Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Router Backdoors: Hacked by Chinese Part 2?

By Nathan McFeters | March 6, 2008, 7:06am PST

We all remember Code Red, right? Come on, you know you were hit with it… OK, here’s an image just in case you forgot:

[Image: "Hacked by Chinese"]
PCPro News out of the UK has written a story that I classify as xenophobic and unfair. PCPro spoke with the SecureTest company who asserted the following:

SecureTest believes spyware could be easily built into Asian-manufactured devices such as switches and routers, providing a simple backdoor for companies or governments in the Far East to listen in on communications.

“Organisations should change their security policies and procedures immediately,” says Ken Munro, managing director of SecureTest. “This is a very real loophole that needs closing. The government needs to act fast.”

What’s really interesting is that the article goes on to show no proof that this is indeed a very real loophole that needs closing. They cite no cases of any backdoors in any current routers sold from China. I will give Ken Munro and SecureTest this: I do believe that a Chinese company could build a backdoor into router firmware. I also believe U.S. companies, French companies, Japanese companies, etc. could do this. In fact, this could be put into any software or hardware that we buy. Actually, one could make the case that by providing such weak protections out of the box (like username=admin, password=admin for administrative consoles), many companies already are including backdoors in their routers.

[Image: "Is This Tomorrow"]

Unfortunately for SecureTest, and for the Chinese people, the article is written as if they’ve already discovered a router with a backdoor made by the Chinese, which I do not believe was Ken’s point. One would’ve thought that with the Beijing Olympics fast approaching, we would’ve been able to move past the views of McCarthyism and the Red Scare (see the image at right in case you can’t remember history class).

My point is this: when it comes to hacking and the security of our nation, there are very real threats that currently exist coming from China. Let’s not sensationalize and invent new ones until we have to, or else we could have our next hunt for Weapons of Mass Destruction.

Biography

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios.

Comments (42)

Typo Alert
GiveMeGizmos 6th Mar 2008
Cite, not Site.

Typo Alert: "They site no cases of any backdoors in any current routers sold from China."

Correction: "They cite no cases of any backdoors in any current routers sold from China."

Sorry to be nitpicking about typos, but this is probably because bloggers tend to write about web Sites and forget about the word "cite".....
0 Votes
+ -
Wow. Great catch man, really. Maybe you should blog!
0 Votes
+ -
Never hit by Code Red
voska1 6th Mar 2008
Sure it made an attempt but was promptly blocked by our Firewall.
0 Votes
+ -
RE: Never hit by Code Red...
nmcfeters 6th Mar 2008
Haha, really? So did your network not actually exist until after Code Red? Congrats if it's true, I'm sure you'd be one of the few that wasn't infected.

Seriously, the point is that it was a very serious flaw that hit a lot of people, and made people fear hacking from China.

Nate
0 Votes
+ -
I wasn't hit either
osreinstall 8th Mar 2008
I have a Linksys BEFSR41 consumer-grade NAT router to protect our private LAN with. I figured you had to buy into the social aspects of that worm to launch it on your network.
0 Votes
+ -
xenophobic?
croberts 6th Mar 2008
I really dislike authors and pundits who use loaded language as a way to scare people into silence. After all, who wants to be accused of being a racist in the middle of a public street? No one, and using words like xenophobic is the literary equivalent.

That having been said, Nathan, facts are facts. China is a communist country. Their claims against Taiwan would force the US into a war. Logically therefore, they cannot be a friend. Friendship is mutually exclusive with the implications of their territorial goals.

Why is it unreasonable to worry that the Chinese, who thanks to us have a monopoly on manufacturing just about everything, might be putting compromised firmware into devices to let them get hacked?

As a security advisor, maybe you should get your head out of your PC, and look at the geopolitical goals of our trading partners.

I suspect that you are using xenophobia as a way to hide from the ultimate conclusion which is that there is no security that you can't control yourself. If you can't make your own gun, your own battleship, your own ammo, your own food, own computers, own phones, what kind of security can you really have?

And before you get into a huff, answer us this: Would Ernst & Young outsource their security to a company owned by a foreign government?

Unless you say yes, put your head back into your PC case.
Obviously critical thinking is outside your abilities.

Articles like this require a more thorough reading than the cursory look you gave it.

His point was that anyone can manufacture back doors into anything they manufacture. Singling out China from the host of nations who manufacture devices is just irresponsible and akin to the days of the red scare.

For your information, the U.S. and China generally only buy from companies in their own countries when it comes to military supplies. One of the reasons behind that... relates to this article...
0 Votes
+ -
Thank you Been_Done_Before, it seems that you did get the point of the article, which I thought was obvious.

Maybe we should single out the French next, I mean, who knows what they are putting in their wine!

Nate
0 Votes
+ -
There's a saying....
bportlock 6th Mar 2008
... over here in the UK. IIRC it is attributed to Churchill. It goes "The British and the Germans are just squabbling cousins, the French are the real enemy of both"

I look forward to your Francophobe article

Vin francais n'est pas tres bon. Au revoir mon ami!
0 Votes
+ -
Ridiculous relativism
mlambert890@... 8th Mar 2008
I see political relativism has really now become an epidemic.

So there is no difference between France and China then? You don't see ANY differentiation there?

Somewhere in China at the Ministry of Information a party delegate has got to be reading this and laughing hysterically.

By your logic, I suppose we should apply the same level of scrutiny to both Iran and the UK then?

The notion that you treat all nations equally and don't categorize their threat level and respond to them accordingly is directly counter to the very foundation of sound security.

I assume that anyone on this thread is a security professional so it is very disconcerting to see such naivete in play.

Yes you watch ALL rivals, but you watch some just a bit more closely. China and Russia for example.
0 Votes
+ -
RE: Ridiculous Relativism
nmcfeters 9th Mar 2008
There's a difference between watching one country closer than another and simply stating flat out that one country is guilty of doing something they haven't done.

>>By your logic, I suppose we should apply the same level of scrutiny to both Iran and the UK then?

Yeah, you're stretching a bit here. I'm not saying there is anything wrong with keeping a more watchful eye on China than the UK, but I am saying that it is wrong to flat out accuse a country of doing something they haven't. The fact is, when it comes to our critical infrastructure, we should be cautious about any place we get products from.

-Nate
0 Votes
+ -
Ah yes...
bportlock 6th Mar 2008
... the "Boeing Rule".

"the U.S and China generally only buy from companies in their own countires when it comes to military supplies."

You do know that the USAF has placed a massive order with Airbus for tankers? The US Marines' AV8B is really a British BAE Harrier, British Aerospace is supplying key parts for the next generation of US fighters, and just about every US pilot for the last 40 years has sat in a British-made Martin-Baker ejector seat.

Just what I remember off the top of my head.......
0 Votes
+ -
Have you walked into a store lately?
croberts 6th Mar 2008
Where are your critical thinking skills?

Walk into any store... 90% of the stuff is made in China.

** Logically ** it makes sense to focus on China.

But I guess using your logic we should be worried about Tibet hiding secret backdoors into all those routers they are manufacturing...
0 Votes
+ -
RE: xenophobic?
nmcfeters 6th Mar 2008
Mr. croberts,

I believe if you re-read the article and don't, as you say, "get into a huff", you'll realize that I'm not claiming there isn't a very real threat from the Chinese. I simply state that the way the article was written makes it sound like this is already a known fact.

Nate
0 Votes
+ -
Point taken, but
bportlock 6th Mar 2008
"I simply state that the way the article was written makes it sound like this is already a known fact."

It would not be very effective to let your "enemy" know which product had backdoors built in. They would simply stop buying them. Backdoors are also very hard to detect unless you want to spend your time picking through a dump of all the router code.

Microsoft deftly illustrated the problem recently when a perfectly stable product threw a wobbler on 29th Feb. Backdoors and bugs share a common feature - they remain dormant and unobserved until triggered.
0 Votes
+ -
fully come to terms with leap years. The 29th of February seems to be VERY difficult to get right for them.
0 Votes
+ -
Agreed
croberts 6th Mar 2008
I would agree that the "known fact" aspect is wrong unless someone shows us some compromised firmware.

But by the same token, as you well know, security is about **assuming** the worst.

You assume people will bring viruses into the company so you ban floppies and USB keychain drives.

You assume laptops will get stolen so you encrypt the data on them.

Why would it be wrong to assume that China, which is a geopolitical competitor and not a friend by any stretch of the imagination, is in fact using its manufacturing resources to gain a backdoor into private networks and systems?

As an IT professional, I would feel negligent if I didn't consider the possibility and take pre-emptive measures.
0 Votes
+ -
RE: Agreed
nmcfeters 6th Mar 2008
The reason it is wrong is that you are classifying it to one group. Why not just assume that all routers are backdoored? It's just as possible.

It's also more important that you keep in mind the way the article was written, which made it seem like the Chinese had not only the capability to do this, but had already DONE IT.

I'm not arguing it's possible. I'm not saying we shouldn't consider it. I'm arguing against fear-based propaganda against one group of people.

-Nate
0 Votes
+ -
China is pretty good at selling.
hkommedal 7th Mar 2008
As ANY good salesman can tell you: You DO NOT upset your customers, because what takes long to build can be torn down in seconds.
China is actually better off practically OWNING a big part of the US (and others') economy. They have come a long way already. Why would they willingly ruin their best source of income?
China is known for thinking long-term strategy and they would NOT compromise their current strong economic position.
0 Votes
+ -
Applies to drug dealers too
croberts 8th Mar 2008
Drug dealers need addicts to make money, but that doesn't prevent dealers from blowing away addicts if they become too troublesome. I'm sure anyone in a major city knows that.

So even if the US is a needed customer at the moment, nothing is forever, and a culture as old as China's is willing to wait to achieve its ends.

We, on the other hand, can't get over the idea of thinking past the next financial quarter.
0 Votes
+ -
Hackers: Auf vieter zeine
D T Schmitz 6th Mar 2008
My home router has just one port open, ssh (port 22) with 'PermitRootLogin=No' in /etc/ssh/sshd_config.

And that's all it takes to attract a lot of unwelcome activity; here's a tail of /var/log/denyhosts (IPs have been masked in the last two octets):

2008-02-21 12:20:29,893 - denyhosts : INFO new denied hosts: ['61.247.*.*']
2008-02-21 15:09:30,877 - denyhosts : INFO new denied hosts: ['68.142.*.*']
2008-02-22 21:48:04,902 - denyhosts : INFO new denied hosts: ['200.57.*.*']
2008-02-29 00:27:51,634 - denyhosts : INFO new denied hosts: ['61.219.*.*']
2008-03-04 19:12:13,383 - denyhosts : INFO new denied hosts: ['83.242.*.*']
2008-03-05 07:59:16,123 - denyhosts : INFO new denied hosts: ['202.134.*.*']
2008-03-05 09:34:46,843 - denyhosts : INFO new denied hosts: ['195.86.*.*']


DenyHosts is a Python script which can be set up as a daemon on select routers running Linux (mine is a Linksys WRT54GL running DD-WRT) or on your Linux PC to parse your /var/messages log for sshd (SSH server daemon) activity.

Essentially, five failed login attempts adds the 'offending' IP address to the /etc/hosts.deny file and they're history. Buh bye. Auf vieter zeine!

It's difficult to obscure 'backdoor' code on routers running open source GNU/Linux, but otherwise, as a general rule, you can and should always assume that any open IP port exposed on the WAN will attract attention from just about 'anywhere' around the globe!

mKay? k wink
0 Votes
+ -
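The DenyHosts workflow the comment above describes (tally failed sshd logins per source address and block the address after five) as an added Python example; this is not code from the original post or from the DenyHosts project. The log lines are constructed, the regular expression assumes OpenSSH's standard syslog wording ("Failed password for [invalid user] <name> from <ip> port <n>"), the block list is expressed as tcp_wrappers entries of the form "sshd: <ip>", and the `allow` set is a hypothetical stand-in for a never-block list so a management host cannot lock itself out.

```python
"""DenyHosts-style failed-login tally over sshd log lines (added example).

Assumptions not taken from the comment: OpenSSH's standard syslog format for
failures, and /etc/hosts.deny entries written as "sshd: <ip>".
"""
import re
from collections import Counter

# OpenSSH failure record; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log. 198.51.100.0/24 and 203.0.113.0/24 are documentation
# ranges; 192.168.1.20 stands in for a LAN host that mistyped a password once.
SAMPLE_LOG = """\
Mar  5 07:59:10 router sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar  5 07:59:12 router sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar  5 07:59:14 router sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Mar  5 07:59:15 router sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Mar  5 07:59:16 router sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 40131 ssh2
Mar  5 08:10:01 router sshd[2110]: Accepted publickey for dave from 192.168.1.20 port 51000 ssh2
Mar  5 08:12:44 router sshd[2112]: Failed password for dave from 192.168.1.20 port 51004 ssh2
Mar  5 09:34:40 router sshd[2120]: Failed password for invalid user oracle from 203.0.113.9 port 33001 ssh2
Mar  5 09:34:41 router sshd[2120]: Failed password for invalid user oracle from 203.0.113.9 port 33001 ssh2
Mar  5 09:34:43 router sshd[2122]: Failed password for root from 203.0.113.9 port 33002 ssh2
"""


def count_failures(lines):
    """Tally failed logins per source IP and remember which user names were tried."""
    failures = Counter()
    users = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if m is None:
            continue  # "Accepted ..." and unrelated syslog lines are ignored
        ip = m.group("ip")
        failures[ip] += 1
        users.setdefault(ip, set()).add(m.group("user"))
    return failures, users


def denied_hosts(lines, threshold=5, allow=frozenset()):
    """IPs with at least `threshold` failures (five, as in the comment),
    skipping anything in `allow` (hypothetical never-block list)."""
    failures, _ = count_failures(lines)
    return sorted(ip for ip, n in failures.items()
                  if n >= threshold and ip not in allow)


def hosts_deny_entries(lines, threshold=5, allow=frozenset()):
    """tcp_wrappers lines that would be appended to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in denied_hosts(lines, threshold, allow)]


def mask_ip(ip):
    """Hide the last two octets, as the comment's log excerpt does."""
    first, second, _, _ = ip.split(".")
    return f"{first}.{second}.*.*"


def report(lines, threshold=5, allow=frozenset()):
    """Summary for the operator: masked IP -> (failure count, user names tried)."""
    failures, users = count_failures(lines)
    return {mask_ip(ip): (failures[ip], sorted(users[ip]))
            for ip in denied_hosts(lines, threshold, allow)}


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    for entry in hosts_deny_entries(sample):
        print(entry)
    for masked, (n, names) in report(sample).items():
        print(f"{masked}: {n} failures, users tried: {', '.join(names)}")
```

With the sample above only 198.51.100.7 crosses the five-failure line; the LAN host with one mistyped password and the 203.0.113.9 scanner with three attempts do not. The `allow` set matters when the threshold is lowered: a single typo from the machine you administer from would otherwise add it to hosts.deny and cut off your own SSH access.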
Denyhosts? That's no fun!
toadlife 6th Mar 2008
Why spoil the fun that sshd logs can provide??

wink
0 Votes
+ -
Anyone who would
ShadeTree 7th Mar 2008
... put a backdoor in a router would be smart enough to make it impervious to such methods and logs.
0 Votes
+ -
Ok, that settles it then...
D T Schmitz 7th Mar 2008
...everyone has a backdoor on their router. Hey thanks for the FYI!

(cough) Hit?
0 Votes
+ -
Ich bin ein Berliner!
D T Schmitz 7th Mar 2008
Ok, so 'I am a jelly donut'.

Later! wink
0 Votes
+ -
again, it is not the same as bye bye (may or may not see you again). With "Auf Wiedersehen" it is implied that you wish to see someone (or in this case, something) again. I am pretty sure you did not want to see it again. (Rather the opposite.)

By the way, I am not German myself, but I did learn some German at school, and a couple of trips to Germany helped, as well as having a few friends that speak German natively (I live in Europe so Germany is not so far away.) Just me trying to be accurate. (Don't always get it right myself.)
0 Votes
+ -
of a known Microsoft Windows vulnerability, Clem said. That allowed attackers to send spoofed emails that appeared to come from Pentagon personnel in Clem's division.
0 Votes
+ -
This is ridiculous
craneleeon@... 6th Mar 2008
I am in China.
What I see here is that most IT stuff (hardware/software) we are using here is American tech.
Yes, it may be produced locally, but most of the people who are producing or using it do not know the technology exactly.
BTW, most departments of the Chinese Government and Military are using Microsoft's Windows and Cisco's routers!!
0 Votes
+ -
Where is your logic?
pa2004 8th Mar 2008
Using American tech does not prove that China cannot build backdoors into their products. Furthermore, don't you know Microsoft opened Windows source code to China and Cisco built special routers for China?
0 Votes
+ -
Excellent points made
nucrash 7th Mar 2008
Can we even really trust American manufacturers at this point, with some of the Orwellian politics of the past few years?

Good ole Red Scare. Much like the Terrorist Scare, or the Avian Flu Scare. If not for media fear mongering, I don't think the news could fill up an hour-long news show, let alone the 24-hour news broadcasts that they do now.
0 Votes
+ -
"McCarthyism and the Red Scare"
ElderEagle 7th Mar 2008
Since you mentioned McCarthyism in the usual knee-jerk fashion, perhaps you might like to read for yourself a carefully researched account of the subject: "Blacklisted by History: The Untold Story of Senator Joe McCarthy and His Fight Against America's Enemies", by M. Stanton Evans.
0 Votes
+ -
RE: McCarthyism and the Red Scare
nmcfeters 9th Mar 2008
I'll grab the book tomorrow. I'm not sure I used "McCarthyism in the usual knee-jerk fashion", but I'll bite since I do enjoy a good read. Perhaps you might paraphrase a bit of the arguments made here so that we might continue the discussion? I doubt I'll be able to finish the book until a couple weeks from now.

-Nate
0 Votes
+ -
Check out this article, and Google some more (I couldn't find it on ZDNet)

http://www.networkworld.com/community/?q=node/25519

Over the last three years more than 400 seizures of counterfeit Cisco network hardware and labels with an estimated retail value of more than $76 million have been seized.

"Crimes like these threaten international commerce, national security and the very safety of our citizens," said Julie Myers - Homeland Security Assistant Secretary for ICE.

"Throughout this investigation, the cooperation and partnership that we received from Cisco Systems, our law enforcement colleagues, and Chinese counterparts are a clear example of the results that can be realized through industry, interagency and international cooperation."


The FBI named its portion of this ongoing initiative Operation Cisco Raider - an international, coordinated investigation of 15 cases involving nine FBI field offices.

The FBI worked closely with law enforcement partners including ICE, Defense Criminal Investigative Service, General Services Administration, Department of the Interior, Internal Revenue Service, and the Royal Canadian Mounties.

Over the last two years, Operation Cisco Raider has resulted in 36 search warrants that identified approximately 3,500 counterfeit network components with an estimated retail value of over $3.5 million, and has led to a total of ten convictions and $1.7 million in restitution.
0 Votes
+ -
infringement (software patents do not count for much outside the US), NOT incorrect software with backdoors.
So no malware, but abuse of copyright. (Bad enough !)
0 Votes
+ -
RE: Hang on a moment...
nmcfeters 9th Mar 2008
Yes, this is a good point. I actually saw the same Operation Cisco Raider article from a mailing list I'm on. Perhaps the bigger point to keep in mind here is, why do we care so much about copyright infringement in China? Couldn't we better spend our efforts investigating backdoors in software in products we get from around the world?
0 Votes
+ -
We didn't get hit with Code Red
John L. Ries 7th Mar 2008
My company wasn't running IIS back then (sorry to say, we are now, but...). Got to see lots of attempts in the server logs, though.
0 Votes
+ -
It really doesn't matter where the routers are made, just so long as the firmware is created here in the States by cleared personnel. You also have to watch for the backdoors the spooks want to put in the firmware domestically. Time to get some testing equipment to see what your own equipment is really doing.
The cows walked out of the pasture, through the government-sponsored virtual fence, and were served up with rice and onions years ago. It doesn't exactly warm my heart that our security, ahem, "leadership" has only begun to worry (if they actually have) after belching and farting through that indigestion. When will the same realize that the farm has also been given away? In the 1980s I worked on technology projects for developing oil and gas exploration in mainland China. Our good friends on the mainland disassembled EVERY type and brand of product, not just one or two, that we shipped to them. They had an interesting approach: they were reverse-engineering everything from machinery, trucks, electronics (boards and components), then claiming they had been cheated with inferior goods because a standard truck chassis had extra holes to accommodate a plethora of mounting options or a circuit board had optional lands for components not deployed for a particular revision. My employer lost his shirt and eventually his company out of stupidity. The mind-numbing, blind, bottom-line greed focus hasn't changed.
I've watched our "leadership" make the same mistakes over and over for a few dollars up front. Why is anyone surprised? That's the most frustrating thing of all, to me.
Screw routers and switches. This same sort of article was written a few years ago about the lack of security on USB drivers and the broad potential for the likes of backdoor installation. Anyone got a USB dongle they want to stick into a computer? No, of course not. My mind must be wandering somewhere in a happy, green pasture.
0 Votes
+ -
I think the USA should be a bit open-minded when it comes to trading with foreign countries. The globalisation of industries has led us to trade, manufacture and work together. If someone is afraid of Communism, it's best that you hide yourself in a bomb shelter forever.

Personally, I went to China and have a few Chinese friends. Obviously, I couldn't sense a Communism Scare at all, except looking at pathetic US citizens that might have never been out of their shells (country) and accusing Communism with false claims of potential threats to the society. The growth of middle-class families in China is so dramatic that you can basically see freedom of speech on the street, provided that you can understand their language.

The lack of understanding of a foreign country's culture and mindset has led the USA into wars in the Middle East. I do think that we need to change our mentality over time, or else I can sense disaster approaching, because every war we create brings us further into debt. Are they necessary?

The USA's NSA came up with spying on cellphones, internet, email and instant messaging for anything that they felt was a security threat. By the way, NSA sold important information to Boeing about an Airbus deal with Emirates Airline in the past. Eventually, Emirates Airline bought planes from Boeing instead of Airbus. So who's calling the kettle black?
