24 October 2014 BTAgent - CPE backdoor Date: Fri, 24 Oct 2014 16:00:01 +0100

Subject: BTAgent - CPE backdoor

To: cryptome[at]earthlink.net



I am a British national.



My background is in electronic engineering, embedded systems development on various architectures, and software engineering in C / assembler.



Back in December 2013, you published a series of articles about a "backdoor" discovered in CPE (consumer premises equipment); modem-router devices that are supplied en masse to subscribers of internet services in Britain.



See:



http://cryptome.org/2013/12/Full-Disclosure.pdf

http://cryptome.org/2013/12/full-disclosure-comments.htm

http://blog.erratasec.com/2013/12/dod-address-space-its-not-conspiracy.html



The CPE with that particular backdoor, are the ADSL2 and VDSL2 modem/routers supplied by the "Openreach" division of the incumbent British Telecom. Around ten million of these CPE have to date been supplied to households and businesses.



The same backdoor (dubbed BTAgent) is found in all recent models of BT HomeHub; the MIPS-based BT Business Hubs; and the latest VDSL2 modem-routers: the MIPS-based Huawei HG612 and ECI B-FOCuS V-2Fub/I and /R (both revisions B1 and B2)



These devices are supplied 'free of charge' by British Telecom. Until recently they were installed in the consumer premises by visiting employees or agents of the company itself.



The author/s of those articles you host, above, make reference to two online blogs about this "backdoor" discovery.



Those blogs are mine, and all content, when not stated otherwise, is my own. However, the blogs are published under a Creative Commons Share-a-Like License; and I am happy that the information discovered is being shared.



---------



To add to what has already been disclosed above, it has been possible to "unlock" and gain a (remote) root shell on the Trimedia-based (VLIW) BT Business Hubs.



These Trimedia TM3260 devices (a very unusual five instruction slot parallel-processing platform ideal for DSP work, formerly a division of Philips now NXP). These devices are also supplied by AT&T for its U-Verse VDSL2 service.



Some of the (earlier) discoveries concerning the Trimedia CPE are documented here:



http://hackingbtbusinesshub.wordpress.com/



---------



Most/All(?) of the BT CPE utilise the same 2048 bit RSA keypair for remote access to these devices. At the time of that discovery (August 2011) I wrote this:



From http://huaweihg612hacking.wordpress.com/?s=public+key :



"God knows who holds the corresponding private key. Hopefully just responsible adults in British Telecom (if there are any!)"



---------



I also run other blogs/websites related, more or less, to intelligence and security.



One website concerns media fakery, and the detection of fake news stories through image forensic analysis.



For example, using Error Level Analysis (ELA) to detect flaws in a "photo"; flaws that can suggest "faux-to-shopping".Â Â ELA relies on an inverse DCT transformation; shifting the image entropy from the spatial domain back into the frequency domain.



This ELA technique is used to visually detect any conflicting compression levels in an "photo"; indicating composite fakery in an image.



See: http://fotoforensics.com/tutorial-ela.php



---------



On 19 June 2014, in relation to discoveries published on my media fakery blog, my home in Shropshire was raided by six police/intelligence officers; only two of whom identified themselves.



An undocumented quantity of electronics equipment, including modems, computers, media storage devices, and paperwork was seized.



The actual grounds for my arrest was cited as "harassment". This concerned a suspected fake news story that had been exposed on my blog.



Evidence of media fakery that implied corruption in the local health authority and indeed in NHS England. It was one of many similar fake news stories - viz the engineered "Mid Staffs Crisis" used to provide the pretext for rationalising and closing health facilities across the country.



During the police interview -- both in the "informal chat" before the official interview itself, and during that formal tape-recording grilling -- I was probed by detectives on topics quite unrelated to my arrest.



In wholly irrelevant circumstances, I was grilled over my role in "unlocking" these CPE, and in my motives for doing so. Not in any way relevant to the accusations filed against me.



In interview, I brushed aside the serious espionage implications of having backdoors in CPE; believing that -- for whatever reason -- everyone has a right to choose what software is running on electronic equipment installed in their own home or office.



Nevertheless, I am expected to appear in court in a couple of weeks, for a preliminary hearing into that spurious (IMHO) charge of harassment.



I suspect that these allegations were engineered to intimidate and silence my security disclosures in the future, and to gain access to sensitive electronics equipment (including several DSLAMs) housed in my home.



As an aside, slow progress (currently on pause) has been made in extracting and scrutinising the firmware in the Huawei MA56xx series of DSLAM; equipment used widely in Britain and elsewhere.



These DSLAMs are telco central office / curb-side kit which elements in the US-USA security apparatus are claiming has firmware with backdoors installed by the Chinese secret service. Pot Kettle Black!



See: http://insidehuaweima5616msan.wordpress.com/



---------



Apologies for the ten month delay in responding, after your initial disclosure, Hopefully, this is still relevant though.



It was only a few days ago when viewing some Apache logs, and noticing hundreds of referred hits from your site, that I became aware that these CPE backdoor discoveries had also been discussed on cryptome.



---------



Finally, to end on a point which has been overlooked, so far as I know:



The rebuttal commonly cited in response to these CPE backdoor concerns, is that MI6/CIA/GCHQ/NSA/TLA et al, have no role, since they have centralised facilities of their own for internet espionage. They therefore don't need CPE backdoors.



However, interceptions performed at that centralised layer of the Intelligence Apparatus, would presumably require authorisation under the 2000 Regulation of Investigatory Powers (RIP) Act.



Whereas clandestinely logging into an individual's CPE through that BTAgent backdoor can obviously be done without any official oversight, and from anywhere in the world.



A CPE backdoor brings advantages that could not otherwise be achieved through centrally-performed surveillance, like that undertaken (allegedly) at the Donut - GCHQ's sigint facility in Cheltenham.



e.g. with remote access via a CPE backdoor, the local ethernet port on the CPE can be put into "promiscuous mode" and all ethernet frames on the local network snagged. Allowing, for example, the snooping of traffic to a networked local printer in an office. Surveillance couldn't easily be done without access to a device on the local ethernet. Hence the usefulness of a CPE backdoor.



Thanks for your time, and keep up the good work!



Cheers

