NSA able to compromise Cisco, Juniper, Huawei switches

Ray Soucy rps at maine.edu
Mon Dec 30 17:00:57 UTC 2013


Looking more at the actual leaked information it seems that if the NSA is
working with companies, it's not anything the companies are likely aware
of.

The common form of infection seems to be though software updates performed
by administrators (through the NSA hijacking web traffic).  They are
implimented as firmware and BIOS infections that modify the OS image and
persist through software upgrades to provide a persistant back door (PBD).
 The documents imply that a signiciant of systems deployed are already
infected.

So this isn't an issue of the NSA working with Cisco and Juniper to include
back doors, it's an issue of the NSA modifying those releases after the
fact though BIOS implants.  Where exatcly the NSA is inserting these we
can't be sure.  They could be targeted or they could be at the assembly
line.

Quick Summary of Leaked Information:
Source: http://www.spiegel.de/international/world/a-941262.html

Firewalls:

(1) Cisco PIX and ASA: Codename "JETPLOW"
(2) Huawei Eudemon: Codename "HALLUXWATER"
(3) Juniper Netscreen and ISG: Codename: "FEEDTROUGH"
(4) Juniper SSG and Netscreen G5, 25, and 50, SSG-series: Codename:
"GOURMETTROUGH"
(5) Juniper SSG300 and SSG500: Codename "SOUFFLETROUGH"

Routers:

(1) Huawei Router: Codename "HEADWATER"
(2) Juniper J-Series: Codename "SCHOOLMONTANA"
(3) Juniper M-Series: Codename "SIERRAMONTANA"
(4) Juniper T-Series: Codename "STUCCOMONTANA"

Servers:
(1) HP DL380 G5: Codename "IRONCHEF"
(2) Dell PowerEdge: Codename "DEITYBOUNCE"
(3) Generic PC BIOS: Codename "SWAP", able to compromise Windows, Linux,
FreeBSD, or Solaris using FAT32, NTFS, EXT2, EXT3, or UFS filesystems.

USB Cables and VGA Cables:

Codename "COTTONMOUTH", this one is a hardware implmant hidden in a USB
cable.  The diagram shows it's small enough that you would never know its
there.
Codename "RAGEMASTER", VGA cable, mirrors VGA over the air.

Many others.

I'm not sure that the list is comprehensive, so I wouldn't say that since
Cisco routers are not mentioned (for example) that they're any more safe
than Juniper (which is listed often).






On Mon, Dec 30, 2013 at 11:50 AM, Dobbins, Roland <rdobbins at arbor.net>wrote:

>
> On Dec 30, 2013, at 11:18 PM, Sam Moats <sam at circlenet.us> wrote:
>
> > This might be an interesting example of it's (mis)use.
> > http://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%932005
>
> That's one of the cases I know about; it was utilized via Ericsson gear.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>           Luck is the residue of opportunity and design.
>
>                        -- John Milton
>
>
>


-- 
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net


More information about the NANOG mailing list