What the Situation in Finland Teaches Us About ISP-Supplied Routers (a Global Problem, Back Doors Increasingly Rampant)
This subject has barely been explored in two years and it was a very hot topic ten years ago [1, 2] (the boon of Edward Snowden's NSA and GCHQ leaks; approximately 99% of them will never be seen [1, 2]):
THE post we deal with today is a bit long. An old article from YLE (yle.fi, the national broadcaster in Finland), was entitled Supo varoitti reitittimien tietoturvauhasta – tarkista kotona ainakin nämä kuusi asiaa kuntoon (Supo is the spy agency in Finland) and it was brought to our attention today. This post will deal with Finland in general, Telia more specifically (a very large ISP in Finland), and then the international trends, which extend to BT (see screenshots at the top). I know a lot about BT, including from the inside.
"Here," (in Finland) Sompi said in IRC, there are "many Internet connection types where the customer cannot even choose the router model themselves. For example cable internet is usually that way And the ISPs are actively distributing those Huawei-branded shit routers that they don't even control themselves."
"And [a] couple of years ago Telia offered so-called "hybrid connections" which were basically two connections in the same box, the other being 4G and the other being VDSL2+ and the router tried to distribute the load evenly between those two connections. The routers and their firmware were bought cheaply from some company called Sagemcom and they were OK from the start, but then Sagemcom started to push force[d] updates to them and most of their features were removed [...] Telia could not control the updates at all [...] also with these "hybrid connections" the end-user cannot choose the router themselves. I think they are doing everything on purpose to make security actively worse and just hoping that there are more backdoors for CIA than there are for Russia's and China's intelligence agencies."
"If the providers were not selling 'stolen' copies of OpenWRT," another person said, "it would be trivial to update the routers' firmware and keep it secure. The security failure is thus not a technical problem, that has been solved. It is entirely a legal and ethical problem. Furthermore it leads to unnecessary e-waste as people are told the throw out routers and buy new ones rather than simply update the firmware."
This apparently boils down to "theatrics", said this person. "The above [from YLE] is also a smoke screen to distract from the more severe and prevalent security holes on the desktop called Windows."
Sompi checked and looked around for some old references and said that "those hybrid routers had a backdoor for the ISP, and someone wrote an article to the Internet about it but seems that Google does not find it anymore [...] I actually have two of those routers [...] the exact model [is] Fast 5370 Air..." (there's more information in this page)
How did the ISP respond? Here:
Telia tries to threaten the researcherThe report was responsibly disclosed to Telia and a copy sent to CERT LT (NKSC). What happened next was a little bit of a surprise to the team. There were rumours previously about Telia's poor tech level, but we have experienced this in a real case.
First, Telia did not have a PGP key and did not know how to use it, so instead they asked us to ZIP the report with password and send the password over a separate email (private GMail). I hope Telia's engineers will be reading this article, so I would like to explain why the report should be encrypted. This is to protect you as the affected vendor. If there is a man in the middle who can intercept all the researcher's traffic, it will be very easy to get the ZIP file in the first email and then the password in the second email. Instead, PKI like PGP only allows to decrypt the report by the private key owner, ensuring that nobody else can intercept the report and exploit the vulnerabilities before you fix them all.
Second, Telia tried to threaten the reporter for the vulnerability discovery:
Translation:
Thank you for the information Are you sure you did not violate the electronic data protection law?Original:
Dėkojame už informaciją. Ar tikrai tyrimą atlikote ir neviešus elektroninius duomenis rinkote nepažeidžiant galiojančių įstatymų?And then they once again mentioned that they will check if this report wasn't a hacking attempt and that they will persecute any reporter that discloses any information about Telia vulnerabilities:
Translation:
Thank you for the information. We will continue to check whether you made your report legally without violating any law. And we will ensure that no fake information will be published that could do any harm to the company's reputation and to the critical part of Lithuanian network infrastructure.Original:
Dėkojame Jums už pasidalintą informaciją, kurios surinkimo teisėtumo vertinimą toliau atliekame ir tikimės, kad į viešumą nebus paskleista tikrovės neatitinkanti ar neteisėtai gauta informacija, kuri darytų žalą bendrovės reputacijai ir tuo pačiu sėtų nepasitikėjimą kritine Lietuvos ryšių infrastruktūros dalimi.
We will not comment on this and let the IT community to judge. At the same time we will no longer provide any reports in any form to Telia company.
[...]
And finally, we found that the hash was cracked and was available in the old "weakpass" database. You can search for the "old" weakpass database (sometimes named "First version of weakpass") and grep it - password is there. This means that most probably we are not the first who were able to penetrate Telia.
"Google found only this," Sompi added, "but this was not the article I read earlier [...] But that may be connected to the earlier article that cannot be found anymore - there are some mentions about Telia threatening security researchers [...] It may also be that the original article about those backdoors is still somewhere in internet but it has been censored from the major search engines [...] Archive.org probably has it somewhere..."
If people cannot find it, then this can reinforce the idea or the perception that Google and its bottom feeders are not about search, as over time they integrate more censorship and proactive brainwashing.
Anyway...
That's in Finland. Here in the UK I've learned (from the media) and noticed the same with BT. The reports I saw a decade ago are still online and Google does not seem to hide them. As it turns out, BT changes the software on routers upon each reboot (it is essentially like it is remotely controlled from the moment it bootstraps) and a senior BT engineer explained it to me almost a decade ago. He asserted that it cannot be trusted. I wrote about it in my personal blog back then and suffice to say, he does not think the BT routers provide any real security. It's simply not the goal.
Is this an international thing, a NATO member thing, or limited to certain ISPs? It's hard to tell, as those things are shrouded in secrecy for "law enforcement" or "national security" reasons. Definitive confirmations are hard to find and companies can work hard to discredit leakers and other kinds of whistleblowers. The media just "believes" companies and sometimes takes bribes from them in the form of "sponsorship" or "ads".
This is what Telia has in its site ("telia hybrid router fast 5730, portit ja tutkimustyö"). "In that forum thread," Sompi said, "an employee of Telia admits that there is an ISP backdoor in those routers [...] Those routers were very unstable, they crashed and rebooted when the user tried to resolve certain DNS addresses [...] When a factory reset was made, they were ok for 15 minutes and then they loaded and installed all Sagemcom updates that even Telia did not have any control over, and lost all their features. They used to have a proper control panel and IIRC even a telnet prompt. [...] And probably that crashing after certain DNS resolve attempts were because those routers are snooping all DNS traffic and some strings just cause them to crash because the snoop code is crap. For example, trying to resolve randomi.fi always instantly crashed the router..."
There seems to be overlapping agenda across the EU and beyond. From what we can gather, those observations seem like a universal trend. The FSF-EEE did some work related to this (European people choosing what goes in the data socket, with operating systems like LEDE/OpenWRT).
"But I think that SuPo is only worried about those routers having backdoors for China and Russia," Sompi said. "Then they actually want them to have backdoors for CIA and SuPo themselves and don't want people to use any free router firmwares."
As I noted and even ranted here in the past, sometimes the updates create more bugs than they fix. They install new firmware and reboot without even informing the users and then some things "break" (without an explanation or even an apology). You spend hours trying to diagnose everything, sometimes phone up the company, only to realise it is due to some newly-introduced bugs (no workarounds suggested), and then you must wait for the next update, which might take months to come, so this is enshittification exemplified. To be rather sarcastic or cynical about the whole thing, it good that we don't live in Russia... where the government spies on everything at the data/packet/pipe level.
Supo is warning not against those government back doors but about people who avoid those back doors by installing their own routers. "That's why that warning about them backdoors just makes me annoyed," Sompi said. "Also just updating the router firmware to its latest version does not even help anything because the latest version also comes from Huawei, of whoever made the router [...] And SuPo DOES NOT WANT that people would use free router firmwares because then they would also lose control themselves."
Let this be another example where "security" to them means "we control you"; and perhaps that was always it when the said "national security", often a euphemism for universal back doors. Just like with "secure" boot or CAs (the ones controlled primarily by the US). Now we have sigStore, which Red Hat promoted in its official site the other day. For those who aren't aware or haven't been keeping up, sigStore means that GAFAM + IBM are in control of what you can run on your own machine (which programs can be executed). Think of it as Apple and iOS, not Android (but Android too is leaning in this direction, where installing and running a program of one's own choice gets demonised as "sideloading" or a "break-in").
They pretend this is about security, but the exact opposite is true and now Google says Ogg is not secure (when in fact WebM is far riskier). Google is a spying company, not a security firm, and Chrome in general is a massive, gigantic back/bug door. "It is not the fault of the file format itself if something bad happens," Sompi said. "It is always the program that parses it" (Google's WebP monoculture already turned out to be a total catastrophe).
For those who want to know more, see what we said this morning [1, 2, 3] or read today's IRC logs. This past summer in Pisa Richard Stallman cautioned that security no longer means what it used to mean. █