found and fixed in 2011 and the BNG flaws were found and fixed in 2012. While it has documentation about some optical service node vulnerabilities, Vodafone continued, it has no information about when they were fixed. Further, the network operator said that it has no evidence of issues outside Italy.

The sources speaking to Bloomberg contest this. They claim that the vulnerabilities persisted after 2012 and that the same flaws could be found in Vodafone-deployed Huawei equipment in the UK, Germany, Spain, and Portugal. In spite of this, Vodafone continued to buy equipment from the Chinese firm because it was so cost competitive.

The sources also claim that the story was not so simple as “Vodafone reports bug, Huawei fixes bug.” Vodafone Italy found that Huawei’s routers had unsecured telnet access, and the company told Huawei to remove it. Huawei told Vodafone that it had done so, but further examination of the routers found that telnet could be re-enabled. Vodafone told Huawei that Vodafone wanted it removed entirely, only to be told by Huawei that the company needed to keep it for testing and configuration.

The Bloomberg report doesn’t offer any detail on the other alleged “backdoors” in the gateways or service nodes.

When is a front door a backdoor?

The accuracy of Bloomberg’s report hinges on the distinction between a vulnerability and a backdoor. A vulnerability is an accidental coding error that permits unauthorized parties to access the router (or other hardware). A backdoor, in contrast, is a deliberately written piece of code that permits unauthorized parties to access the router. While a backdoor could be written such that it’s obvious that it’s a backdoor (for example, one could imagine an authentication system that allowed anyone to log in with the password “backdoor”), any competent backdoor will look either like a legitimate feature or an accidental coding error.

Telnet access, for example, is a common feature of home routers. Typically, the telnet interface gives greater control over the router’s behavior than is available through the Web-based configuration interface that these devices usually have. The telnet interface is also easier to automate, making it easier to preconfigure the devices so that they’re properly set up for a particular ISP’s network. Even Huawei’s initial response to Vodafone’s request, which allowed users to re-enable the telnet service, isn’t out of the ordinary: it’s common for the Web front-ends to allow telnet to be turned off and on. Vodafone’s assertion that the telnet service wasn’t accessible from the Internet is also likely to be true; typically, these telnet services are only accessible from the local network side, not from the Internet IP address.
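Whether a management service like telnet is reachable only from the LAN side or also from the Internet side is something an operator can check directly from the device's listening sockets. As an added example (not Vodafone's audit procedure or any Huawei tooling), the following classifies each listener from a constructed `netstat -tln`-style table by the address it is bound to; the LAN address 192.168.1.1 and the WAN address 203.0.113.7 (a documentation range) are assumptions for the sample.

```python
import ipaddress

# Constructed listener table in `netstat -tln` layout, NOT output from a real
# Huawei or Vodafone device.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:23          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.7:22          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
"""

LAN_ADDRS = {"192.168.1.1"}   # assumed LAN-side address of the router
WAN_ADDRS = {"203.0.113.7"}   # assumed WAN-side address of the router
SERVICE_NAMES = {22: "ssh", 23: "telnet", 53: "dns", 80: "http", 443: "https"}
PLAINTEXT_MGMT = {23, 80}     # management protocols with no transport encryption


def parse_listeners(text: str):
    """Return (address, port) for each LISTEN row; the first line is the header."""
    out = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        out.append((addr, int(port)))
    return out


def exposure(addr: str, lan=LAN_ADDRS, wan=WAN_ADDRS) -> str:
    """Which side of the router can reach a socket bound to this address."""
    if addr in ("0.0.0.0", "::"):
        return "all"          # every interface, WAN included
    if ipaddress.ip_address(addr).is_loopback:
        return "loopback"
    if addr in wan:
        return "wan"
    if addr in lan:
        return "lan"
    return "unknown"


def assess(text: str, lan=LAN_ADDRS, wan=WAN_ADDRS):
    """Rate each listener: Internet-reachable services are high, plaintext
    management confined to the LAN is medium, loopback-only is low."""
    results = []
    for addr, port in parse_listeners(text):
        exp = exposure(addr, lan, wan)
        if exp in ("all", "wan"):
            risk = "high: reachable from the Internet side"
        elif exp == "lan" and port in PLAINTEXT_MGMT:
            risk = "medium: plaintext management on the LAN side"
        elif exp == "loopback":
            risk = "low: local only"
        else:
            risk = "low"
        results.append({
            "service": SERVICE_NAMES.get(port, str(port)),
            "port": port,
            "bound": addr,
            "exposure": exp,
            "risk": risk,
        })
    return results


if __name__ == "__main__":
    for r in assess(SAMPLE_NETSTAT):
        print(f"{r['service']:7s} {r['bound']:>15s}:{r['port']:<5d} {r['exposure']:9s} {r['risk']}")
```

The check only says where a socket is bound; a firewall rule on the WAN interface can still block a service bound to 0.0.0.0, so the table is best read alongside the device's filter rules, and a service that reappears after being "removed" (as with the re-enableable telnet described above) will show up here on the next run.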

As such, Vodafone and Huawei’s posture that this isn’t a backdoor at all is entirely defensible, and Huawei has done nothing that’s particularly out of the ordinary. This is not to say that the hardware is not backdoored—routers with unauthenticated remote access or bypassable authentication have been found in the past and are likely to be found in the future, too. But there’s no indication that these particular Huawei issues are an attempt to backdoor the routers, and nothing in the Bloomberg report corroborates this specific claim.

What there is, however, is a concern fueled by the US government that Huawei wishes to compromise or undermine networks and systems belonging to the US and Europe, as well as a concern that the company tries to unlawfully use intellectual property taken from Western countries. Among Chinese firms, Huawei is viewed with particular suspicion due to its ties to the Chinese military.

Huawei’s CFO was arrested in Canada on behalf of the United States, which says that Huawei has violated the US sanctions against Iran, and the company has also been indicted for stealing robotic phone-testing technology from T-Mobile. The US government has pressured domestic companies to not buy or sell Huawei hardware, and more broadly, the US has pushed its allies to avoid Huawei network hardware. Examination of Huawei’s firmware and software by the UK government has revealed a generally shoddy approach to security, but these problems appear to be buggy code that was carelessly written and leaves systems hackable rather than deliberate insertion of backdoors.

This pressure is particularly acute when it comes to deploying 5G networks. Huawei’s 4G hardware is already widely deployed in Europe, and Huawei’s 5G hardware is aggressively priced and seen as critical to the timely deployment of 5G infrastructure in Europe. Vodafone, for its part, continued to buy Huawei gear until January of this year; further purchases have been paused because of the concerns about the company.