Tuesday, 17 December 2013

The Internet Dark Age?

An anonymous article, "The Internet Dark Age", published on Cryptome alleges that BT and others have secretly installed back doors in modems in customer premises.

Unfortunately these paranoid ravings are causing a bit of a stir, with lots of our customers asking about this. We have had to post replies to this, and there is now an article in ISP review as well.

You really don't have to read much of the article to realise how crazy it is. It seems to be based on the fact that BT FTTC modems have a separate management VLAN, and that BT have chosen to put the management on a block of IPv4 addresses under 30.x.x.x. This is a non-routed private network block that belongs to the US DoD, which makes it ideal for a private network management LAN for BT. It does not mean it is connected to the US DoD, either as a network or in any other way. It is just the block BT happened to pick for management.
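An inventory check along these lines, as an added example (not BT's or the author's tooling): it flags internal prefixes that fall outside RFC 1918 / RFC 6598 space, such as 30.0.0.0/8, and shows when such a block would overlap a route that appears on the Internet. The prefix lists, the `own_allocations` parameter and the 30.1.0.0/16 advertisement are constructed for illustration; IPv4 only.

```python
import ipaddress

# Space reserved for private use: RFC 1918, plus RFC 6598 shared (CGN) space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = [ipaddress.ip_network("100.64.0.0/10")]


def classify(prefix, own_allocations=()):
    """Classify an internally used IPv4 prefix by whose address space it is."""
    net = ipaddress.ip_network(prefix)
    if any(net.subnet_of(p) for p in RFC1918):
        return "rfc1918"
    if any(net.subnet_of(p) for p in RFC6598):
        return "rfc6598"
    if any(net.subnet_of(ipaddress.ip_network(o)) for o in own_allocations):
        return "own"
    return "squatted"  # not private and not ours, yet used internally


def audit(internal, advertised, own_allocations=()):
    """Report squatted prefixes and any advertised routes they overlap."""
    routes = [ipaddress.ip_network(r) for r in advertised]
    findings = []
    for prefix in internal:
        if classify(prefix, own_allocations) != "squatted":
            continue
        net = ipaddress.ip_network(prefix)
        clashes = sorted(str(r) for r in routes if r.overlaps(net))
        findings.append({"prefix": prefix, "collides_with": clashes})
    return findings


# Constructed inventory of prefixes in use on internal/management networks.
INTERNAL = ["10.20.0.0/16", "30.0.0.0/8", "192.168.1.0/24", "100.64.8.0/22"]
# Constructed routing-table samples (documentation prefixes stand in for
# real routes); the second adds a hypothetical advertisement inside 30/8.
ROUTES_NOW = ["192.0.2.0/24", "198.51.100.0/24"]
ROUTES_IF_ADVERTISED = ROUTES_NOW + ["30.1.0.0/16"]

if __name__ == "__main__":
    for label, routes in (("now", ROUTES_NOW),
                          ("if advertised", ROUTES_IF_ADVERTISED)):
        for f in audit(INTERNAL, routes):
            print(label, f["prefix"], "collides with", f["collides_with"] or "nothing")
```
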

The article links this to US DoD and to Snowden leaks suggesting that these modems are an integral part of the snooping being done by UK and US intelligence.

There is no actual evidence of any such links or indeed anything to suggest that this is any more than a management LAN which allows BT to do remote testing for fault diagnosis and upgrade firmware when needed. It is nothing special.

So what the hell is the point of such paranoid ravings? Who knows? They do serve to annoy people and also to undermine any real research or findings that happen later, I suppose.

At the end of the day, no equipment that you do not control yourself (and even some that you do) can be 100% trusted. You cannot trust BT not to upgrade their modems to do snooping and filtering and man-in-the-middle attacks, but then you cannot trust them not to do that at the DSLAM or BRAS or anywhere else in their network. You cannot trust ISPs or transit providers not to do the same. You cannot trust your OS provider not to do the same, or your TV manufacturer, or indeed anyone that can upgrade firmware in anything on your network.

This is why we use encryption to access banks and many other sites, and can use end to end encryption for email and other applications. This is why we have firewalls. It is healthy not to trust anyone or anything when designing network security.

But there is no evidence of any such snooping. There is clear evidence against any sort of interception (e.g. man-in-the-middle attacks) because we, and our customers, can easily see what goes in and out of both ends of the back-haul. We have seen cases of bugs, for example, which caused packets to be dropped or changed, and these were picked up. Any attempt to change HTTPS traffic would be picked up very quickly and proved, so there really is no point in a major telco risking that happening.

Page 47 is a good read - the idea that the modem is a "white box" to throw you off (not being a "black box"), and the idea that it has a special hard-to-unplug RJ11 connector. Unbelievable.

I would have said the whole article is a joke, but I can't find the punch line. Are there really people quite that paranoid?


  1. How on earth would a hard to unplug RJ11 connector be of any relevance to snooping software, even if there were any snooping software?

  2. How come that is not routed? It's not within RFC1918 range. Is it allocated to DoD but they only use it internally with no route advertised to it? (What a waste)

    1. Getting an IP allocation did not require it to be "routed on the public Internet", especially as, back then, there was not as much of a public Internet in the first place, and DoD probably had the bigger network :-)

    2. It's still relatively dangerous / not that smart from BT. What happens if tomorrow DoD starts to advertise it, or returns/resells the range (that's unlikely)? I'm not sure BT will realise in time that they have a massive issue on their hands.
      RFC1918 is there for a reason....

    3. @SMabille - it won't matter because BT aren't routing it over the Internet. Your FTTC modem's address is on their internal network.

    4. If their management LAN doesn't have access to the internet (and you would hope this is the case) then it won't make any difference at all. Their LAN will continue as it currently does and the internet will also work as intended.

    5. But BT won't have a massive issue on their hands, as their management network isn't routed either.
      It still seems a slightly odd choice, but given they are the only people to use it, and it is not part of the internet, it is never going to cause any problems.

    6. It's not really a waste at all (and FWIW the UK government has a similar non-routed network). The idea is that it is a globally unique bunch of addresses, so you can use them to interconnect various organisations over VPNs without needing to concern yourself about conflicts with the non-globally-unique RFC1918 networks within each organisation.

      This is also why IPv6 encourages using properly assigned addresses in non-routed situations rather than site-local addresses - it greatly increases the ease with which separate private networks can be glued together at a later date (think: merges between businesses, etc. where you unexpectedly need 2 formerly separate networks to talk to each other).

      On the other hand, whilst I agree that the article is nonsense, using someone else's addresses rather than either RFC1918 or BT-owned networks does seem a bit strange - I do wonder what their reasoning is for doing that.

  3. This comment has been removed by the author.

  4. Finally got some time to start reading the paper.
    I'm sure RevK you particularly enjoyed:
    "There are two security factors in operation here:
    a) NAT based networking, meaning that your home computers are
    hidden and all share a single public IP address" ....

    reminded me of IPv6 vs NAT cartoon (http://youtu.be/v26BAlfWBm8)

  5. The paper is absolutely laughable; that news outlets picked up on it is boggling. However it did get me thinking about the BT management VLAN - I have no idea how it's actually set up, or if anyone has ever prodded it for holes.

    They appear to claim that the routers allow anyone on the management VLAN to ssh in with the username "admin" password "admin". Assuming that is true (I've not checked) I presume my router's management VLAN IP can't actually talk to anyone else's management IP, and that access to the management VLAN is suitably locked down.

    1. That would be more of a concern, and worth checking. If so, not a conspiracy, but incompetence, which is always much more likely.

  6. As an isolated network, with only the FTTC management interfaces and BT's management servers on, it should be easy to use 10/8 instead of usurping the DoD's 30/8: if it's not routed anywhere, just dual-home the handful of management servers which are directly connected to that network and give the other interface addresses on the appropriate network.

    The rationale for the UK government using a public /8 in this way was that they had to interconnect multiple third-parties, many of which also used RFC1918 space internally: that surely doesn't apply to this management VLAN (unless the article's right and black-helicopter-people are routed into it...)

    With IPv6, yes, using up even a whole /32 in this way would be harmless - but with scarce IPv4 space, I'd love to see the DoD and DWP moved to 10/8, freeing up almost 1% of the global address space for reuse. Or, of course, get them to upgrade to IPv6...