
Full Disclosure

The Internet Dark Age


Removing Governments on-line stranglehold
Disabling NSA/GCHQ major capabilities (BULLRUN / EDGEHILL)
Restoring on-line privacy - immediately

by

The Adversaries

Spread the Word



Uncovered //NONSA//NOGCHQ//NOGOV - CC BY-ND

Full Disclosure
NSA/GCHQ Sources and Methods Uncovered
We explain how NSA/GCHQ:
Are Internet wiretapping you
Break into your home network
Perform 'Tailored Access Operations' (TAO) in your home
Steal your encryption keys
Can secretly plant anything they like on your computer
Can secretly steal anything they like from your computer
How to STOP this Computer Network Exploitation

Internet Wire-Tapping

WARNING:
BT Broadband Equipment Contain NSA/GCHQ Back Doors

We expose NSA/GCHQ's most Secret Weapon - Control and how you can defeat it.
Dedicated to the Whistle-Blower

Mr Edward J. Snowden.


Table of Contents


Preface ..... 5
Disclosures ..... 5
Source of this Information ..... 6
Our Laws ..... 6
Companies ..... 7
Technical Nature of this Information ..... 7
Privacy vs Security ..... 7
Motivation ..... 8
Terminology ..... 9
Your Home Network ..... 10
The Hack ..... 13
How it Works ..... 13
The Attacks ..... 18
Internal Network Access ..... 18
Man-In-The-Middle Attack ..... 19
All SSL Certificates Compromised in Real-Time ..... 20
Theft of Private Keys ..... 21
The Kill Switch ..... 23
Uploading/Download Content ..... 23
Hacking in to a VOIP/Video Conferences in Real-Time ..... 23
Tor User/Content Discovery ..... 24
Encrypted Content ..... 24
Covert International Traffic Routing ..... 24
Activists ..... 24
Destroy Systems ..... 24
Censorship ..... 25
Mobile WIFI Attacks ..... 25
Document Tracking ..... 25
2G/3G/4G Mobile Attacks ..... 26
Basic Defense ..... 27
Secure your end-points ..... 27
Inbound Defense ..... 28
Outbound Defense ..... 29
More Defense Tips ..... 30
MITM Defense ..... 31
TCPCRYPT ..... 32
Frequently Asked Questions ..... 33
Why Full Disclosure? ..... 33
Who should read this information ..... 33
Why does this document exist ..... 33
What about the debate, the balance? ..... 33
I'm an American, does this apply to me ..... 33
Will stopping BTAgent software stop these Attacks ..... 34
Is it possible that BT is unaware of this ..... 34
My equipment is completely different? ..... 34
I've never done anything wrong ..... 34
How can I verify this myself ..... 34
I would like to donate and support your work ..... 34
How you can verify ..... 35
Easy Confirmation ..... 36
Hard Confirmation ..... 37
The UN-Hack ..... 41
Barriers ..... 43
Social Attacks on Engineers ..... 44
Counter-Intelligence ..... 45
NSA Honeypots ..... 45
About the Authors ..... 46
Our Mission ..... 46
Donations ..... 46



Preface

When the Government, Telecommunications companies and Internet Service Providers implant secret spying equipment in your home without your knowledge or consent under the guise of something else, then use that equipment to infect your computers and spy on your private network activity (not the internet), we believe you have a right to know. It is not possible to make these claims without actual proof and without naming the actual companies involved. These events coincide with the global surveillance systems recently disclosed, and they further confirm the mass scale of the surveillance and how deeply entrenched the Governments are in our personal lives without our knowledge.

The methods we disclose are a violation of security and trust. Good Information Security (InfoSec) dictates that when we discover such back doors and activity, we analyze, understand, publicize and fix/patch such security holes. Doing otherwise is morally wrong.

What is revealed here is the missing piece to the global surveillance puzzle, which answers key InfoSec questions including: How do the NSA/GCHQ perform Computer Network Exploitation? We reveal the actual methods used by the NSA/GCHQ and others that allow them to instantly peer into your personal effects without regard for your privacy, without your knowledge and without legal due process of law, thus violating your Human Rights, simply because they can.

Disclosures

The risks taken when such activity is undertaken are “Being Discovered” and the activity being “Publicly Exposed”, as well as the “Loss of Capability”.

Source of this Information


“The simple knowledge that we may be clandestinely observed in our own homes provided the determination to find the truth, which we did!”

This information is not the result of any knowledge of classified documents or leaks, but is based on information in the public domain and our own fact-finding mission resulting from Forensic and Network Analysis Investigations of private SOHO networks located in the UK. As we detail the methods used, you will see that the information was uncovered fairly, honestly and legally, on private property, using privately owned equipment.

Our Laws

There is no law that we are aware of that grants the UK Government the ability to install dual-use surveillance technology in millions of homes and businesses in the UK. Furthermore, there is no law we are aware of that grants the UK Government the ability to use such technology to spy on individuals and families in their own homes on the mass scale at which this system is deployed. If there are such hidden laws, the citizens of the UK are certainly unaware of them and should be warned that such laws exist and that such activity is being engaged in by their own Government. All of the evidence presented is fully reproducible. It is our belief that this activity is NOT limited to the UK!

Companies

BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the UK, as our evidence will demonstrate. BT have directly enabled Computer Network Exploitation (CNE) of all its home and business customers.

Technical Nature of this Information

The information described here is technical. This is because, in order to subvert technology, the attackers need to be able to fool and confuse experts in the field and keep them busy, slowing them down; but regardless, the impact and effect can be understood by everybody. Your main take-away from this disclosure is to understand conceptually how these attacks work; you can then put security measures in place to prevent such attacks.

Privacy vs Security

Loss of privacy is a breach of personal security, and the legal violation of privacy is purely a consequence of that security loss. We've focused on the technical breach of security, i.e. the Computer Network Exploitation itself, and by fixing that you can restore at least some of your personal privacy. This illustrates that there is no such thing as a balance between security and privacy: you have them both or you have none.


Motivation

After studying in detail the revelations by Edward Snowden, we realized there was a large missing part of the puzzle. There has been little to nothing published on specifically how the attackers technically achieve their goals. Most information published is based on theoretical situations. If we don't know how hackers actually achieve these security breaches, we cannot defend against such breaches. For example, a slide similar to the following was published. Of all the slides released, it's uninteresting and easily dismissed, as it simply describes what is commonly known as a theoretical Man-In-The-Middle attack.

The media focus of the slide is of course Google's Servers, and your first thought might be, 'this is Google's problem to solve', but what if 'Google Server' was 'My Bank's Servers'? You would probably be more concerned, because that may directly affect you. But we thought, what if 'Google Server' was 'Any Server, Anywhere?'


Our investigation led us to uncover and understand how this attack really works in practice, how it is implemented, and the hair-raising reality of its true nature, and that is: this is not just a back door, but an entire attack platform and distributed architecture.

Terminology

To ease explanation, we are going to use standard security terms from here on.

Attacker - GCHQ, NSA, BT Group or any combination.

The Hack - The technical method used by the attackers to illegally break into your home network computers and phones.


Basic Security

Your Home Network

In order to explain how these Computer Network Exploitation attacks work, and how this affects you personally, we must first look at the architecture of a typical home or office network. Look familiar to you?

Most Internet connections consist of a DSL type modem and one or more Ethernet ports attached to the modem, to which you connect your computers, devices and add-on switches etc. There are two security factors in operation here:
a) NAT based networking, meaning that your home computers are hidden and all share a single public IP address
b) Your modem has a built-in firewall which blocks inbound traffic.
The inherent security assumption is that data cannot pass from the inbound DSL line to a LAN switch port without first being accepted or rejected by the built-in firewall.

For the technically minded, these security assumptions are further reinforced if the modem's software is open source, e.g. using Linux, and its source code is freely and openly available as per the GNU GPL requirements. Given that the above is the most common architecture on the Internet, as it applies to almost every home and office, everywhere, let's now revisit that first slide, but this time we ask one simple question: How do the attackers get between You and Google or some other service? On closer inspection of the diagram you will notice that “Google Request” and the Attacker (Log into Router) share the same router. When this slide was released, we all assumed that this router was either Google's own router or some upstream router; that way the attacker could intercept packets and perform a Man-In-The-Middle (MITM) attack. However, this would not work for every website or service on the Internet. The attacker would need to be upstream everywhere!

So where does the attacker hide? Where is this Common Router? Again we ask: How do the attackers get between You and Google or some other service? Let's examine the diagram one last time.



You guessed it, it's right inside your house! It's the router supplied by your trusted Internet Service Provider (ISP)!
If this is true, it means that you are being Internet wiretapped, because the attacker has entered your private property and unlawfully accessed your computer equipment. Unlike a lawful interception, in which a warrant is served on the third party (ISP) and the intercept happens at the ISP's property upstream and outside your property, this is happening in your home or office, without your knowledge, without your permission, and you have not been served with a search warrant as is required by law. But worse is the fact that this architecture is designed for Cyber Attacking in addition to passive monitoring, as we will detail next.



The Hack

This example is based on the UK version of what we are calling The Hack, using BT Internet services. If you are not in the UK, and regardless of the service, you should always assume that the exact same principles detailed here are always being used against you regardless of your country or ISP. The Hack is based on the fact that a second secret/hidden network and second IP address is assigned to your modem. Under normal use, you cannot detect or see this from your LAN, but the attacker has direct access to your modem and LAN in your house from the Internet.

How it Works

When the DSL connection is established, a covert DHCP request is sent to a secret military network owned by the U.S. Government D.O.D. You are then part of that U.S. D.O.D. military network; this happens even before you have been assigned your public IP address from your actual ISP. This spy network is hidden from the LAN/switch using firewall rules, and traffic is hidden using VLANs; in the case of BT et al, it uses VLAN 301, but other vendors' modems may well use different VLANs. The original slide has a strange number 101 with grey background; we think this represents the VLAN number/Vendor number, so BT would be 301. This hidden network is not visible from your “Modem's Web Interface” and is not subject to your firewall rules, nor subject to any limitations as far as the switch portion of your modem is concerned, and the hidden network also has all ports open for the attacker. Other tools and services are permanently enabled inside the modem which greatly aid the attacker, such as zebra & ripd routing daemons, iptables firewall, SSH remote shell server, along with a dhcp client. These tools allow the attacker to control 100% of the modem functionality from the Internet and in an undetectable manner. e.g., the attacker can forward all your DNS requests to their private network; they can selectively route specific protocols, ports or networks, or everything, to their network, and by default they do. Although the hidden network is owned by U.S. D.O.D., it is located within the UK, as the ping time to the attacker's IP gateway is < 8ms from within the UK. This clearly demonstrates that the UK Government, U.S. Government, U.S. Military and BT are co-operating together to secretly wiretap all Internet users in their own homes (with few exceptions). The modems are provided by BT and Locked down. If you cannot confirm otherwise, you must assume that all ISPs in the UK by policy have the same techniques deployed. Your home network actually looks something like the following diagram. To the right is the WHOIS record of the network our modems are automatically connected to; yours may vary.

The above hidden network is created automatically in all our test cases across a wide range of modems. It should be noted that even before your Point-to-Point over Ethernet (PPPoE) request is issued, this hidden network is already fully operational. So much so, that your LAN can be directly accessed even when you think your modem is off-line.


This is an extremely complex and covert attack infrastructure, and it's built right into your modem's firmware, which can also be updated remotely as required by the attacker using the built-in BTAgent. The Hack attack is turned on by default, but is selectively turned off for special purposes or specific dangerous customers, for example, for certain software, firmware and hardware developers/engineers (which may include you), so that these people don't discover The Hack. The attacker identifies these specific “threats” and marks their Internet connections as “NO DHCP”, such that the same dhcpc requests from their telephone lines are ignored, and while these requests are ignored, the hidden network will not appear inside their modem and is much harder to discover. Firmware engineers usually want to know if the modems are using Open Source software such as Linux and Busybox, in which case they are subject to the terms of the GNU Public License. These engineers, as well as tech savvy users, may wish to put their own software (e.g. OpenWRT) on these modems, maybe because they don't trust their ISP, but are prevented by their ISP for obscure reasons. Most modem providers usually violate copyright law by not releasing the source code, and BT was no exception to this rule. Only by the threat of legal action did they release the source code. However, BT still prevents the modems from being updated by their customers or third parties. BT goes to extreme lengths to prevent anyone from changing the firmware, and those that come close are first subjected to Physical and Psychological Barriers explained later, and the few that overcome that are subjected to a separate NSA/GCHQ targeted Social Attack designed specifically to derail any engineering progress made; this is also explained later. These attacks are almost always successful. During these attacks, BT uses all the information discovered by the engineers to produce firmware updates that prevent anyone else using those same techniques, under the guise of security and protecting the customer, and this is performed without notice to any customers.


As we move to new generations of hardware, the modems are very sophisticated and very covert, and the engineers capable of even attempting to replace the firmware become practically non-existent. As we detail, the sole purpose of locking the modem is to prevent people discovering that they are actually being wiretapped by BT on behalf of NSA/GCHQ.

As a side note, NSA describe Linux/Open Source as Indigenous and a SIGINT target.

NSA documents describe this means of SIGINT collection as: [NSA slide image, not reproduced in this text extraction]

Others include: [two further NSA slide images, not reproduced in this text extraction]



Your Real Network

The following is a more realistic view of your home network and what is now possible, given the attacker now has secret access to your home LAN.

It is now a simple matter to use other tools and methods available to the attacker to penetrate your internal computers; this includes:
- Steal private VPN/SSH/SSL/PGP keys
- Infect machines with viruses
- Install key loggers
- Install screen loggers
- Clone/destroy hard drives
- Upload/destroy content as required
- Steal content as required
- Access Corporate VPNs
- Clean up after operations
- Route traffic on demand (e.g. MITM)
- Censorship and Kill Switch
- Passive observation



The Attacks

This section lists the attacks on you that are now possible by the NSA/GCHQ. Later, we show how you can defend against these attacks, and it would be wise to implement our defenses with immediate effect. Unlike the revelations so far by Snowden, where the attacks occur out there somewhere on the Internet, these attacks happen in your home/office. The attacks listed are the most obvious attacks; some are mentioned in Edward Snowden's revelations and referred to as Computer Network Exploitation (CNE).

Internal Network Access

The attacker has direct access to your LAN and is inside your firewall. Your modem acts as a server; it listens on lots of ports such as SSH (22) and TELNET (23), so the attacker can just hop on to it (but you cannot). This is possible because another hidden bridged interface exists with its own VLAN. Firewall rules do not apply to this interface, so the attacker can see your entire LAN and is not subject to your firewall rules, because those rules apply to the BT link (black line), not the attacker's link (red lines). When you scan your BT Public IP address from outside, you may well only see port 161 open (BTAgent, more on this later), but when scanned from the attacker's network, all necessary ports are open and with an SSH daemon running (even the username and password are the basic admin/admin). Basically the attacker is inside your home network, and ironically, in most cases, right behind your actual curtain (where the modems are usually located). This is the digital version of Martial Law, with a Cyber Attack Soldier in every home in the country. The first task of the attacker is to perform a site survey and learn as much as possible about all the devices attached to your network. All your hardware can be identified by the specific MAC addresses and then fingerprinted for specific protocols and software versions. None of this can be detected unless you are logged into your Locked modem. The above is just the base platform of the NSA/GCHQ from which hundreds of types of attacks are now possible, which include all of the following:

Man-In-The-Middle Attack

The attacker controls all outbound routes; he can easily perform an HTTPS Man-In-The-Middle attack by forwarding specific traffic for port 443 or a destination network to a dedicated MITM network which he controls (as per previous slides). The only thing required is a valid SSL certificate & keys for a specific domain (which he already has, see below). The attacker is between you and any site you visit or any service you use (not just web sites), e.g. Skype, VOIP, SSH etc. The attacker simply creates a static route or, more easily, publishes a Routing Information Protocol (RIP) request to the Zebra daemon running in the router for the target network address, and your traffic for that network will then be routed to the attacker's network, undetectable by you. The attacker can then use asymmetric routing and, upon examination of the requests, filter the specific requests he is interested in and respond to those, but let the target website server or service respond to everything else. The key here is that traffic from the target website back to the user does not then have to go via the attacker's hidden network; it can go directly back to the user's public IP (which would be logged by the ISP). MITM can be on any port or protocol, not just HTTPS (443), for example your SSH connections, all UDP or GRE, PPTP, IPSec etc., or any combination of anything.
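The routing trick described above, a RIP advertisement accepted by the modem's routing daemon that redirects a whole network, is also the easiest of these behaviours to watch for from the LAN side: on a home network nobody but the gateway should ever announce routes, and no host should ever announce public address space. The following monitor is an added example written for this page, not code from the original authors. It parses RIPv2 datagrams (RFC 2453 layout) and flags advertisements whose next hop is not the trusted gateway or which steer a public prefix to a LAN hop. The gateway address, the unknown host address and the sample datagrams are constructed for the demonstration; in use you would feed it UDP port 520 payloads captured on the LAN.

```python
"""Flag RIPv2 route advertisements a home LAN should never see.

Added example for this write-up, not code from the original document. It
assumes a home network where only the gateway is trusted to announce routes
and where no host should announce public address space or redirect it to a
LAN hop. Datagram layout follows RFC 2453; all sample data is constructed.
"""
import ipaddress
import struct

RIP_PORT = 520      # UDP port RIP uses; payloads captured there feed analyze_datagram
RIP_RESPONSE = 2    # command code of a route advertisement
PRIVATE_RANGES = [ipaddress.IPv4Network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ripv2(payload):
    """Decode a RIPv2 datagram into (command, version, routes).

    Each route is a dict with 'prefix' (IPv4Network), 'next_hop' (IPv4Address,
    0.0.0.0 meaning "via the sender"), 'metric' and 'tag'.
    """
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("malformed RIP datagram")
    command, version, _unused = struct.unpack("!BBH", payload[:4])
    routes = []
    for off in range(4, len(payload), 20):
        afi, tag, addr, mask, nexthop, metric = struct.unpack(
            "!HH4s4s4sI", payload[off:off + 20])
        if afi == 0xFFFF:                 # authentication entry, not a route
            continue
        prefix = ipaddress.IPv4Network(
            (addr, str(ipaddress.IPv4Address(mask))), strict=False)
        routes.append({"prefix": prefix,
                       "next_hop": ipaddress.IPv4Address(nexthop),
                       "metric": metric, "tag": tag})
    return command, version, routes


def suspicious_routes(routes, sender, trusted_next_hops):
    """Return (prefix, next_hop, reason) tuples for advertisements to alert on."""
    findings = []
    for route in routes:
        next_hop = route["next_hop"] if int(route["next_hop"]) else sender
        prefix = route["prefix"]
        if next_hop not in trusted_next_hops:
            findings.append((str(prefix), str(next_hop), "untrusted next hop"))
        elif prefix.prefixlen > 0 and not any(prefix.subnet_of(p) for p in PRIVATE_RANGES):
            # A default route from the gateway is normal; a specific public
            # prefix pointed at a LAN address is exactly the redirection above.
            findings.append((str(prefix), str(next_hop), "public prefix steered to a LAN hop"))
    return findings


def analyze_datagram(payload, sender, trusted_next_hops):
    """Parse one captured RIP payload from `sender` and return its findings."""
    command, _version, routes = parse_ripv2(payload)
    if command != RIP_RESPONSE:           # requests carry no routes to act on
        return []
    return suspicious_routes(routes, ipaddress.IPv4Address(sender),
                             {ipaddress.IPv4Address(h) for h in trusted_next_hops})


def build_ripv2_response(routes):
    """Assemble a RIPv2 response from (prefix, next_hop, metric); builds sample input only."""
    out = struct.pack("!BBH", RIP_RESPONSE, 2, 0)
    for prefix, next_hop, metric in routes:
        net = ipaddress.IPv4Network(prefix)
        out += struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                           net.netmask.packed, ipaddress.IPv4Address(next_hop).packed, metric)
    return out


# Constructed sample: an unknown LAN host announces two routes; the trusted
# gateway announces a default route, a private /8 and a public /24.
TRUSTED_GATEWAY = "192.168.1.254"
UNKNOWN_HOST = "192.168.1.77"
UNKNOWN_HOST_ADVERT = build_ripv2_response(
    [("192.168.2.0/24", "0.0.0.0", 1), ("203.0.113.0/24", "0.0.0.0", 1)])
GATEWAY_ADVERT = build_ripv2_response(
    [("0.0.0.0/0", "0.0.0.0", 1), ("10.0.0.0/8", "0.0.0.0", 2), ("198.51.100.0/24", "0.0.0.0", 3)])

if __name__ == "__main__":
    for src, datagram in ((UNKNOWN_HOST, UNKNOWN_HOST_ADVERT), (TRUSTED_GATEWAY, GATEWAY_ADVERT)):
        for finding in analyze_datagram(datagram, src, [TRUSTED_GATEWAY]):
            print(src, *finding)
```

The two rules are deliberately coarse: any route from a device other than the gateway is an alert, and the gateway itself only escapes an alert for a default route or for private space. A single RIP response that tries to pull, say, a bank's /24 towards a LAN address is therefore caught regardless of who sent it.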


All SSL Certificates Compromised in Real-Time

The security of Public Key Infrastructure (PKI) is based primarily on the security of the owners' private keys. These private keys are not necessarily required in order to perform a MITM attack. All that is required is an actual duplicate signed certificate using NSA/GCHQ's own private keys. The MITM attack can be as simple as running a transparent proxy, and you will always see a valid certificate but be unable to detect the attack. At the point of the proxy all your traffic is decrypted in real-time, at which point targeted packet injection can occur or it can simply be monitored. It makes perfect sense that the trusted Certificate Authority (CA) actually makes a second duplicate SSL certificate with a separate set of NSA-provided private keys, as the CA never sees the real certificate owner's private keys. When you send your Certificate Signing Request (CSR) and order your SSL Certificate, a duplicate signed certificate is then automatically sent to the NSA and stored in their “CES Pairing database” as per Snowden releases. We must therefore assume that NSA/GCHQ already have a duplicate of every PKI certificate & key (key different from yours). This means as soon as you revoke or renew your certificate, the NSA is ready and waiting again, allowing them to do real-time decryption on almost any site anywhere across any protocol that uses PKI.
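The check a practitioner would want against the duplicate-certificate scenario above is to compare the server's public key, not only its chain: a second certificate signed by the CA for the same name necessarily carries a different SubjectPublicKeyInfo (SPKI), so a pinned SPKI hash exposes it even though ordinary validation passes. The following is an added example, not code from the original document. The DER walker is deliberately minimal (definite lengths only, well-formed input assumed), and both certificates are constructed in the file rather than real ones; the function and constant names are this example's own.

```python
"""Public-key pinning check against a CA-issued duplicate certificate.

Added example for this write-up, not code from the original document. Chain
validation accepts any certificate the CA signs for a name; comparing the
SHA-256 of the SubjectPublicKeyInfo (SPKI) against a pinned value does not,
because a duplicate issued with a different key has a different SPKI.
The DER walker is minimal (definite lengths only, well-formed input assumed)
and the certificates below are constructed here, not real ones.
"""
import base64
import hashlib


# --- minimal DER encoding, used only to construct the sample certificates ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


# --- minimal DER decoding (definite-length form only) ---
def der_read(buf, off=0):
    """Return (tag, content, end_offset) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                       # long form: next bytes hold the length
        count = first & 0x7F
        first = int.from_bytes(buf[off:off + count], "big")
        off += count
    return tag, buf[off:off + first], off + first


def der_children(content):
    """Split a constructed value into (tag, raw TLV bytes) for each child."""
    children, off = [], 0
    while off < len(content):
        tag, _, end = der_read(content, off)
        children.append((tag, content[off:end]))
        off = end
    return children


def spki_from_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate."""
    _, cert_body, _ = der_read(cert_der)            # Certificate ::= SEQUENCE
    _, tbs_raw = der_children(cert_body)[0]         # tbsCertificate
    _, tbs_body, _ = der_read(tbs_raw)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_pin(cert_der):
    """Pin in the HPKP / Chromium form: base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(spki_from_cert(cert_der)).digest()
    return base64.b64encode(digest).decode("ascii")


def check_presented_cert(cert_der, pins):
    """'OK' if the presented key is one we pinned, otherwise 'PIN MISMATCH'."""
    return "OK" if spki_pin(cert_der) in set(pins) else "PIN MISMATCH"


# --- constructed, unsigned certificates for the demonstration ---
def fake_cert(common_name, key_bytes):
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))
                                      + der(0x0C, common_name.encode()))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + rsa_alg + name + validity + name + spki)
    signature = der(0x03, b"\x00" + bytes(16))     # placeholder, never verified
    return der(0x30, tbs + rsa_alg + signature)


GENUINE_KEY = bytes(range(64))             # constructed stand-ins for real key material
OTHER_KEY = bytes(range(64, 128))
GENUINE_CERT = fake_cert("www.example.com", GENUINE_KEY)
DUPLICATE_CERT = fake_cert("www.example.com", OTHER_KEY)   # same name, different key
PINS = [spki_pin(GENUINE_CERT)]

if __name__ == "__main__":
    print("genuine  :", check_presented_cert(GENUINE_CERT, PINS))
    print("duplicate:", check_presented_cert(DUPLICATE_CERT, PINS))
```

The pin is computed over the SPKI rather than the whole certificate so that a legitimate renewal with the same key still matches, while any certificate, however validly signed, that carries a different key does not. Pinning on its own does not protect the first connection and needs a backup pin for key rotation; Certificate Transparency monitoring complements it by revealing a second issuance for the name.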


Theft of Private Keys

Home networks are usually very insecure, mainly because only you or family use them; your guard is down, and your SSH, VPN, PGP and SSL keys are all vulnerable to theft by the attacker and his available methods. The Hack is the key mechanism that enables these thefts. As an example of the above, if you use the modem's built-in VPN feature, you usually add your certificate and private key to the modem or generate them both via its web interface; at some later time, the attacker can just copy these keys to the “CES Pairing database” via his private network, and the data collected from SIGINT can later be decrypted off-line or in real-time. In the case of keys extracted from the user's built-in VPN, the “CES Pairing database” now contains the real key/cert pair, meaning the attacker can now attack the VPN server environment directly when that server would not have been exploitable otherwise. The attacker can also masquerade as the genuine user by performing the server attack from within the user's modem (using the correct source IP address); this way nothing unusual will appear in the VPN's logs. Once inside the perimeter of the VPN server the cycle repeats. You should assume that all “Big Brand” VPNs and routers use the exact same attack strategy and architecture with variances in the specific implementation, e.g. Big Brand supports IPSec, Little Brand supports PPTP. The NSA Bullrun Guide states:

“The fact that Cryptanalysis and Exploitation Services (CES) works with NSA/CSS Commercial Solutions Center (NCSC) to leverage sensitive, cooperative relationships with specific industry partners”. Specific implementations may be identified by specifying Equipment Manufacturer (Big Brand/Make/Model), Service Provider (ISP) or Target Implementation (specific modem/router implementation). In this disclosure, we are interested in “Target Implementation”, because in our example case, BT has covertly implanted these devices in homes where there is an absolute expectation of privacy, whereas the other implementations exist within the ISP or large corporations in which you cannot expect privacy. It's important to remember that “Big Brands” also make small SOHO DSL and cable modems.

Further evidence of the mass global distribution of this technology to at least the 14 Eyes: USA, GBR, CAN, AUS, NZL, FRA, DEU, DNK, NLD, NOR, ESP, ITA, BEL, SWE and almost certainly many more countries. Quote from GCHQ regarding their ability to steal your private keys:

“It is imperative to protect the fact that GCHQ, NSA and their Sigint partners have capabilities against specific network security technologies as well as the number and scope of successes. These capabilities are among the Sigint community's most fragile, and the inadvertent disclosure of the simple 'fact of' could alert the adversary and result in immediate loss of the capability. Consequently, any admission of 'fact of' a capability to defeat encryption used in specific network communication technologies or disclosure of details relating to that capability must be protected by the BULLRUN COI and restricted to those specifically indoctrinated for BULLRUN. The various types of security covered by BULLRUN include, but are not limited to, TLS/SSL, https (e.g. webmail), SSH, encrypted chat, VPNs and encrypted VOIP. And Reports derived from BULLRUN material shall not reveal (or imply) that the source data was decrypted. The network communication technology that carried the communication should not be revealed.”

From the NSA: [NSA slide image, not reproduced in this text extraction]


The Kill Switch

Actual capabilities uncovered here include the ability to apply physical censorship on the Internet by governments, directed at individuals, groups, companies, entire countries or the majority of the users of the Internet at once (given a coordinated government agreement). This is something that can be turned on globally within minutes. This “kill switch” is only a small portion of the total capabilities available that are in place right now. Essentially, any operation that can be applied using a single firewall or RIP router can be applied to every customer at once.

Uploading/Download Content

The attacker can upload or download content via either your public ISP's network or via his private hidden network. The difference is that your ISP could confirm or deny from their logs that the user did or did not upload/download content from/to a particular source. In other words, the possibility of and ability to frame someone cannot ever be overlooked. When the attackers steal content, that information always travels via the private network.

Hacking in to a VOIP/Video Conferences in Real-Time

As an example, it's a trivial matter for the attacker to route specific traffic for a specific media protocol such as VOIP (SIP/H.323/RTSP) etc. to his network in real-time; these protocols are usually not encrypted, so no key theft is required. In the case of Skype, it's no stretch of the imagination to assume that Microsoft handed over the keys on day one. Those they do not redirect in real-time, as we know, will be collected via upstream SIGINT.


Tor User/Content Discovery

Users of the Tor network can easily be discovered by LAN packet fingerprinting, but also by watching who downloads the Tor client. The attacker can stain packets leaving your network before they enter the Tor network, making traffic analysis much easier than was previously known. All Tor traffic can be redirected to a dedicated private Tor network controlled by the attacker; in this way the attacker controls ALL Tor nodes and so can see everything you do from end to end. This is not something the Tor project can fix; it can only be fixed by the user following our methods. Tor hidden services should drop all traffic from untrusted Tor nodes; this way clients running in the simulated Tor network will fail to connect to their destination. Note that an unmodified Tor client only accepts a network consensus signed by a majority of the directory authority keys compiled into it, so redirecting its traffic into a substitute network also requires a tampered client or a forged consensus; verifying the signature of your Tor download is therefore part of this defense.

Encrypted Content

The attacker is in your network and has all the tools necessary (such as operating system back doors or zero-day vulnerabilities) to hack into your computers and steal your VPN, PGP and SSH keys, as well as any other keys they desire. Also, content that is encrypted can be captured before encryption via any number of methods when the attacker is already inside your network.

Covert International Traffic Routing

The attacker can secretly route your traffic to the U.S. without your permission, consent or knowledge, thus bypassing any European data protection or privacy laws.

Activists

We have seen many activist groups and protest organizers identified and silenced over the last few years; we believe this is the primary method used to capture activists. Knowing the victim's ISP would indicate which ISPs are involved.

Destroy Systems

Released documents state that U.S. Cyber Command has the ability to disable or completely destroy an adversary's network and systems. The first step to this would be to penetrate the adversary's network firewall, making secondary steps much easier.


Censorship

The attacker has control of the hidden firewall, so it is easy for the attacker to simply block traffic based on specific ports, or on destination address or network route. For example, the government can block port 8333 at source and therefore block all Bitcoin transactions. A coordinated attack on the Bitcoin network is possible by blocking the ports of miners around the world, reducing the hash rate and blocking transactions.

Mobile WIFI Attacks

Mobile devices (phones, tablets etc.) are just as easily accessible once they connect to your WIFI network, which is, from the attacker's perspective, just another node on your LAN that the attacker can abuse. The level of sophistication or advanced encryption in use by your WIFI is no defense, because the attacker has gained a trusted position in your network. All MAC addresses gathered from your LAN are stored in the XKEYSCORE database so they can be used to identify specific devices and specific locations, allowing the attacker to track you without the aid of GPS, or where no GPS signal exists.

Document Tracking

Microsoft embeds the physical MAC address of the computer inside documents it creates. This allows the source of a document to be identified easily. (Historically this was a version-1 GUID written into the document properties by Office 97, whose node field holds the network card's address; check the file's own metadata for such an identifier before relying on this.) The following is from the XKEYSCORE PowerPoint.
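As an added example (not from the original document), the following Python extracts the originating machine's MAC address from such an identifier. It assumes the GUID taken from the document properties is an RFC 4122 version-1 UUID, whose low 48 bits are the generating host's Ethernet address, and it refuses to report a MAC when the node field is marked as random (multicast bit set) or when the UUID is not version 1. The sample GUIDs are constructed.

```python
"""Recover the originating machine's MAC address from a version-1 UUID.

Added example, not from the original document. It assumes the identifier
taken from a document's properties is an RFC 4122 version-1 UUID (the kind
Office 97 wrote into its files), whose 48-bit node field is the generating
host's Ethernet address. The sample GUIDs below are constructed.
"""
import datetime
import uuid

# Version-1 timestamps count 100 ns ticks from the Gregorian epoch, 1582-10-15.
UUID_EPOCH = datetime.datetime(1582, 10, 15, tzinfo=datetime.timezone.utc)


def uuid1_origin(guid_text):
    """Return {"version", "mac", "created", "clock_seq"} for a UUID string.

    "mac" is None when the UUID is not version 1 or when its node field has
    the multicast bit set, which RFC 4122 section 4.5 reserves for randomly
    generated node values that identify no hardware.
    """
    u = uuid.UUID(guid_text)
    if u.version != 1:
        return {"version": u.version, "mac": None, "created": None, "clock_seq": None}

    node = u.node  # low 48 bits of the UUID
    mac = None
    if not (node >> 40) & 0x01:  # multicast bit clear: a real IEEE 802 address
        mac = ":".join("%02x" % ((node >> (8 * i)) & 0xFF) for i in reversed(range(6)))

    # u.time is the 60-bit tick count; integer-divide by 10 to get microseconds.
    created = UUID_EPOCH + datetime.timedelta(microseconds=u.time // 10)
    return {"version": 1, "mac": mac, "created": created, "clock_seq": u.clock_seq}


# Constructed samples: a v1 GUID carrying a MAC, a v1 GUID with a random node,
# and a v4 GUID, which carries no node field at all.
SAMPLE_V1_MAC = "2f1e4a5c-6b7d-11e3-8a1b-001122334455"
SAMPLE_V1_RANDOM_NODE = "2f1e4a5c-6b7d-11e3-8a1b-0d1122334455"
SAMPLE_V4 = "6ba7b810-9dad-41d1-80b4-00c04fd430c8"

if __name__ == "__main__":
    for guid in (SAMPLE_V1_MAC, SAMPLE_V1_RANDOM_NODE, SAMPLE_V4):
        print(guid, uuid1_origin(guid))
```

The timestamp is as useful as the MAC for attribution: a version-1 UUID also records when the identifier was minted, to 100 ns, on the machine's clock.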



The Mobile Hack


4G/3G/2G Mobile Attacks

Given the NSA/GCHQ plan to spy on "any phone, anywhere, any time", The Hack detailed in this document is a carrier-independent method to achieve that goal that works very well. The attacker will almost certainly re-use the same strategy for all mobile phones and wireless broadband devices. Your mobile phone (2G/3G/4G) is almost certainly subject to this same attack architecture because, from the attacker's perspective, his side of the infrastructure would remain the same regardless of the device being attacked. A mobile phone these days is simply a wireless broadband modem plus a phone, so any encrypted messaging system, for example, can be captured before encryption. Therefore mobile phones are subject to all the same attacks, and many more, as per The Hack. This would mean that mobile phone makers may well be in collusion with the NSA/GCHQ, because they would need to implement the equivalent routing and firewall ability in each mobile phone as part of the OS if it was to remain hidden.

The mobile phone version of The Hack is also much more difficult to detect than the broadband version. Mobile phones make more use of IPv6, and the overall complexity of IPv6 means that even experts may not know what they are looking at in the routing tables, even if they could see them. Carriers often have multiple IPs for the different services they provide. Even top-up mobile phones without any credit can be accessed; for example, the phone's top-up services are always available and the carrier's DNS servers are always accessible regardless of your credit state. Modern kernels use multiple routing tables for policy-based routing (list them with ip rule show and ip route show table all), so again, unless you confirm who owns a specific IPv6 range (whois against the regional registry), it will be difficult to spot, especially as firmware hackers are not even looking for such back doors. Maybe now they will.

We do not provide defense methods for mobile phones at this time.


Basic Defense
Knowing how you are being attacked is half the battle, but in this case, due to the attacker's abuse of a privileged position and the fact that the attacker is your own government and its foreign partners, defense is much more difficult compared to a common virus, worm or hacker. One of the best defenses is to take legal action against BT or your ISP.

If you are serious about your privacy, don't expect any help from your attackers (attackers never help their victims). You must ensure your own privacy. Before we explain practical defenses, here are some good tips.

Secure your end-points

- Never ever trust ISP-supplied equipment (e.g. router, firewall, set-top boxes); always consider such devices hostile and position them in your network architecture accordingly, i.e. in the Militarized Zone (MZ).
- Do not use any built-in features of ISP equipment (e.g. firewalls, VPNs).
- Never ever trust a device that has any closed source firmware or other elements, regardless of the excuses your attacker gives you.
- Never trust a device whose firmware you cannot change yourself, regardless of "big brand" names.
- Disable all protocols that you don't use or don't understand, especially TR-069 and any other remote management features; these are all part of the surveillance control system (e.g. BTAgent firmware update).
- Always use a second Linux firewall which you control and that you have built.
- Control all your NAT on your second Linux firewall, not the ISP-supplied router.
- Make sure you control all end-points whenever possible.
- Ensure that 100% of UDP/TCP packets (including DNS) leaving your second firewall are encrypted (this is the key to end-point security); this requires using the Outbound Defense method described later.
- Always use a VPN and remote proxy that you control or trust, and disable logging altogether to protect privacy. This requires using the Outbound Defense method described later.


Inbound Defense
This defense method against most NSA/GCHQ inbound attacks is fairly easy to implement and not too technical; everybody, at a minimum, should include this method in their defense strategy. The strategy will only prevent NSA/GCHQ from hacking into your home/office LAN. It cannot prevent other direct attacks, because the attacker can still intercept and route all packets leaving your property.

A second Linux firewall device (blue in the original diagram) that you control and manage is placed between your LAN and the ISP router, effectively placing the ISP's router in the Militarized Zone (MZ), i.e. the Internet. A single cable (red) is used to link the LAN port of the ISP router to the Internet port of the Linux firewall. Block all inbound access, including multicast packets, from the ISP router, and run DHCP and NAT on your Linux firewall. Your second firewall can then issue PPPoE requests via its Internet port and create a local ppp0 device, which will be its new Internet connection. All packets leaving the firewall will now be PPPoE encapsulated. You can confirm the arrangement with tcpdump on the firewall's Internet-facing port: apart from the PPPoE discovery and session frames (EtherType 0x8863 and 0x8864), nothing should leave it, and in particular no DHCP, multicast or plain IP.


Outbound Defense
This defense method should be used against all NSA/GCHQ inbound and outbound attacks. This is the only sure-fire method to protect Tor clients. This defense requires that you control (own or rent) a server or VM elsewhere on the Internet (far away from your ISP) and preferably in a different country. Run a VPN such as OpenVPN between your Linux firewall (blue) and your VPS server (green cloud); there, you run a Squid proxy and DNS, and block all inbound access except from your VPN. Always run your own DNS service on your VM/server. Be aware that this moves trust to the VPS provider and its network rather than removing it: the modem still sees that everything goes to one VPN endpoint, and queries from the resolver on the VPS leave that host in clear unless the resolver does its own recursion rather than forwarding to the provider's DNS.


An alternative short-term defense is to use OpenWRT router software that you install into the modem yourself, so that you can confirm no hidden networks or IP addresses exist and that the firewall actually functions. However, this is technically beyond most users. For open source router software visit https://openwrt.org/

More Defense Tips

- Isolate your WIFI from your LAN and limit it by MAC address plus strong passwords; alternatively, isolate your WIFI from your LAN and leave it open as a free hot-spot.
- If you are capable, install your own router firmware (OpenWRT).
- Tell your ISP you do NOT want a router with back doors or malware in it, and ask them to confirm in writing that back doors do not exist; this will help you in court when suing them.
- Stop using any operating system that is known to contain back doors.
- Only use Tor if you are using the Outbound Defense method; otherwise you could be using an NSA/GCHQ wonderland version of the Tor network.
- It cannot be emphasized enough: never trust closed source routers.
- Never use your ISP's DNS servers.



MITM Defense
Until now, it was not fully understood how a MITM actually worked with regard to how the attacker could get in the middle of any connection. Now we know with 100% confidence that the man is not in the middle but in the modem, and that is how any individual can be subjected to a MITM attack. We hereby rename this attack the Man-In-The-Modem attack.

As an alternative defense for the future, in place of the previous (admittedly complex) outbound defense, you could use Tcpcrypt. You can prevent this attack by ensuring that your clients and servers are running Tcpcrypt, which is a TCP protocol extension. It works without any configuration and automatically encrypts TCP connections if both server and client support it, or falls back to no encryption. It is also 100% NAT friendly. One caveat: on its own Tcpcrypt is opportunistic and unauthenticated, so it defeats passive collection but not an active attacker sitting in the modem, who can strip the option (forcing the fallback) or sit in the middle of the key exchange. Tcpcrypt exposes a session ID for exactly this reason; the protection against an in-path attacker only holds when the application authenticates that session ID, for example by signing it with an SSH or TLS key.

Once installed, this works for any port, not just port 80; it also protects HTTPS, SMTP, SSH and every other TCP service.


TCPCRYPT
Tcpcrypt is a very sound approach to many of the problems posed by the NSA/GCHQ because it is true native end-to-end encryption, does not require a certificate authority, and is free open source software. The NSA have tried to kill this project a number of times and will continue to do so or limit its use; you must not let that happen.

Let's get all TCP connections encrypted by default!


Available now, free and open source, for Linux, Windows and OS X; visit:

http://www.tcpcrypt.org/

Kernel developers: please support the Tcpcrypt kernel module.

If you would like to see how NSA and GCHQ agents try to kill projects like this in public, view the video at http://www.tcpcrypt.org/talk.php, go to 26:22 and hear the voice of the NSA and then GCHQ.



Frequently Asked Questions


Why Full Disclosure?
We are under no obligation to withhold this information from citizens of Europe; specifically, we are not subject to any provisions of the Official Secrets Act 1989, as we have never been: a member of the security and intelligence services, a Crown servant, or a government contractor. But more importantly, because:
- This information was discovered on private property.
- As security-conscious users of the Internet, we identified serious intentional security flaws which need to be fixed, and fast.
- The needs of the many outweigh the needs of the few.
- Under the rule of law, the truth is an absolute defense, and that is what we present here.
- Lastly, because we can.

Who should read this information?
The intended audience is citizens of Europe, but also anyone who is or could be a victim of global surveillance systems; this includes everybody in the world, now and in the future.

Why does this document exist?
When a person (or persons) or a government takes away your inalienable rights, such as your right to privacy (especially in your own home), you take it back. This is not something that can be negotiated or traded.

What about the debate, the balance?
There is no such thing as a balance between privacy and security: you either have them both or you have none.

I'm an American, does this apply to me?
The NSA would only use this technique in the U.S. if they really thought they could go undetected. In the UK they have gone undetected until now (since 2010); you should assume that the U.S. is doing the same to all Americans, and you should use the defenses detailed herein as a precaution. We can turn off the lights ourselves.

Will stopping the BTAgent software stop these attacks?
No. BTAgent is just misdirection. It is not required or directly used in the attacks. It can be used to update the firmware of a target modem should the attacker need specific functionality on the modem, but this would be unusual. So killing BTAgent does not help (you should kill it anyway).

Is it possible that BT is unaware of this?
No. This is their firmware: published by BT, updated by BT and controlled by BT; they also lock the modems.

My equipment is completely different?
The Hack is an NSA/GCHQ global strategy and its architecture is independent of a specific make or model of modem or mobile phone; it is also independent of the transport method, e.g. dial-up vs. ADSL, DOCSIS, VDSL, cable modem etc. It sits at the top of the stack (TCP/UDP etc.), so however you connect, it connects. Each implementation will vary and improve with each generation. You should only use fully open source firmware that is publicly verified.

I've never done anything wrong
Yes you have: you have allowed hackers to enter your home network and plant malware that infects your computers, which may now have become part of a zombie army with tentacles controlled by the NSA/GCHQ. This is worse than any virus or worm you can imagine.

How can I verify this myself?
Follow the instructions in the following sections. You can also create simulations off-line, but that is more technical.

I would like to donate and support your work
Thank you; please see the last page of this document for details.


How you can verify

The following section explains how you can confirm that your modem has the GCHQ/NSA back door. In these examples we use two BT Openreach white modems (more accurately described as BT OverReach): the Huawei EchoLife HG612 and the ECI B-FOCuS VDSL2 modem. These two look almost identical. The HG612 is an earlier model.

The process of confirmation is slightly different for each modem. We will show two ways to verify the back door: the first is something anyone can do and requires just the ping command; the second requires reflashing the firmware so you can log in to the modem itself.
Claims of Huawei modems (left) having back doors are false; the vendor (e.g. BT) builds and installs the OS for these modems. Huawei simply provided hardware. ECI Telecom Ltd is the provider of the second modem (right), the more dangerous of the two.



Easy Confirmation

Step 1: Remove power from the modem and disconnect the telephone line.

Step 2: On your PC (assumed Linux) add the IP address 192.168.1.100, i.e.:
  # ifconfig eth0:1 192.168.1.100 up
(or, with iproute2: ip addr add 192.168.1.100/24 dev eth0)

Step 3: Start pinging 192.168.1.1 from your PC, i.e.:
  # ping 192.168.1.1

Step 4: Connect a network cable to LAN1.

Step 5: Plug the power cable into the modem and wait about 30 seconds for the device to boot; you will then notice:
  64 bytes from 192.168.1.1: icmp_seq=115 ttl=64 time=0.923 ms
  64 bytes from 192.168.1.1: icmp_seq=116 ttl=64 time=0.492 ms
  64 bytes from 192.168.1.1: icmp_seq=117 ttl=64 time=0.514 ms

You may notice up to ten responses, then it will stop. What is happening is that the internal Linux kernel boots, the start-up scripts then configure the internal and virtual interfaces and then turn on the hidden firewall, at which point the pings stop being answered. In other words, there is a short window (3-10 seconds) between when the kernel boots and when the hidden firewall kicks in. On its own this only shows that a packet filter starts after the interfaces come up; what that filter does is established by the second method. You will not be able to detect any other signs of the hidden network without actually logging into the modem, which is explained in the next section.
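The following Python script, added here as an example and not part of the original document, automates Step 5: it takes the whole output of a ping run started before the modem is powered and classifies what happened, distinguishing "no reply at all" (wrong address or cable) from "replies that stop while ping is still sending" (the post-boot filter described above) and "replies until ping exits" (no such filter seen). It assumes iputils ping output (icmp_seq numbered from 1; pass seq_base=0 for BusyBox ping); the sample outputs are constructed.

```python
"""Classify what a modem did to ICMP echo requests while it booted.

Added example, not from the original document. Feed classify_boot_pings()
the whole output of a `ping` run that started before the modem was powered.
The sample outputs below are constructed in iputils ping format.
"""
import re
import subprocess

REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")

NO_REPLY, STOPPED, CONTINUOUS, INCOMPLETE = "no_reply", "stopped", "continuous", "incomplete"


def classify_boot_pings(ping_output, seq_base=1, silence_probes=3):
    """Return a dict with the reply window and a verdict for one ping run.

    seq_base is 1 for iputils ping (Linux PC) and 0 for BusyBox ping.
    The verdict is STOPPED only if at least `silence_probes` requests were
    sent after the last reply, so a single lost packet at the end of the run
    is not mistaken for a filter coming up.
    """
    seqs = [int(m.group(1)) for m in REPLY_RE.finditer(ping_output)]
    summary = SUMMARY_RE.search(ping_output)
    result = {"replies": len(seqs), "first_seq": None, "last_seq": None,
              "window_probes": 0, "verdict": NO_REPLY}
    if not seqs:
        return result
    first, last = min(seqs), max(seqs)
    result.update(first_seq=first, last_seq=last, window_probes=last - first + 1)
    if summary is None:
        result["verdict"] = INCOMPLETE  # ping was killed before printing its summary
        return result
    transmitted = int(summary.group(1))
    sent_after_last = transmitted - (last - seq_base + 1)
    result["verdict"] = STOPPED if sent_after_last >= silence_probes else CONTINUOUS
    return result


def ping_during_boot(host="192.168.1.1", probes=120):
    """Send `probes` echo requests one second apart and classify the output."""
    proc = subprocess.run(["ping", "-c", str(probes), host],
                          capture_output=True, text=True)  # non-zero exit on loss is expected
    return classify_boot_pings(proc.stdout)


# Constructed sample: the modem answered three probes, then went silent.
SAMPLE_STOPPED = """PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=115 ttl=64 time=0.923 ms
64 bytes from 192.168.1.1: icmp_seq=116 ttl=64 time=0.492 ms
64 bytes from 192.168.1.1: icmp_seq=117 ttl=64 time=0.514 ms

--- 192.168.1.1 ping statistics ---
180 packets transmitted, 3 received, 98% packet loss, time 179000ms
"""

# Constructed sample: the modem kept answering until ping finished.
SAMPLE_CONTINUOUS = "\n".join(
    ["PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data."]
    + ["64 bytes from 192.168.1.1: icmp_seq=%d ttl=64 time=0.5 ms" % i for i in range(40, 61)]
    + ["", "--- 192.168.1.1 ping statistics ---",
       "60 packets transmitted, 21 received, 65% packet loss, time 59000ms", ""])

if __name__ == "__main__":
    print(classify_boot_pings(SAMPLE_STOPPED))
    print(classify_boot_pings(SAMPLE_CONTINUOUS))
```

Run ping_during_boot() from a PC on 192.168.1.0/24 immediately before applying power; a "stopped" verdict with a window of a few probes is the behaviour the text describes.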


Hard Confirmation

For this method you will need to re-flash the modem by following the instructions in the document called hg612_unlock_instructions_v1-3.pdf, which is available from:
http://huaweihg612hacking.files.wordpress.com/2011/11/hg612_unlock_instrctions_v1-3.pdf
Or you can navigate to http://huaweihg612hacking.wordpress.com/ and click "Unlocked Firmware Images for Huawei HG612" on the right panel.

Once you have re-flashed your modem, you will be able to log in to the modem via telnet as follows.

Note: if your network is not 192.168.1.0, you will need to add the IP address to your PC as explained previously, i.e.
  # ifconfig eth0:1 192.168.1.100 up
  # telnet 192.168.1.1
then log in with Username: admin, Password: admin, then type shell to get the BusyBox shell prompt.

Your telephone line should remain disconnected.

You will be surprised to learn that 16 network interfaces exist inside the device; most are legitimate, but others are part of The Hack.
All IP and MAC addresses have been redacted to protect victims' identities.
  # ifconfig -a
  br0        Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2   <-- redacted MAC address
             inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  br1        Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  dsl0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
             [NO FLAGS]  MTU:0  Metric:1
  eth0       Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  eth0.2     Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
             BROADCAST MULTICAST  MTU:1500  Metric:1
  eth0.3     Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
             BROADCAST MULTICAST  MTU:1500  Metric:1
  eth0.4     Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  eth0.5     Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  imq0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
             UP RUNNING NOARP  MTU:16000  Metric:1
  imq1       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
             UP RUNNING NOARP  MTU:16000  Metric:1
  imq2       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
             UP RUNNING NOARP  MTU:16000  Metric:1
  pktcmf_sa  Link encap:UNSPEC  HWaddr FE-FF-FF-FF-FF-FF-FF-FF-00-00-00-00-00-00-00-00
             UP NOTRAILERS RUNNING NOARP  MTU:0  Metric:1
  pktcmf_sw  Link encap:UNSPEC  HWaddr FE-FF-FF-FF-FF-FF-FF-FF-00-00-00-00-00-00-00-00
             UP NOTRAILERS RUNNING NOARP  MTU:0  Metric:1
  ptm1       Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  ptm1.101   Link encap:Ethernet  HWaddr 10:C6:1F:C1:27:A2
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  ptm1.301   Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A3
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1


Let's examine the routing table:


  # route -n
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0

  # ip route show
  192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1

  # netstat -n
  Active Internet connections (w/o servers)
  Proto Recv-Q Send-Q Local Address          Foreign Address        State
  tcp        0      0 192.168.1.1:23         192.168.1.100:57483    ESTABLISHED   # telnet
  tcp        0      0 127.0.0.1:2600         127.0.0.1:33287        ESTABLISHED   # Z->rip
  tcp        0      0 127.0.0.1:33287        127.0.0.1:2600         ESTABLISHED   # rip->Z
  Active UNIX domain sockets (w/o servers)
  Proto RefCnt Flags       Type       State         I-Node Path
  unix  3      [ ]         STREAM     CONNECTED     766    /var/BtAgentSocket   # SPIES Socket

Let's see what processes are running (duplicate and uninteresting lines removed for brevity):

  # ps
    PID  Uid     VSZ Stat Command
      1    0     336 S    init
    101    0         SW   [dsl0]
    116    0         SW   [eth0]
    127    0     504 S    mc
    131    0     380 S    /bin/msg msg
    136    0    1124 S    /bin/dbase
    146    0    1680 S    /bin/cms
    147    0    1148 S    /bin/cwmp
    191    0     328 S    zebra -f /var/zebra/zebra.conf
    193    0     332 S    ripd -f /var/zebra/ripd.conf
    548    0     396 S    dhcpc -i ptm1.301 -I ptm1.301     <-- HELLO?
    552    0     504 S    monitor
    570    0     348 S    dnsmasq --conf-file=/var/dnsmasq.conf
    733    0     248 S    tftpd -p 69
    741    0     292 S    sshd -E                           <-- HELLO?
    762    0    1136 S    MidServer
    766    0     380 S    /bin/sh /BTAgent/ro/start
    780    0     832 S    ./btagent

All looks innocent at first. Now let's plug in the telephone line cable and wait a few seconds:


NOTE: We have redacted some IP addresses assigned to us by the attacker; xx = redacted octet.
  # route -n
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
  30.150.xx.0     0.0.0.0         255.255.xxx.0   U     0      0        0 ptm1.301
  0.0.0.0         30.150.xx.1     0.0.0.0         UG    0      0        0 ptm1.301   <- Default?

  # ip route show
  192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
  30.150.xx.0/21 dev ptm1.301  proto kernel  scope link  src 30.150.xx.xx
  default via 30.150.xx.1 dev ptm1.301

We have a new IP address on VLAN 301. This is before any computers are connected and before the PPPoE discover has been issued from the LAN-connected hub or PC. The default route sends all traffic to the attacker by default: 30.150.xx.1. How close is the attacker? Very close: 7 ms. Before attributing the far end to anyone, check who the range is registered to (whois 30.150.xx.0) and compare it with what your ISP says it uses for modem management; ttl=64 on the replies below means the gateway answered directly, i.e. it is one hop away on the access network, and the round-trip time alone does not say who operates it.
  # ping 30.150.xx.1
  PING 30.150.xx.1 (30.150.xx.1): 56 data bytes
  64 bytes from 30.150.xx.1: seq=0 ttl=64 time=7.174 ms
  64 bytes from 30.150.xx.1: seq=1 ttl=64 time=7.648 ms
  64 bytes from 30.150.xx.1: seq=2 ttl=64 time=7.685 ms

NOTE: You are now pinging the NSA/GCHQ


Now let's see what is happening at the socket level (comments on the right after #):

  # netstat -an
  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address          Foreign Address        State
  tcp        0      0 0.0.0.0:161            0.0.0.0:*              LISTEN        # This is BTAgent
  tcp        0      0 127.0.0.1:2600         0.0.0.0:*              LISTEN        # This is the Zebra router
  tcp        0      0 127.0.0.1:8011         0.0.0.0:*              LISTEN        # Transparent tproxy
  tcp        0      0 30.150.xx.xx:8081      0.0.0.0:*              LISTEN        # NSA/GCHQ services
  tcp        0      0 0.0.0.0:53             0.0.0.0:*              LISTEN        # This is DNS
  tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN        # This is the SSH server
  tcp        0      0 0.0.0.0:23             0.0.0.0:*              LISTEN        # This is TELNET
  tcp        0     55 192.168.1.1:23         192.168.1.100:57484    ESTABLISHED   # This telnet session
  tcp        0      0 127.0.0.1:2600         127.0.0.1:36825        ESTABLISHED   # This is zebra->rip
  tcp        0      0 127.0.0.1:36825        127.0.0.1:2600         ESTABLISHED   # This is rip->zebra
  udp        0      0 0.0.0.0:69             0.0.0.0:*                            # TFTP server for upgrades
  Active UNIX domain sockets (servers and established)
  Proto RefCnt Flags       Type       State         I-Node Path
  unix  3      [ ]         STREAM     CONNECTED     766    /var/BtAgentSocket   # Special Agent BT

The device is now awaiting the hub/PC to issue a PPPoE discover request, at which point you will receive your "real public IP". At this point the attacker has complete control of the modem and your LAN; extra firewall rules are added the moment the ptm1.301 VLAN device is enabled by the dhcpc command.
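To make the comparison of the before and after captures repeatable, here is an added Python audit script (not from the original document, and not the authors' tooling). It takes the text of ip route show and netstat -an copied from the modem shell and flags routes that leave by any interface other than the LAN bridge (the default route included) and listeners bound to 0.0.0.0 or to a non-LAN address, i.e. services reachable from the upstream side once such a route exists. The sample captures are constructed from the listings above, keeping the same xx redactions; the LAN interface and address prefixes are assumptions you should adjust for another modem.

```python
"""Audit a modem's routing table and sockets for a hidden upstream path.

Added example, not from the original document. Paste in the text of
`ip route show` and `netstat -an` captured from the modem shell. Flags:
  * routes that leave via any interface other than the LAN bridge (br0),
    including the default route and the interface it uses;
  * TCP/UDP listeners bound to 0.0.0.0 or to a non-LAN address, i.e.
    services reachable from upstream once such a route is present.
The sample captures below are constructed from the listings in the text,
with the same xx redactions.
"""
from collections import namedtuple

Route = namedtuple("Route", "dst dev via")
Listener = namedtuple("Listener", "proto addr port")

LAN_IFACE = "br0"                      # assumption: the LAN-side bridge
LAN_PREFIXES = ("192.168.", "127.")    # assumption: addresses not reachable from upstream


def parse_ip_route(text):
    """Parse `ip route show` lines into Route tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append(Route(parts[0], dev, via))
    return routes


def parse_listeners(text):
    """Parse `netstat -an` output into TCP LISTEN sockets and unconnected UDP sockets."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue
        local, foreign = parts[3], parts[4]
        if parts[0] == "tcp" and (len(parts) < 6 or parts[5] != "LISTEN"):
            continue
        if parts[0] == "udp" and foreign != "0.0.0.0:*":
            continue
        addr, port = local.rsplit(":", 1)
        listeners.append(Listener(parts[0], addr, int(port)))
    return listeners


def audit(route_text, netstat_text, lan_iface=LAN_IFACE):
    """Return human-readable findings; an empty list means nothing to explain."""
    findings = []
    routes = parse_ip_route(route_text)
    for r in routes:
        if r.dev and r.dev != lan_iface:
            what = "default route" if r.dst == "default" else "route to %s" % r.dst
            findings.append("%s via %s on %s" % (what, r.via or "link", r.dev))
    upstream_up = any(r.dev and r.dev != lan_iface for r in routes)
    for s in parse_listeners(netstat_text):
        if s.addr == "0.0.0.0" or not s.addr.startswith(LAN_PREFIXES):
            reach = "reachable upstream now" if upstream_up else "reachable once an upstream route appears"
            findings.append("%s/%d bound to %s: %s" % (s.proto, s.port, s.addr, reach))
    return findings


# Constructed captures, before and after the telephone line was plugged in.
ROUTES_BEFORE = "192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1\n"
ROUTES_AFTER = ROUTES_BEFORE + """30.150.xx.0/21 dev ptm1.301  proto kernel  scope link  src 30.150.xx.xx
default via 30.150.xx.1 dev ptm1.301
"""
NETSTAT_AFTER = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 0.0.0.0:161            0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:2600         0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:8011         0.0.0.0:*              LISTEN
tcp        0      0 30.150.xx.xx:8081      0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:53             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:23             0.0.0.0:*              LISTEN
tcp        0     55 192.168.1.1:23         192.168.1.100:57484    ESTABLISHED
tcp        0      0 127.0.0.1:2600         127.0.0.1:36825        ESTABLISHED
udp        0      0 0.0.0.0:69             0.0.0.0:*
"""

if __name__ == "__main__":
    print("before:", audit(ROUTES_BEFORE, ""))
    for finding in audit(ROUTES_AFTER, NETSTAT_AFTER):
        print("after: ", finding)
```

The loopback-only listeners (zebra on 2600, the tproxy on 8011) are deliberately left out of the findings; the point of the audit is what becomes reachable from the 30.150.xx.0/21 side, so follow up each flagged port with a whois on that range and a connection test from the VLAN, not from the LAN.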



The UN-HACK
If you are able to log in to your router (via the serial port or the LAN), there is a defense which will prevent ALL the attacks using The Hack. This will un-hack the modem and needs to be done after each reboot.

Step 1: Unplug the telephone cable and boot the modem, then log in and issue the following commands; the hash is the prompt (don't type that):

Kill the following processes:
  # killall zebra ripd dnsmasq tftpd sshd MidServer

Kill the pid of /bin/sh /BTAgent/ro/start (766 in the listing above; check yours with ps):
  # kill 766

Now kill all of the BTAgent processes:
  # killall btagent

Unmount the BTAgent partition:
  # umount /usr/BTAgent

Kill the rogue dhcpc process with force (-9) or it will re-spawn:
  # killall -9 dhcpc

Remove the attacker's VLAN 301:
  # vconfig rem ptm1.301

Remove all hidden firewall rules:
  # iptables -F -t mangle
  # iptables -F -t nat
  # iptables -F

Note that iptables -F only flushes the rules; it leaves user-defined chains and the default chain policies in place, so also run iptables -X in each table and check iptables -L -n -v, and confirm with ip rule show that no policy routing table remains.

Step 2: Plug in the telephone cable and the DSL will connect to BT (without the NSA/GCHQ listening).

Step 3: Now start your PPPoE session from your second Linux firewall machine as per the instructions for Inbound Defense and Outbound Defense, as applicable, and enjoy your privacy.



Special Agent BT
This "special" software is installed on all modems provided by BT and is called BTAgent.

This software listens on port 161, which is the IANA-assigned port for the Simple Network Management Protocol (SNMP), so anyone looking at this process would automatically assume that is what it is; SNMP-type programs are often referred to as SNMP agents. The primary purpose of BTAgent is unpublished, but a version has been partially reverse engineered, and the software does download firmware and update the modem's flash. BT's response to queries about BTAgent is to claim that they need to "remotely manage modems for security purposes". User concerns with BTAgent:

1. It's closed source.
2. Users cannot turn it off.
3. The secretive nature of, and responses from, BT.
4. Users cannot upgrade the firmware using BTAgent.
5. Port 161 is open to the public Internet.

The second (special) purpose of BTAgent is pure reverse psychology: it is designed to keep you wondering about it and to make you waste your time reverse engineering it, when it may well be exactly what it says on the tin, and while you are thinking about BTAgent you are not thinking about the other network interfaces such as ptm1.301 and the dhcpc requests, which all look innocent but actually perform the dirty deeds right out in the open. When you reverse engineer BTAgent and publish your results, this allows the NSA/GCHQ to target you for other types of attack. We should remember that with a single firmware update from BTAgent, it could morph itself into what we originally feared!


Psychological and Physical Barriers


The NSA/GCHQ will do anything and everything to stop The Hack being discovered. The first step is to deal with the majority of users and prevent them from even thinking about opening up, or even touching, the modem. Some of the suggestions listed here may seem extreme, but the less interest created in this box, the less attention it receives from consumers.

1. It's a white box; psychologically it's not a "black box", so it should be safe.
2. It comes in a plain brown cardboard box which contains no words or graphics whatsoever, with a single white bar-code label giving the make/model of the modem.
3. The BT engineer personally carries and installs it in your home, while other components such as the BT Home Hub, the more expensive component, are sent through the postal system. BT cannot leave this shiny white modem hanging around for a week while they allocate your connection: you might try to open it or research it online, and they want to know who is researching it.
4. The telephone socket (RJ11) is designed such that when you plug in the telephone cable it becomes very difficult to remove, much more so than a standard telephone RJ11. It's not just a case of pinching the lever; you have to pinch and push further in, then remove. This is subtle, but it will stop a lot of people from even attempting to disconnect the telephone cable, just in case they break it.
5. The older model was easy to open, just a few screws; the newer model is almost impossible to open because it is clip-locked closed, meaning that you will damage it if you attempt to open it.
6. A red warning sticker on the back, "Don't cover Air Holes": wise, but scary.
7. The only documentation is a single piece of white paper detailing how it should be mounted; there are no instructions about which cables go where. This is designed never to be touched.
8. All internal serial port headers are removed, so you cannot easily hack it.
9. The modem is plain white and square, extremely uninteresting, boring: "Nothing to see here, move along"!

All of this subtle "anti-marketing" for the most advanced BT product?



Social Attacks on Engineers


Having discovered the attack architecture and disabled it, we decided to visit some forums online; we were interested to see if anyone, anywhere, was close to uncovering The Hack and how the NSA/GCHQ react to such issues. Generally, there are engineers chatting and sharing pictures of their modems and how they solder wires onto the (usually hidden) serial ports; the discussion usually leads to logging in and gaining root access on the modem, or replacing the firmware altogether. When engineers start to get really close, something extraordinary usually happens, almost like "superman to the rescue": someone who is highly qualified, someone who has built up a reputation as an ethical hacker/security expert, introduces themselves and produces what appears to be a major breakthrough in gaining access to the modems. However, because of the "ethical" element, superman, instead of sharing the method, contacts BT (or BT contacts superman) directly, and they agree to allow BT to fix the flaw (e.g. giving BT a 30 days head start), after which superman will publish the method he used. All things being equal, this is fair enough, but things are not all equal, because this was a complete smoke screen, played out to discourage the engineers from further development, knowing that in a few weeks "superman" will give them access. Many of the engineers/enthusiasts waiting end up getting caught by upgrades of their modem's firmware, which then lock them out of the game. This is a cat and mouse game, and engineers should be very wary of those bearing gifts; their agenda is to slow you down and prevent you from making any progress, hoping you will just give up. You can clearly see this on the BT forums as well as others such as http://www.psidoc.com, http://www.kitz.co.uk/, http://community.bt.com, and others. Reverse engineering is legal, legitimate, and a great source of innovation.



Counter-Intelligence
The NSA/GCHQ et al. have been watching and attacking us; it's about time we turned the tables, started defending ourselves and also started watching them. This section is not going to detail specific techniques, but rather suggest overall approaches, some of which we have carried out over a period of months.

NSA Honeypots

Now that we understand the attack architecture, we can simulate the modem in a MIPS virtual machine (BTAgent is not required). We can route the NSA/GCHQ traffic to your lab and just let them hack away in a private cloud while we log the traffic, including how they attempt to use their back doors and other dirty tricks. You will need to forward and tap VLAN 301 (in the case of BT et al.) to the virtual modem, where you can analyze its traffic in real time or offline; you should always store whatever information you gather, forever (just like they do). After gathering enough evidence, you can then publicize it and take legal action; your logs can be used in court when you sue the conspirators and co-conspirators under the Computer Misuse Act 1990 as well as other laws.


About the Authors

The authors of this document wish to remain anonymous. However, we are fully prepared to stand in a court of law and present our evidence. We are a group of technical engineers; we are not associated with any activist groups whatsoever. We don't have a name, but if we did it would probably be "The Adversaries", according to NSA/GCHQ.

Our Mission

Freedom is only appreciated when lost. We are on the brink of an irreversible totalitarian multi-government regime, and even though the European Parliament has stated that citizens should not have to defend themselves against state-sponsored cybercrime, the fact remains that our own governments continue to attack us in our own homes while we sleep.

Our mission is defensive and legal. Our objectives are to expose the sources and methods used by those that harm our personal freedoms and rights, and to provide practical information to individuals around the world allowing them to defend themselves against such cyber attacks. We believe this, as well as future disclosures, to be in the public interest.

Donations

Our ongoing work is technical, slow, tedious and expensive; any donations are very welcome. We only accept bitcoins at this time.

bitcoin: 'D.Hj91DS(m)2)m5-12AS,ocdd)HQjma-4

You can also support us by sending this document to a friend or hosting it on your website.

Licensed under the Creative Commons Attribution-NoDerivs (CC BY-ND) licence.

