Author Topic: BT & GCHQ  (Read 3322 times)

ryant704

  • Reg Member
  • ***
  • Posts: 318
BT & GCHQ
« on: November 02, 2014, 06:37:08 PM »

"The CPE with that particular backdoor, are the ADSL2 and VDSL2 modem/routers supplied by the "Openreach" division of the incumbent British Telecom. Around ten million of these CPE have to date been supplied to households and businesses."

http://cryptome.org/2014/10/BTAgent-cpe-backdoor.htm

I've just got halfway through, very interesting...



----
edited by admin - slight change to topic title
« Last Edit: November 04, 2014, 12:00:34 AM by kitz »

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33888
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: BT & GCHQ
« Reply #1 on: November 02, 2014, 09:22:08 PM »

Not sure what this is all about.  For a long time there have been suspicions about the BTAgent and what it does, way before this document was published.

This is the document which claims the link between BT modems and NSA/GCHQ - http://cryptome.org/2013/12/Full-Disclosure.pdf

Quote
Uncovered – //NONSA//NOGCHQ//NOGOV - CC BY-ND

Special AgentBT

This “special“ software installed on all modems provided by BT called BTAgent.
This software listens on port 161, which is the IANA assigned port for Simple Network Management Protocol (SNMP), anyone looking at this process would automatically assume this to be the case. SNMP type programs are often referred to as SNMP Agents.
The primary purpose of BTAgent is unpublished, but a version has been partially reverse engineered and the software does download firmware and update the modem's flash.
BT responses to queries about their BTAgent is to claim that they need to “remotely manage modems for security purposes”.
User concerns with BTAgent:

1. It's closed source
2. Users cannot turn it off
3. The secretive nature and responses from BT
4. Users cannot upgrade the firmware using BTAgent
5. Port 161 is open to the public internet

The second (special) purpose of the BTAgent is purely reverse reverse psychology and designed to keep you wondering about it, to cause you to waste your time reverse engineering it, when it may well be what it says on the tin and while you're thinking about BTAgent you're not thinking about the other network interfaces such as ptm1.301 and the dhcpc requests which all look innocent but actually perform the dirty deeds right in the open.
When you reverse engineer BTAgent and publish your results, this allows the NSA/GCHQ to target you for other types of attacks.

We should remember, that with a single Firmware update from BTAgent, it could morph itself into what we originally feared!

I see we even have a mention in there!
Then comes a document that it's not a conspiracy - http://blog.erratasec.com/2013/12/dod-address-space-its-not-conspiracy.html#.VFaXcxa6h40

Quote
DoD address space: it's not a conspiracy
By Robert Graham
Recently on Cryptome (the better leaks than wikileaks site), a paper appeared pointing out that BT (British Telecom) assigns all their modems an extra address in the 30.x.x.x address space, and then attaches SSH and SNMP to that address. This looks like what many ISPs do, assigning a second IP address for management, except for one thing: the 30.0.0.0/8 block is assigned to the United States Department of Defense. This has caused a fevered round of speculation that this is actually a secret backdoor for the NSA/GCHQ, so that they can secretly monitor and control people's home networks.

Maybe, but it's probably not the case. The better explanation is that BT simply chose this address space because it's non-routable. While it's assigned public address, it's only used inside the private DoD military network. Try tracerouting to that address space, you'll see that your packets go nowhere.

Thus, it's a good choice for pseudo-private address space.

This sort of thing happens a lot. I (or others I trust) have seen 1.0.0.0/24, 22.0.0.0/24, and other instances of 30.0.0.0/24 used this way. I can confirm that companies use DoD address space as private addresses. Just because it's DoD doesn't mean they route to the DoD.

The reason all these address spaces are DoD is because that's really the only source of unused IPv4 addresses left. All IPv4 address ranges have been assigned. But, the DoD has been assigned 20% of the IPv4 address space, but most of it is used within the DoD, on their own private networks, and is not routable to the outside world. Thus, if you are looking for a large chunk of "private" addresses that won't suddenly one day be assigned to Akamai or Amazon (and thus, explode in your face), then DoD addresses are the way to go.

There are a couple good reasons for going with this approach. The first is that existing private address spaces (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12) are frequently used inside a home network, and thus, might cause some routing confusion if also used outside a home gateway. The second is that for a large company like BT, with millions of customers, they may have exhausted the private address space. The 10.x.x.x network has only 16 million possible addresses, and due to the way it needs to be carved up and routed, would be useful for quite a bit fewer than that. Thus, they may need a few /8 address chunks to adequately cover everyone for a management network.

What I'm trying to get to here is "Occam's Razor". For many people, when they see the 30.0.0.0/0 address, and that it's assigned to the DoD, their simplest explanation is that the DoD is spying on people's home modems. Those of us with more experience see that the most obvious explanation is that BT chose this as pseudo-private address space.

Update:
To be clear, that paper contains nothing that is evidence of NSA spying. I may have missed something, because I only skimmed it, skipping the paranoid ravings, but none of the technical details show anything amiss. Many ISPs provide custom firmwares for the modems they sell. These firmwares typically have a management "backdoor" so that the ISP can monitor and/or control the modem. Many, many networks use publicly allocated DoD addresses inside their network as private addresses.






Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker
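
An added example, not part of the thread or of the quoted blog post: a Python check that sorts a modem's interface addresses into the categories the quoted explanation uses (RFC 1918 private, publicly allocated space reused as pseudo-private, anything else) and reports subnets that overlap, which is the "routing confusion" case the quote describes. The interface name ptm1.301 comes from the quoted document; the other names, all addresses and prefix lengths are constructed, and listing only 30.0.0.0/8 as reused space is an assumption taken from the quote.

```python
import ipaddress

# RFC 1918 private ranges named in the quoted post.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Publicly allocated block the quote says is reused as pseudo-private space.
# Assumption: only 30.0.0.0/8 is listed; add other blocks seen on your own kit.
SQUATTED = [ipaddress.ip_network("30.0.0.0/8")]


def classify(addr):
    """Return 'rfc1918', 'squatted-public' or 'other' for one IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if any(ip in net for net in SQUATTED):
        return "squatted-public"
    return "other"


def audit(interfaces):
    """interfaces: list of (name, 'a.b.c.d/len') pairs read from the device.

    Returns (classes, clashes): the class of each interface address, and the
    pairs of interfaces whose subnets overlap, so a route to one would shadow
    part of the other.
    """
    parsed = {name: ipaddress.ip_interface(cidr) for name, cidr in interfaces}
    classes = {name: classify(str(i.ip)) for name, i in parsed.items()}
    names = sorted(parsed)
    clashes = [(a, b) for n, a in enumerate(names) for b in names[n + 1:]
               if parsed[a].network.overlaps(parsed[b].network)]
    return classes, clashes


# Constructed sample 1: management interface numbered out of 30.0.0.0/8.
SAMPLE_OK = [("br0", "192.168.1.1/24"),      # home LAN bridge (hypothetical)
             ("ptm1.301", "30.150.12.7/21"),  # name from the quoted document
             ("ppp0", "203.0.113.5/32")]      # documentation address as WAN
# Constructed sample 2: management network numbered out of 10.0.0.0/8 while
# the home LAN also uses 10.0.0.0/24.
SAMPLE_CLASH = [("br0", "10.0.0.1/24"), ("mgmt0", "10.0.0.77/8")]

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_CLASH):
        print(audit(sample))
```
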

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33888
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: BT & GCHQ
« Reply #2 on: November 02, 2014, 09:24:51 PM »

What I do know for sure, is something that I've found out just within the past few days:

As you guys know I've recently had a line fault.. and for the past week or so my ISP have been saying that they've been unable to run any GEA tests on my line - they don't even know at what speed I'm syncing at, never mind be able to see the amount of errors I've been getting.

I've been getting messages on my ticket such as

Quote
2:30pm, Friday 24 Oct 2014
I have attempted to test your connection and this is not allowing me to see the status check


Quote
8:04pm, Monday 27 Oct 2014
I have attempted to retest the line /snip/ it is not giving me any GEA results.

As you have mentioned your line is no longer DLM banded, to confirm this can you confirm the sync and throughput rates you are currently seeing. I shall attempt to retest this again tomorrow with the hope it will go through the system

Quote
6:12pm, Friday 31 Oct 2014

Line remains stable, unable to confirm sync. Not allowing GEA to complete, no issues apparent, PTTR passing, suspect resolved.

At which point it dawned on me that my ISP possibly can't get any info about my line because I'm using my own router and not the BToR modem with BT Agent..
The only info they have is my IP profile from the PTTR test.

It's 100% certain that the ISP can't run the GEA service test when you use your own modem/router.

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7409
  • VM Gig1 - AAISP CF
Re: BT & GCHQ
« Reply #3 on: November 02, 2014, 11:10:35 PM »

You don't need btagent for the GEA tests kitz, plusnet ran them on my line and as you know I keep that thing disabled.

Plus I think the NSA stuff is paranoia :) it's probably just used for remote firmware updates, remote reboots etc.

I cannot confirm on the own modem thing tho, although I would find that odd.  The dslam will know what speed you synced at.

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33888
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: BT & GCHQ
« Reply #4 on: November 02, 2014, 11:35:04 PM »

Quote
You don't need btagent for the GEA tests kitz, plusnet ran them on my line and as you know I keep that thing disabled.

I always kept it disabled too when using the HG612.  But there is something in the BT modems which allows the GEA tests to run that own modems don't.   I recall reading it somewhere ages ago (possibly on the Zen site), but I only remembered again this week when PN kept saying they couldn't run any of their tests on my line.

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33888
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: BT & GCHQ
« Reply #5 on: November 03, 2014, 12:04:59 AM »

Knew I'd read something about it somewhere.. it was from Zen

Quote
We have successfully tested the service using a VDSL2 router, the Speedtouch 789.

One thing we learnt was that the GEA service test queries the modem via its separate TR69 tunnel used for firmware updates etc. If the test cannot see the modem then the test will not run.

------------

Should also add that with FTTC there aren't any TAM test heads in the street cabs
« Last Edit: November 03, 2014, 12:11:26 AM by kitz »

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7409
  • VM Gig1 - AAISP CF
Re: BT & GCHQ
« Reply #6 on: November 03, 2014, 08:39:20 AM »

tr069 was also off kitz.  I had both disabled.

I am pretty sure also in the past plusnet have run GEA tests on my line whilst I had the fritzbox in, which has no btagent or tr069 at all.  Granted things may have possibly changed but given self install is now being pushed such a requirement for tests would seem counter productive.

Black Sheep why don't you run a GEA test on my line so we can see if it works :p I have a billion 8800nl as my modem currently.  Last time you didn't want to do it but I guess as you're running it for others now you changed your mind.

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: BT & GCHQ
« Reply #7 on: November 03, 2014, 05:12:32 PM »

No doubt we have all glanced at the subject line of this thread and assumed what it read -- as our inbuilt error correcting code has performed its duty and fixed the result of Ryan's finger slippage.

b*cat, having noticed that something was not quite right, has interchanged two adjacent letters in the subject line . . .  :angel:

:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33888
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: BT & GCHQ
« Reply #8 on: November 03, 2014, 11:59:24 PM »

Quote
as our inbuilt error correcting code has performed its duty
heh, you're quite correct, I see it and interpret it as GCHQ without a second thought.  :D

Amended thread :)


Dray

  • Kitizen
  • ****
  • Posts: 2361
Re: BT & GCHQ
« Reply #9 on: November 05, 2014, 10:58:09 AM »

Quote
Human rights charity Reprieve has submitted a complaint to the UK government asking that BT be investigated for violating international guidelines through its involvement in the US’ covert drone programme.

Identified as a top GCHQ collaborator under the codename REMEDY, BT is paid “tens of millions pounds annually” to provide an array of cables and wiretaps that allow intelligence agencies to monitor 90% of the telecommunication traffic crossing the UK.
http://www.reprieve.org.uk/press/2014_11_05_BT_OECD_intelligence_sharing_drones/
« Last Edit: November 05, 2014, 11:02:13 AM by Dray »