NSA able to compromise Cisco, Juniper, Huawei switches

Jared Mauch jared at puck.nether.net
Tue Dec 31 16:57:15 UTC 2013

On Dec 31, 2013, at 11:50 AM, Saku Ytti <saku at ytti.fi> wrote:

> I asked earlier today JTAC (#2013-1231-0033) and JTAC asked SIRT for a tool to
> read the BIOS and output a SHA2 or SHA3 hash, and such a tool does not exist yet.  I'm
> dubious, it might be possible even with existing tools. At least it's possible
> to reflash the BIOS with stock JunOS, as a lot of us had to do due to
> misformatted SSD disks.
> But fully agreed some of these sanity checks should be added, it's not a cure-all,
> maybe the attack changes the answers before showing them, maybe the BIOS
> comes infected from Juniper or from Kontron. But it would create an additional
> barrier.
> I also emailed Kontron and told them it would be prudent for them to do a press
> release also. Just to know what their public/official statement is.

Most of the vendors (I think Cisco/Juniper) have many of their staff out on vacation this week.  I believe both are doing the "mandatory shutdown" or similar that I've seen other folks do around this season.  Arbor Networks did something similar as well this year.

If you are looking at your hardware, you can get inexpensive flash readers/writers out there.  I have one I use when doing low level hardware work.

There are also tools for your servers (e.g. flashrom) which are available in your favorite repos/ports/elsewhere and work on Linux/FreeBSD/others.

You can use this to typically read/checksum your BIOS quickly on supported hardware.  I'm sure they would love to have the efforts that have gone into this e-mail thread followed up with hardware/research/contributions to improve the software.

It shouldn't be too hard for you to read your BIOS and load it into IDA Pro or similar to perform checks.

- Jared
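The read-and-checksum workflow Jared describes, as an added example that is not from the thread or from the flashrom project: a small POSIX sh helper that dumps the host's flash with flashrom (`-p internal -r FILE` is flashrom's own read syntax; it needs root and a supported board) and compares the dump's SHA-256 against a known-good hash you recorded earlier. The reference hash, file names and the `verify_dump`/`read_and_verify` function names are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical helper: dump firmware with flashrom and compare it to a known-good hash.
# The known-good hash must come from a dump you trust (e.g. taken right after a
# clean reflash of stock firmware); the script does not decide what "good" is.

# Print the SHA-256 of a file; falls back to shasum where sha256sum is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_dump FILE EXPECTED_SHA256
# Returns 0 when the dump matches the reference hash, 1 on mismatch.
verify_dump() {
    dump="$1"
    expected="$2"
    actual=$(sha256_of "$dump")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $dump matches reference hash"
        return 0
    fi
    echo "MISMATCH: $dump"
    echo "  expected $expected"
    echo "  actual   $actual"
    return 1
}

# read_and_verify OUTFILE EXPECTED_SHA256
# Reads the flash of the running host with flashrom, keeps the dump for later
# offline inspection (e.g. in a disassembler) and checks it against the reference.
# Returns 2 if flashrom itself fails (unsupported board, not root, ...).
read_and_verify() {
    out="$1"
    expected="$2"
    if ! flashrom -p internal -r "$out" >/dev/null 2>&1; then
        echo "flashrom read failed; is the board supported and are you root?"
        return 2
    fi
    verify_dump "$out" "$expected"
}

# Usage: sh fwcheck.sh firmware.bin <known-good-sha256>
if [ $# -eq 2 ]; then
    read_and_verify "$1" "$2"
fi
```

Reading the flash twice and comparing the two dumps (or using flashrom's own -v verify mode against the stored image) adds a cheap check that the read itself was stable.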
