NSA able to compromise Cisco, Juniper, Huawei switches

Eugeniu Patrascu eugen at imacandi.net
Tue Dec 31 12:51:51 UTC 2013

On Tue, Dec 31, 2013 at 5:38 AM, Sabri Berisha <sabri at cluecentral.net> wrote:

> Hi Roland.
> > I don't know much about Juniper
> > gear, but it appears that the Juniper boxes listed are similar in nature,
> > albeit running FreeBSD underneath (correction welcome).
> With most Juniper gear, it is actually quite difficult to achieve
> wire-tapping on a large scale using something as simple as a backdoor in
> the BIOS.
You would just need an entry-point into the system, nothing fancy at first.

> Assuming M/MX/T series, you are correct that the foundation of the
> control-plane is a FreeBSD-based kernel. However, that control-plane talks
> to a forwarding-plane (PFE). The PFE runs Juniper designed ASICs (which
> differ per platform and sometimes per line-card). In general,
> transit-traffic (traffic that enters the PFE and is not destined to the
> router itself), will not be forwarded via the control-plane. This means
> that whatever the backdoor is designed to do, simply can not touch the
> traffic. There are a few exceptions, such as a carefully crafted backdoor
> capable of altering the next-hop database (the PFEs forwarding table) and
> mirroring traffic. This, however, would mean that the network would already
> have to be compromised. Another option would be to duplicate target traffic
> into a tunnel (GRE or IPIP based for example), but that would certainly
> have a noticeable effect on the performance, if it is possible to perform
> those operations at all on the target chipset.
From my experience with Juniper, you can actually tell the PFEs to do quite
a lot to the packets that flow through the router; I would imagine that
programmatically you can tell the router to mirror packets which match
certain criteria (source, destination, ports, protocol) to a chosen
destination and it would not get noticed by the NOC monitoring systems (it
may not even blip on the throughput graphs).

> However, attempting any of the limited attacks that I can think of would
> require expert-level knowledge of not just the overall architecture, but
> also of the microcode that runs on the specific PFE that the attacker would
> target, as well as the ability to partially rewrite that. Furthermore, to
> embed such a sophisticated attack in a BIOS would seem impossible to me
> with the first reason being the limited amount of storage available on the
> EEPROM to store all that binary code.
All you need is a hook into the system to load your code; the main payload
can easily be downloaded from the internet.

> An attack based on corrupted firmware loaded post-manufacturing would also
> be difficult due to the signed binaries and microcode. If someone were to
> embed a backdoor it is extremely difficult without Juniper's cooperation.
> And the last time I looked at the code (I left Juniper a few months ago), I
> saw nothing that would indicate a backdoor of any kind.
Who checks the binaries when they are loaded when the OS boots up? :)
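A defender-side check for the configuration-level mirroring discussed above (a firewall filter term with a port-mirror action, a port-mirroring output next-hop, or a GRE/IP-IP tunnel destination): this is an added example, not code from the thread, that scans constructed Junos set-style lines and flags any statement whose endpoint is not on an assumed NOC allowlist.

```python
import re

# Constructed sample of Junos "set"-style configuration lines (not from a real device).
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces gr-0/0/0 unit 0 tunnel source 192.0.2.1
set interfaces gr-0/0/0 unit 0 tunnel destination 198.51.100.9
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring family inet output interface ge-0/0/3.0 next-hop 203.0.113.7
set firewall family inet filter CAPTURE term t1 from destination-port 443
set firewall family inet filter CAPTURE term t1 then port-mirror
set firewall family inet filter CAPTURE term t1 then accept
set firewall family inet filter EDGE-IN term ok then accept
"""

# Assumed allowlist: endpoints the NOC itself uses for lawful mirroring (constructed).
APPROVED_ENDPOINTS = {"203.0.113.250"}

# Statements that can copy transit traffic somewhere; the last capture group is the endpoint.
PATTERNS = {
    "port-mirror-action": re.compile(r"^set firewall .* then port-mirror\b"),
    "mirror-output": re.compile(r"^set forwarding-options port-mirroring .*next-hop (\S+)"),
    "tunnel-destination": re.compile(r"^set interfaces (gr|ip)-\S+ .*tunnel destination (\S+)"),
}


def audit_mirroring(config_text, approved=APPROVED_ENDPOINTS):
    """Return (kind, line, endpoint) for every mirroring or tunnel statement whose
    endpoint is not approved. A bare port-mirror action has no endpoint of its own,
    so it is always reported for review."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            endpoint = m.group(m.lastindex) if m.lastindex else None
            if endpoint is None or endpoint not in approved:
                findings.append((kind, line, endpoint))
    return findings


if __name__ == "__main__":
    for kind, line, endpoint in audit_mirroring(SAMPLE_CONFIG):
        print(f"{kind:20} endpoint={endpoint}  <- {line}")
```

This only sees what the committed configuration exposes; mirroring done below the control plane, as the thread discusses, leaves no such trace and needs traffic-volume or PFE-level telemetry instead.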

More information about the NANOG mailing list