Protect Against NSA Backdoors in Networking Gear

Monday Oct 21st 2013 by Joe Stanganelli

Has the NSA built a backdoor into your enterprise's networking stack? Learn the dangers and how to protect your enterprise's sensitive data.

In the wake of revelations by former NSA contractor Edward Snowden about US national security practices, data security debates in the technology sector have reached a fever pitch. Networking professionals should be concerned. 

Especially worrisome are disclosures that the NSA induced companies to include backdoors in their products to enable the NSA to exploit and spy on users. The result has been a global ripple effect. Other nations are stumping to build technological defenses, while foreign clients are fleeing the US datacenter market (with the European cloud industry cashing in), all for fear of Uncle Sam watching their every move.   

A big part of the problem is that, according to reports, the NSA worked clandestinely to:

  • Insert a backdoor into a pseudorandom number generator known as Dual_EC_DRBG ("Dual Elliptic Curve Deterministic Random Bit Generator");
  • Get Dual_EC_DRBG endorsed by the National Institute of Standards and Technology as part of a NIST standard;
  • Get the now-compromised NIST standard accepted by the International Organization of Standardization – which has 163 member-nations.

Shortly after Dual_EC_DRBG was released as part of a NIST standard, cryptographers were baffled with some of its quirks. Poking and prodding it, they soon found weaknesses in the code. Then, in March 2007, two Microsoft researchers – Dan Shumow and Niels Ferguson – unveiled a serious backdoor (thought to be merely a "possib[le] backdoor" at the time) in Dual_EC_DRBG. Shumow and Ferguson found that if an attacker knew or could determine two particular values used to generate Dual_EC_DRBG's output points, the attacker could then figure out all of those output points, thereby cracking the cryptography. It was unspecified how the particular values in question (including an unspecified constant) had been derived.

At that point, Dual_EC_DRBG became widely discredited. Nonetheless, many major vendors (such as RSA) continued to use it for years, until very recently. Worse, some might still use Dual_EC_DRBG.

NSA backdoors in routers

"There have long been rumors in the networking community about possible [government] backdoors in major networking vendors' firmware and network stacks," networking professional Nicholas Merrill told  Enterprise Networking Planet. Merrill is founder and executive director of the Calyx Institute, a data privacy and cybersecurity nonprofit in New York.

Routers may be particularly vulnerable. Data security consultant Robert Graham estimated that 20 percent of all routers and half of all industrial control systems have some form of vulnerability or backdoor. It is little wonder that the NSA documents have reportedly demonstrated that the NSA prefers attacking routers.

"This is an especially fruitful avenue of attack," blogged Bruce Schneier, a cybersecurity expert who has reviewed many of the NSA documents. "[R]outers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability."

Other hardware backdoors, too, are far from unheard of. Printers have been known to have backdoors that threaten an entire private network. In 2012, UK researchers discovered a backdoor embedded within a chip (specifically, the Microsemi/Actel ProASIC3).

The dangers of NSA backdoors

And for many enterprises, the growing concern about these goes beyond government surveillance. Backdoors, even those built by the government, mean a greater chance of hackers getting through. "The risk is that when you build a back door into systems, you’re not the only one to exploit it," said Matthew D. Green, a cryptography professor at Johns Hopkins University.

This very thing happened from 2004 to 2005 when hackers infiltrated a Vodafone lawful intercept system so as to spy on the Greek government. In doing so, they were able to listen in on the cellphone calls of more than 100 high-ranking government officials, including the prime minister of Greece, the mayor of Athens, and US embassy employee.

"That incident was made possible by backdoors built into phone switches in order to comply with [laws like] CALEA," Merrill pointed out. CALEA – the Communications Assistance for Law Enforcement Act – was passed in 1994 to require telecommunications carriers and telecommunications equipment manufacturers to build in real-time surveillance backdoors for law enforcement. The European Union followed suit with a similar resolution the following year.

These system breaches can be serious for the enterprise. The devastating results can include (but are not limited to) private data exposure, data loss, intellectual property theft, and even potential legal liability (particularly involving a breach of unencrypted data). Indeed, in a real-life Greek fable worthy of Aesop himself, authorities fined Vodafone €76 million after the lawful intercept system breach.

Consequently, it is important for enterprises to take steps to guard against any kind of network vulnerability – government-induced or otherwise – to the extent legally and feasibly possible.

How to detect—and protect against—government backdoors

Fortunately, there are things both enterprises and privacy-conscious individuals can do to protect their networks and systems. For starters, "[i]t's impossible to overstate the importance of logging," wrote Vassilis Prevelakis and Diomidis Spinellis, members of the Institute of Electrical and Electronics Engineers. Periodic log data review was what eventually led to detection of the Vodafone infiltration.

Many security experts, including Schneier and Merrill, further recommend open-source encryption and open-source software. Open-source solutions are peer-reviewed and therefore less likely to contain vulnerabilities, and endpoint software is particularly vulnerable to attack.

Schneier also recommends air gaps for machines storing particularly sensitive data. An air gap is a physical isolation of a device or local network from the Internet. The general idea is that you connect a computer as little as possible to the Internet upon initial configuration, and then take steps to forever keep it completely disconnected after that. Other security steps are necessary too, such as disabling autorun features and using small portable storage devices. (Schneier wrote a blog post here that describes this process in detail.)

Schneier further recommends using hidden services, such as Tor. "Yes, the NSA targets Tor users," he acknowledges, "[B]ut it's [more] work for them. … The NSA has turned the fabric of the internet into a vast surveillance platform, but they are not magical. They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible."

Joe Stanganelli is a writer, attorney, and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved