NSA able to compromise Cisco, Juniper, Huawei switches

Leo Bicknell bicknell at ufp.org
Tue Dec 31 15:03:15 UTC 2013


On Dec 31, 2013, at 8:32 AM, Saku Ytti <saku at ytti.fi> wrote:

> I'm going to wait calmly for some of the examples being recovered from the
> field, documented and analysed.

If I were Cisco/Juniper/et al. I would have a team working on this right now.
It should be trivial for them to insert code into the routers that say, 
hashes all sorts of things (code image, BIOS, any PROMs and EEPROMs and
such on the linecards) and submits all of those signatures back.  Any
APT that has been snuck into those things should be able to be detected.  For
most of them the signatures should be known, as the code shipped from the
factory and was never intended to be modified (e.g. BIOS).  A transparent
public report about how many devices are running signatures they do not
know would be very interesting.

Plus, it's an opportunity to sell new equipment to those people, so they
can rid themselves of the infection.

I also wonder how this will change engineering going forward.  Maybe the
BIOS should be a ROM chip, not an EEPROM again.  Maybe the write line needs
to be run through a physical jumper on the motherboard that is normally
not present.

Why do we accept that our devices, be it a PC or a router, can be "persistently"
infected?  The hardware industry needs to do better.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
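The measurement-and-compare scheme sketched in the message above, as an added example that is not part of the original post: each device hashes its writable firmware regions (code image, BIOS, linecard PROMs/EEPROMs), the vendor holds a manifest of the digests that left the factory, and a fleet report counts how many devices are running signatures the vendor does not know. The region names, the byte strings standing in for firmware images and the three-router fleet are all constructed for illustration; on a real platform the bytes would be read from the actual flash/ROM parts.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed sample firmware regions for a hypothetical router model. On a real
# device these bytes would be read out of the boot image, the BIOS/boot ROM and
# the PROMs/EEPROMs on each linecard; they are inline here so the example runs offline.
FACTORY_IMAGES: Dict[str, bytes] = {
    "code-image": b"FACTORY-CODE-IMAGE-v1",
    "bios": b"FACTORY-BIOS-v1",
    "linecard0-eeprom": b"FACTORY-LC0-EEPROM-v1",
}

# Constructed fleet: rtr-a is as shipped, rtr-b has a modified BIOS, rtr-c has a
# modified linecard EEPROM plus a region the manifest has never heard of.
SAMPLE_FLEET: Dict[str, Dict[str, bytes]] = {
    "rtr-a": dict(FACTORY_IMAGES),
    "rtr-b": {**FACTORY_IMAGES, "bios": b"FACTORY-BIOS-v1" + b"\x00extra-bytes"},
    "rtr-c": {**FACTORY_IMAGES,
              "linecard0-eeprom": b"NOT-FACTORY",
              "linecard1-eeprom": b"UNKNOWN-REGION"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_known_good_manifest(images: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Vendor side: for each region, the set of digests that shipped from the factory.

    A set rather than a single value, so that several supported releases of one
    region (e.g. two code-image versions) can all be accepted."""
    manifest: Dict[str, Set[str]] = {}
    for region, blob in images.items():
        manifest.setdefault(region, set()).add(sha256_hex(blob))
    return manifest


KNOWN_GOOD = build_known_good_manifest(FACTORY_IMAGES)


def collect_signatures(regions: Dict[str, bytes]) -> Dict[str, str]:
    """Device side: hash every region and submit the digests (here: just return them)."""
    return {region: sha256_hex(blob) for region, blob in regions.items()}


def check_device(signatures: Dict[str, str], manifest: Dict[str, Set[str]]) -> List[str]:
    """Return the regions whose digest the vendor does not recognise, sorted by name.

    A region absent from the manifest is reported too: a writable region that
    nobody has a known-good value for is exactly what an auditor wants to see."""
    unknown = []
    for region, digest in signatures.items():
        if digest not in manifest.get(region, set()):
            unknown.append(region)
    return sorted(unknown)


def fleet_report(fleet: Dict[str, Dict[str, bytes]],
                 manifest: Dict[str, Set[str]]) -> Tuple[int, int, Dict[str, List[str]]]:
    """Aggregate per-device results into the numbers a public report would carry:
    (devices checked, devices with at least one unrecognised region, per-device detail)."""
    detail: Dict[str, List[str]] = {}
    for name, regions in fleet.items():
        unknown = check_device(collect_signatures(regions), manifest)
        if unknown:
            detail[name] = unknown
    return len(fleet), len(detail), detail


if __name__ == "__main__":
    checked, flagged, detail = fleet_report(SAMPLE_FLEET, KNOWN_GOOD)
    print(f"{checked} devices checked, {flagged} running signatures the vendor does not know")
    for name, regions in sorted(detail.items()):
        print(f"  {name}: {', '.join(regions)}")
```

One caveat worth keeping in mind when reading the result: the digests are computed by the device itself, so firmware that controls the code path doing the hashing could report factory values regardless of what is actually in flash. The check is only as trustworthy as the component that takes the measurement, which is why the message's suggestion of a true ROM, or a write line gated by a jumper that is normally absent, matters: the measuring code has to live somewhere that cannot be rewritten in the field.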
