NSA able to compromise Cisco, Juniper, Huawei switches

Saku Ytti saku at ytti.fi
Tue Dec 31 16:50:11 UTC 2013

On (2013-12-31 09:03 -0600), Leo Bicknell wrote:

> If I were Cisco/Juniper/et al. I would have a team working on this right now.
> It should be trivial for them to insert code into the routers that, say,
> hashes all sorts of things (code image, BIOS, any PROMs and EEPROMs and
> such on the linecards) and submits all of those signatures back.  Any

I asked JTAC earlier today (#2013-1231-0033), and JTAC asked SIRT for a tool to
read the BIOS and output a SHA2 or SHA3 hash; no such tool exists yet.  I'm
dubious; it might be possible even with existing tools. At least it's possible
to reflash the BIOS with stock JunOS, as a lot of us had to do due to
misformatted SSD disks.
But fully agreed, some of these sanity checks should be added. It's not a
cure-all: maybe the attack changes the answers before showing them, maybe the
BIOS comes infected from Juniper or from Kontron. But it would create additional

I also emailed Kontron and told them it would be prudent for them to do a press
release too. Just to know what their public/official statement is.

> I also wonder how this will change engineering going forward.  Maybe the
> BIOS should be a ROM chip, not an EEPROM again.  Maybe the write line needs
> to be run through a physical jumper on the motherboard that is normally
> not present.

We can take a page from the XBOX360, which is designed to be resistant against
attacks with physical access. The key idea is to use PKI and hide the key in a
place where it's difficult to recover; namely, if it's inside a modern-lithography
CPU in read-only form, it's just a financially unviable vector. MS just goofed and
forgot to sign the DVD firmware.

> Why do we accept that our devices, be it a PC or a router, can be "persistently"
> infected?  The hardware industry needs to do better.

I'm still taking all these revelations with a grain of salt, until a real
specimen is dissected.
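The "hash the BIOS and code image and compare against known-good values" check discussed above, written out as an added example (not code from the post, from Juniper, or from any JTAC/SIRT tool). The firmware blobs, component names and manifest format are all constructed for the example; the digests are whatever hashlib produces for those bytes. It deliberately records both SHA-256 and SHA3-256, as the thread suggests.

```python
import hashlib

# Constructed sample "firmware" blobs standing in for a BIOS dump.
# A real check would read the image from the device out of band, because a
# compromised device can lie about its own measurements (the caveat above).
GOLDEN_IMAGE = b"\x55\xaa" + bytes(range(256)) * 4 + b"BIOS v1.0 (constructed)"

# The same image with a single byte flipped, modelling a tampered flash.
_tampered = bytearray(GOLDEN_IMAGE)
_tampered[100] ^= 0x01
TAMPERED_IMAGE = bytes(_tampered)


def measure(image: bytes) -> dict:
    """Return SHA-256 and SHA3-256 hex digests of one firmware component."""
    return {
        "sha256": hashlib.sha256(image).hexdigest(),
        "sha3_256": hashlib.sha3_256(image).hexdigest(),
    }


def build_manifest(components: dict) -> dict:
    """Golden manifest (component name -> digests) taken from a trusted copy."""
    return {name: measure(blob) for name, blob in components.items()}


def verify(manifest: dict, components: dict) -> list:
    """Compare live measurements against the manifest.

    Returns a list of (component, finding) tuples; an empty list means every
    component present matches on every algorithm and nothing unexpected exists.
    """
    findings = []
    for name, expected in manifest.items():
        if name not in components:
            findings.append((name, "missing"))
            continue
        actual = measure(components[name])
        for alg, expected_hex in expected.items():
            if actual[alg] != expected_hex:
                findings.append((name, f"{alg} mismatch"))
    for name in components:
        if name not in manifest:
            findings.append((name, "unexpected component"))
    return findings


if __name__ == "__main__":
    golden = build_manifest({"bios": GOLDEN_IMAGE})
    print("clean:", verify(golden, {"bios": GOLDEN_IMAGE}))
    print("tampered:", verify(golden, {"bios": TAMPERED_IMAGE}))
```

The manifest must be built from a copy obtained through a path the attacker cannot influence (vendor-published digests or a known-clean reference unit), otherwise the comparison only confirms the device agrees with itself.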


More information about the NANOG mailing list