Intentional Backdoor In Consumer Routers Found 236
New submitter janoc (699997) writes about a backdoor that was fixed (only not). "Eloi Vanderbeken from Synacktiv has identified an intentional backdoor in a module by Sercomm used by major router manufacturers (Cisco, Linksys, Netgear, etc.). The backdoor was ostensibly fixed — by obfuscating it and making it harder to access. The original report (PDF). And yeah, there is an exploit available ..."
Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet. Quoting Ars Technica: "The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware ... Because of the format of the packets—raw Ethernet packets, not Internet Protocol packets—they would need to be sent from within the local wireless LAN, or from the Internet service provider’s equipment. But they could be sent out from an ISP as a broadcast, essentially re-opening the backdoor on any customer’s router that had been patched."
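One consequence of the Ars observation above is a cheap defensive check: the trigger is a raw Ethernet frame, not an IP packet, and a home LAN carries very little besides IP and ARP, so any other frame type on the LAN side deserves a log entry. The Python below is an added example, not code from the thread, from Synacktiv or from the Sercomm firmware; the knock frame's real format is not given here, so the allow-list, the MAC addresses, the 0x88B5 local-experimental EtherType and the sample frames are all constructed stand-ins for "frames that do not belong".

```python
import struct

# Constructed allow-list of what a home LAN segment normally carries. The
# knock frame's real format is not given in the thread, so nothing here is
# a signature for it; the check simply surfaces every frame that is not IP
# or ARP, which on a consumer LAN is rare enough to be worth a look.
EXPECTED_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
VLAN_TAG = 0x8100
BROADCAST = b"\xff" * 6


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header, peeling one 802.1Q tag if present.

    A type-field value below 0x0600 is an 802.3 length, not an EtherType,
    so it is reported as such instead of being looked up in the allow-list.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, typ = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if typ == VLAN_TAG:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, typ = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "type": typ,
        "kind": "ethertype" if typ >= 0x0600 else "802.3-length",
        "vlan": vlan,
        "payload": frame[offset:],
    }


def flag_unusual(frames) -> list:
    """Return one alert per frame that is malformed or carries a payload
    type outside EXPECTED_ETHERTYPES. Broadcast is recorded separately
    because a knock aimed at every router on a segment would be one."""
    alerts = []
    for frame in frames:
        try:
            f = parse_frame(frame)
        except ValueError as exc:
            alerts.append({"reason": str(exc), "src": None, "type": None, "broadcast": False})
            continue
        if f["kind"] == "ethertype" and f["type"] in EXPECTED_ETHERTYPES:
            continue
        alerts.append({
            "reason": "non-IP payload on LAN",
            "src": f["src"],
            "type": f["type"],
            "broadcast": f["dst"] == BROADCAST.hex(":"),
        })
    return alerts


def build_frame(dst, src, ethertype, payload, vlan=None) -> bytes:
    """Assemble a frame for the constructed samples below."""
    tag = struct.pack("!HH", VLAN_TAG, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


# Constructed sample traffic: MACs, payloads and the 0x88B5 (IEEE local
# experimental) EtherType are stand-ins, not captures from a real device.
MAC_A, MAC_B, MAC_C = (bytes.fromhex("aabbccdd000%d" % i) for i in (1, 2, 3))
SAMPLE_FRAMES = [
    build_frame(MAC_B, MAC_A, 0x0800, b"\x45" + b"\x00" * 19),                 # ordinary IPv4
    build_frame(BROADCAST, MAC_A, 0x0806, b"\x00\x01\x08\x00" + b"\x00" * 24),  # ARP request
    build_frame(BROADCAST, MAC_C, 0x88B5, b"\x00" * 46),                       # unexpected non-IP broadcast
    build_frame(MAC_A, MAC_B, 0x86DD, b"\x60" + b"\x00" * 39, vlan=10),        # tagged IPv6, fine
    BROADCAST + b"\x00" * 4,                                                   # runt: too short to parse
]


def demo() -> list:
    return flag_unusual(SAMPLE_FRAMES)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Frames captured on a LAN-side mirror port and handed over as raw bytes go through the same `flag_unusual` call; the alerts are what a small sensor behind the router would log, and a broadcast hit from an address that is not one of your own hosts is the case worth chasing first.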
Your first action after purchasing a router (Score:2, Insightful)
Re: (Score:2)
Re: (Score:3)
This is exactly why shopping for a router isn't as simple as finding the best bang/buck. It's a concerted effort of finding good deals (generally refurb/overstock, avoiding rebates) along with verifying open firmware support. Finding that HW version can be tricky. Just apply Occam's razor to it; there's probably a good reason that gigabit N-600 dual-band router only costs thirty bucks.
My house runs on DD-WRT (one main router, one dedicated for WiFi, both D-Link) and I've never looked back. I'm on DD-WRT fo
Comment removed (Score:5, Informative)
Re: (Score:2)
The link also quite conveniently mentions the following tidbit: "OpenSSL was updated immediately in the DD-WRT SVN repository. It can take a view days until we can provide updated versions for all routers."
Yes, it actually says "a view days" instead of "a few days". A typo is one thing, but that is spectacular... Did they dictate it to their computer or something?
Re: (Score:3, Informative)
It depends on which version of dd-wrt you installed, not necessarily when you installed it. I have a WRT54G that I just flashed r14929 on a few weeks ago, but it's fine, because that build is from 2010 and predates the Heartbleed vulnerability. The vulnerable builds are 19163 to 23882, see here [dd-wrt.com].
Re: (Score:2)
So you log in to your router via http instead of https?
Comment removed (Score:4, Informative)
Meanwhile, in the Media... (Score:4, Interesting)
Pot, meet Kettle.
Re:Meanwhile, in the Media... (Score:5, Insightful)
This sure makes bugging easier . . . (Score:5, Insightful)
. . . the spooks used to have to break into your home to plant bugging devices.
Now, you bring the bugging devices home as consumer appliances, and install them yourself for the spooks.
This saves them a lot of effort. Cost effective.
Re:This sure makes bugging easier . . . (Score:4, Insightful)
So all I have to do to fool you is install my malware as a service that gets hosted by svchost.exe?
Or if my purpose was to control the microphone, a driver that hooks into the existing audio driver?
You say tomato? (Score:5, Insightful)
I say tomato..
Just load OpenWRT or some other open source firmware, problem solved.
What do you mean there isn't a port for your hardware? Why did you buy it in the first place? Throw it away (or donate it to someone who can do the port) and buy something that has been ported.
NEVER buy hardware without an open source port at least in progress.. You have been warned!
Re: (Score:3, Interesting)
Re:You say tomato? (Score:4, Informative)
Freedns [afraid.org] has been around for ages, and doesn't seem to be going anywhere. They include DDNS for free as well.
Re: (Score:2)
It's not like we've run out of reliable DDNS services (at least not yet); no-ip.com has been around since the late '90s (still using my hotmail email with it...). The only nag is if your IP doesn't change for 30 days (or you just don't use the client at all) then you need to do a manual update, but otherwise if your IP changes regularly you don't need to log in or do anything (I assume you could program another instance of the client to shortly change your IP to something else and then put it back if you had a dynamic IP
Re: (Score:3)
You base the choice about which router and firmware to run on a measly side-feature, that also locks you into the router vendor? What. The. Fuck.
Re: (Score:2)
You don't need the DDNS update client running on your router... See instructions here: http://www.dnsdynamic.org/api.... [dnsdynamic.org]
OpenWRT has packages for damn near every Linux program, which you can run on your router... You can even install devel packages and compile it yourself.
http://www.dnsdynamic.org/ [dnsdynamic.org] pledges to be free, forever. Plus I like their tftpd.net domain. Asus's DDNS is a commercial product, and certainly has no such pledg
Re: (Score:2)
Came here to say exactly that. Unless it's done in hardware (which would be EXTREMELY complicated), OpenWRT can do away with that. Plus, you get all the extra free features, and, with luci, a DECENT http interface (contrary to what most routers include).
Re: (Score:2)
If you do install OpenWRT, can you revert back to the manufacturer's software at a later time, or is it a one-way street? Let's say OpenWRT did not work properly.
Re: (Score:2)
If you do install OpenWRT, can you revert back to the manufacturer's software at a later time, or is it a one-way street? Let's say OpenWRT did not work properly.
Most of the modern Netgear routers are drop dead simple to revert back, but that's not always the case. It's usually not too hard, but there ARE some models that can be pretty difficult and require special equipment. I suggest you check with the place you get your open source firmware for instructions on how to get back to stock, before you put your toe in the water. You might also consider playing with the firmware of choice on separate hardware, say your old but supported router. Learn what you need to
Well one problem there (Score:2)
If you presume that a backdoor like this is intentional, and is there for some nefarious purpose like the NSA or something, they can just move it to the chips themselves. The code that runs on the CPU is only one small part of what goes on in there. It would be very easy to have code baked in to a chip with a backdoor that couldn't be removed or altered by the OS, because it is lower level.
So don't assume an OSS firmware gets you out of trouble.
Re: (Score:2)
If you presume that a backdoor like this is intentional, and is there for some nefarious purpose like the NSA or something, they can just move it to the chips themselves. The code that runs on the CPU is only one small part of what goes on in there. It would be very easy to have code baked in to a chip with a backdoor that couldn't be removed or altered by the OS, because it is lower level.
So don't assume an OSS firmware gets you out of trouble.
Sheesh, really?
OK, open source may not get you out of *everything* but logically it's going to fix 99.999% of what's possibly going to get you. Not to mention, firmware "built in" to hardware is going to have a seriously difficult time doing anything but crashing the hardware unless it has a *whole lot* of the network stack built into it. So, I'd rather take my chances with open source over the manufacturer's stock firmware, the odds are better, MUCH better.
Re: (Score:2)
Except, of course, open source code also contains horrific security vulnerabilities.
But you know about those, and can fix them if you want. That's the difference between open and closed source.
Re: (Score:2)
Really? How many people knew about heartbleed 3 weeks ago?
Re: (Score:3, Insightful)
Right, because people magically know about _yet undiscovered_ vulnerabilities. Don't pretend to be obtuse.
Once we knew about Heartbleed (and it was found by two independent teams of researchers), we immediately had a fix, knew what goes into the fix and could apply it ourselves.
This one backdoor was accidentally stumbled on after being there for a decade - some vulnerable models from the list are from 2004 - and nobody could fix it but the maker, and nobody could even verify the fix but the maker. Lo
Re: (Score:2)
Really? How many people knew about heartbleed 3 weeks ago?
I didn't know about it 3 weeks ago. But none of my Linux SSL-enabled servers were affected, either.
It did help that most daemons were linked against libNSS. Many of the Apache installs were using mod_nss for SSL instead of mod_ssl, and.... most of the other servers were CentOS5 with openssl, but not a buggy version.
Re: (Score:2)
And how long did it take to fix it once it was discovered? Not only was this bug NOT fixed the first time (only hidden better), but it probably won't get fixed very quickly (if at all) and we'll have no way to verify they actually DID fix it.
With open source, you can see the change logs and verify that the version you are running is no longer vulnerable to the attack. With proprietary software you just have to trust them that they fixed it this time...
Re: (Score:2)
But you know about those, and can fix them if you want.
It just doesn't work like that. You need a lot of time to understand how the program works. Reading individual lines of C code is relatively easy, but understanding how the whole thing comes together, takes a lot of effort. This also means that the group of people who can realistically grasp the code and point out vulnerabilities, is relatively small.
Dear people and fans of open source: please sometimes actually do the experiment where you (yes, you, yourself, anyone can do it, right?) just find and fix eve
Re: (Score:3)
Except, of course, open source code also contains horrific security vulnerabilities.
But you know about those, and can fix them if you want. That's the difference between open and closed source.
It's not that simple. My point, before it was moderated into oblivion, is that there is no implied additional security just because something is FOSS. I've contributed code to FOSS projects from time to time and I know I am not qualified to audit source for security vulnerabilities. There appears to be an assumption that "someone" is doing this, but the reality is this doesn't happen often. TrueCrypt is an example of where this is being addressed, but how many projects have had an independent code review?
Re: (Score:2)
I say tomato..
Just load OpenWRT or some other open source firmware, problem solved.
What do you mean there isn't a port for your hardware? Why did you buy it in the first place? Throw it away (or donate it to someone who can do the port) and buy something that has been ported.
NEVER buy hardware without an open source port at least in progress.. You have been warned!
Except, of course, open source code also contains horrific security vulnerabilities.
As is the proprietary; we just got bored of yelling about them years ago.
Re: (Score:2)
Except, of course, open source code also contains horrific security vulnerabilities.
Everyone raise your hand if you know the difference between proprietary software that's closed source, and open source with viewable binaries! That's right kiddies, if you have open source with viewable binaries you can even compile your own, and fix any bugs you find. You can even fork it! You can't do that with closed source, you're at their mercy for patches, fixes, and security holes.
Re: (Score:2)
... actually, it's just as unlikely that 99% of the OSS fanboys like you can edit binaries as they can C source code.
While it takes effort, editing a binary isn't really that hard for people who know assembly. The binary IS THE SOURCE, the actual source that you run, not the code before it gets preprocessed by someone else's compiler.
Anything you can do with some C source, I can do with the actual binary and I'm willing to bet I can do it far faster than you can with the C source code.
Now, everyone raise yo
Re: (Score:2)
Re: (Score:2)
Google says you can buy commercial x86 PCs that run on 5W of power. http://www.tinygreenpc.com/ [tinygreenpc.com]
My 10 year old laptop uses about 8W with the screen off.
I don't personally use one but I run a full linux install on an ARM SBC. It 'sips' around 1W idle. Less than the router it sits behind.
Re: (Score:2)
So you have the source to the CPU? Keyboard controller? Ethernet controller? You have the masks for the silicon and can make your own?
Never said I did, nor did I say it was necessary. But I can assure you that not having the internal firmware of the Ethernet controller is unlikely to be a security problem for anybody. It's either going to work or it won't. Same for the microcode in the CPU.
No, you don't, so every electronic device you own with a CPU isn't open source.
Most are not. But on the border of my network? My firewall? I own those and they are open source because we all know how manufacturers do this thing. They will support the device for as long as it's making money (i.e. they are building and selling
to be expected (Score:2, Funny)
Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet.
Well, somebody paid good money for that backdoor. If Sercomm closed it, they'd have to issue a refund.
Re: (Score:2)
The first question that needs to be asked is whether it was a corporate back door or a government back door. A lot of governments always seem to be rather conveniently forgetful when it comes to how profitable insider trading is and how corporate fiscal espionage readily facilitates it. This allows profits in the billions, and if you don't think that it is one of the biggest drivers of government espionage contracted out to private corporations then you are truly gullible and foolish; seriously, billions of dollars of
What surprises me... (Score:5, Insightful)
It's not exactly a secret that ISPs and providers of combination internet/TV/voice services tend to view customer-controlled equipment as something between a painful support headache and the blasphemous spawn of an unnatural coupling between internet piracy and absolute evil. Hence their enthusiasm for pushing their pet 'home gateway'/'set top box'/etc. with greater or lesser force, and the existence of standards like TR-069 ('CPE WAN Management Protocol') and organizations like the 'Home Gateway Initiative' [homegatewa...iative.org] that seek to standardize a nice, tame, appliance that can be used to sell services to consumers without confusing their little brains or letting them meddle.
That's what surprises me about seeing a comparatively dodgy-looking; but vendor/OEM provided, back door not only present but deliberately preserved even after being discovered, and sufficiently badly as to be rediscovered. There are remote management systems that, by design, are not under the control of the user, present for the convenience of the operator; but those are in the 'bydesign, wontfix' bucket. There are also malicious backdoors; but if this is one the party inserting it was far too arrogant for their own good. There are probably also legacy backdoors, used by some specific ISPs or the like; but those would presumably show up in their hardware, since Sercomm doesn't control enough of the market to assure that all customer-supplied devices will have the backdoor; but they do control enough that a single ISP's backdoor would be splashed all over the place.
Who is the expected user here, and what did they gain by trying to hold on to an existing backdoor so shoddily as to have it detected again?
Re: (Score:2)
It doesn't look like they went out of their way to hide it as such. But, they did try to change its operating mode from remotely exploitable at any time by anyone, to only usable by someone on the local ethernet segment. Unfortunately, as most here are aware, that kind of 'fix' isn't a solid solution, and still remains exploitable.
Re: (Score:2)
They probably were incompetent enough to not realize this was easy (for somebody very bright, experienced and capable) to find again.
If you think intelligence agencies cannot be terminally incompetent, then there is a recent story of one really large and important one that had its crown-jewels stolen by a contractor...
Re: (Score:2)
I think you hit the nail on the head. This is clearly meant to be a remote management backdoor for the ISPs, hence the need to secure it but not remove it. As dodgy as it is, the fact that it can now only be triggered by the local network and can't be passed over IP means that it's probably good enough by ISP and Sercomm standards, especially if it's treated as a little
Re: (Score:3)
Re: (Score:2)
This is clearly meant to be a remote management backdoor for the ISPs, hence the need to secure it but not remove it.
There is no such need.
Such a feature would look very different, probably involving a certificate. This is a back door for Cisco etc. Or for the NSA. It's not for ISPs, or the ISPs would have known about it.
Partial vulnerability list (Score:5, Informative)
In the pdf of his presentation he mentions that there are 24 router models confirmed vulnerable spanning Cisco, Linksys, NetGear, and Diamond. I have yet to spot the actual list of vulnerable routers, though.
He also elaborates on how a technically skilled person can figure out if any particular router is vulnerable.
The link to the list of vulnerabilities is found in the pdf. Here's a copy/pasted list of the ones known so far.
BEGIN COPIED TEXT:
Backdoor LISTENING ON THE INTERNET confirmed in :
Linksys WAG120N (@p_w999) ;) (issue 49)
Netgear DG834B V5.01.14 (@domainzero)
Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
Netgear WPNT834 (issue 79)
OpenWAG200 maybe a little bit TOO open
Backdoor confirmed in:
Cisco RVS4000 fwv 2.0.3.2 (issue 57)
Cisco WAP4410N (issue 11)
Cisco WRVS4400N
Cisco WRVS4400N (issue 36)
Diamond DSL642WLG / SerComm IP806Gx v2 TI (https://news.ycombinator.com/item?id=6998682)
LevelOne WBR3460B (http://www.securityfocus.com/archive/101/507219/30/0/threaded)
Linksys RVS4000 Firmware V1.3.3.5 (issue 55)
Linksys WAG120N (issue 58)
Linksys WAG160n v1 and v2 (@xxchinasaurxx @saltspork)
Linksys WAG200G
Linksys WAG320N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
Linksys WAG54G2 (@_xistence)
Linksys WAG54GS (@henkka7)
Linksys WRT350N v2 fw 2.00.19 (issue 39)
Linksys WRT300N fw 2.00.17 (issue 34)
Netgear DG834[…, GB, N, PN, GT] version 5 (issue 19 & issue 25 & issue 62 & jd & Burn2 Dev)
Netgear DGN1000 (don't know if there is a difference with the others N150 ones... issue 27)
Netgear DGN1000[B] N150 (issue 3)
Netgear DGN2000B (issue 26)
Netgear DGN3500 (issue 13)
Netgear DGND3300 (issue 56)
Netgear DGND3300Bv2 fwv 2.1.00.53_1.00.53GR (issue 59)
Netgear DM111Pv2 (@eguaj)
Netgear JNR3210 (issue 37)
Backdoor may be present in:
all SerComm manufactured devices (https://news.ycombinator.com/item?id=6998258)
Linksys WAG160N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
Netgear DG934 probability: 99.99% (http://codeinsecurity.wordpress.com/category/reverse-engineering/)
Netgear WG602, WGR614 (v3 doesn't work, maybe others...) (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
:END COPIED TEXT
Re: (Score:2)
Are there any government agencies that use these routers? Just curious...
Simple fix (Score:4, Interesting)
Re: (Score:2, Insightful)
and what device is doing the forwarding, and seeing the "knock" ?
no (Score:2, Informative)
because when the knock arrives, the first who is in charge is hardware, afterwards firmware, and then goes user setup
Nice. Caught red-handed... (Score:5, Interesting)
I predict we will see more of that. Congratulations to the finder! Maybe we should start to offer "public safety" bounties to people that find these acts of sabotage.
Re: (Score:2)
Re: (Score:2)
I have a slightly more ambitious suggestion. We should make a list of every device that uses this 'sercomm' module and make a point never to buy them again.
Who is 'we'? The .01% of consumers that are tech savvy enough to know what a backdoor is and why we don't want one? Meanwhile everyone else will continue to buy routers based on which picture on the box looks better.
Re: (Score:2)
or based on which one their ISP gives them for "free"
The ISP is of course going to choose the one that has the remote management interface (read: backdoor)
Re: (Score:2)
That will likely be infeasible, unfortunately. But make them a worst choice, to be only bought if nothing else is available should be almost as good.
Comment removed (Score:4, Insightful)
Re: (Score:2)
The 2wire/Pace (3600, 3800, etc.) all have TCP port 3479 open to the internet. This is what you are forced to use if you have AT&T U-verse. There is no way to block it and AT&T says it's for "updates and troubleshooting".
http://forums.att.com/t5/forum... [att.com]
I wonder what great backdoors are in these gateways?
While I find that's pretty infuriating, I do think that if you're forced to have U-Verse (e.g.: alternatives suck speed wise), then it's probably recommended to have another (non-vulnerable) router between you and the 2-wire and to turn off the wifi radio.
Snowden effect (Score:4, Informative)
Another day, another hole... (Score:2)
It is crap like this, and the abysmally unreliable hardware most consumer routers seem to be based on, that has convinced me not to buy consumer routers any more. Been using an old PC (running a copy of Ubuntu Server booted from a CF card) as my router for several years now.
Yeah, I know the power consumption of an old PC sucks compared to a consumer router. But after going through 3 routers in something like 5 years I was sick of dealing with that crap. The PC-based router is way more stable and reliable.
Western companies need to change (Score:2)
It is long past time for these western companies to bring back production.
At the same time, they need to OSS the firmware so that others will feel comfortable with buying these, knowing that they can get true secured systems.
Comment removed (Score:3)
Is it in the EULA? (Score:2)
Apple AirPort Extreme/Express? (Score:2)
I don't see Apple in that list. However, that doesn't mean it's certainly not impacted. Does anyone have any guess about this?
Re: (Score:2)
This is why I hide behind (Score:2)
Re: (Score:2, Flamebait)
...NSA?
Other guess, just someone at the manufacturer who wanted to do it that way. However, that does not stop NSA from discovering it in 2 seconds and exploiting it too.
Re:Lemme guess.... (Score:5, Insightful)
The Chinese want their access too, and look what they did with the US solar industry (by hacking and swiping masks, then making panels cheaper than rare earth cost to shutter companies via predatory trade practices.)
The NSA, I'm not worried about. They don't want me out of a job. China, definitely.
Re: (Score:2, Insightful)
The NSA, I'm not worried about. They don't want me out of a job. China, definitely.
If the world were made up only of people like you, we would all still be slaves under the pharaoh's absolute authority.
Re: (Score:2)
Are you really claiming that Chinese gov. is helping NSA spy?
Not bloody likely.
Re: (Score:2, Insightful)
Yes, I cannot possibly fathom why anyone would dislike having a backdoor in their router unless they were pirating material from a well-known public tracker. Brilliant deduction.
Why the fuck would anybody mod this nonsense up? What is wrong with you people?
Re: (Score:2)
Re: (Score:2)
Then it's their choice to add a service to the router and state in the contract that I must not disable it.
Or do you consider it normal that your landlord should retain a key to the apartment you rent so he can come in at leisure to check out that everything's in order? Of course just to aid you.
Re: (Score:3)
I'm kinda glad I am NOT living in your country. Laws here specifically state that he must not.
I still change the lock as one of the first actions when I move into a new apartment.
Re: (Score:3)
Re: (Score:2)
Unless the router firmware is open source, you have no way of knowing what it is doing, DOCSIS or not.
Re: (Score:2)
Re: (Score:2)
RTFA - the author had no trouble viewing the closed source firmware on these routers to find out exactly what the backdoor was doing.
Re: (Score:3)
There are coders out there who might care, look, and warn you *IF* it's open source. If not, you'll just wonder why your friends always snicker and call you 'spammy'.
Re: (Score:2)
So you exploit their browser in a drive-by, then exploit the router to make it persistent.
Re: (Score:2)
Re:List of affected devices please.... (Score:5, Informative)
Re:intentional back-door? (Score:5, Funny)
No, it just means that if you have one of these devices, then you are fucked.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Then your boss should go to jail unless he would care to kick it up the chain of command.
Re: (Score:2)
Re: (Score:2)
Actually, the result is one or more people go to jail, a bunch of managers realize they came within a hair of going to jail, and the company faces a large liability which triples if they don't promptly fix the hole for real. Those responsible for the fix know it will be looked over with a fine tooth comb and that they could go to jail if they don't actually close the hole.
Sadly, the typical happening is that some lower level guy gets thrown under the bus and they ignore the hole.
Re: (Score:2)
Re: (Score:2)
What about the CPUs themselves ?
Backdoors in software, while scary, can be worked around by using software you trust or write yourself.
But what about backdoors in CPUs which only trigger, for example, as a result of a specific data sequence ?
The problem with the obvious kind of hardware backdoor in the CPU is that it needs to interact with an unknown and otherwise complex operating system. And that is extremely difficult to do without associated exploit software running on the same system.
The real problematic standalone hardware 'backdoors' would be things like predictable patterns from a hardware random number generator, secret ways to override memory protection, a way to expose the private/secret keys in crypto hardware, etc.
Those more subtle
Re: (Score:2)
The problem with the obvious kind of hardware backdoor in the CPU is that it needs to interact with an unknown and otherwise complex operating system. And that is extremely difficult to do without associated exploit software running on the same system.
For most modern CPUs, the interaction between the world outside the ceramic chip casing and the REAL hardware CPU is handled by CPU code, better known as microcode. The most glaring example of this is the x86 based CPUs that haven't actually run x86 code in a decade. What code that is pulled in from RAM and executed on the CPU is translated on the fly by the CPU hardware into CPU microcode that actually runs on the hardware itself.
The x86 chips for instance, haven't been of an actual CISC hardware design
Re: (Score:2)
Think more of all the helper ports/chips/"cards" around the CPU and their way back to stored data/keystrokes on an average consumer motherboard.
Wireless, networking are all part of a deeper complex hardware/software mix that an average OS may not be watching in real time.
Also recall the different next-gen remote network wake features, which work even if the machine is turned off (vs. unplugged with no power).
A lot of
Re: (Score:2)
No one said Intel's RdRand was compromised, just that it can't be trusted.
No different than VIA's PadLock or AMD's RNG.
Re: (Score:2)
I disagree. RDRAND is compromised in architecture and design. The implementation may or may not be compromised, but that is pretty irrelevant. VIA's PadLock is a completely different story; don't spout BS when you do not understand what the issue with RDRAND is. I don't know what AMD is using though.
Re: (Score:2)
I'm not spouting anything, you are.
No one but you has said there is anything fundamentally wrong with it.
Here's a description, the architecture is in section 3. Point out the flaws, oh mighty one.
https://software.intel.com/en-... [intel.com]
Re:Hardware backdoors in the actual CPUs ? (Score:4, Interesting)
You are either ignorant or a liar. (Maybe a paid-for liar?). Just read this: https://plus.google.com/+Theod... [google.com]
That is a few more people than "nobody". The flaw is that the whole design does not allow verification that it is non-compromised. The claim that including its bits in JTAG would be a security risk is completely bogus, as an attacker with access to the JTAG pins can do whatever they like already. With those bits in JTAG, it would be relatively easy to verify the analog side is actually analog and is actually what feeds the whitener. That possibility was intentionally sabotaged, and the _only_ good reason for that is that they want to be able to compromise the CPRNG in select batches and make detection of that very hard. And no, there is no software access to those JTAG pins and yes, the hardware to query the internal CPRNG state and analog bit stream must be in place to test the CPU. That means they are switching this access explicitly off after they have verified the hardware works. So not only is this a compromised architecture and design, it is also more effort than doing it right. It does not get more obvious than this.
Your link, BTW, is worthless. It does not go into the needed level of detail. The contrast with what you get for the VIA C3 generator (e.g.), is quite telling: http://www.cryptography.com/pu... [cryptography.com]. And VIA has a non-compromised design as they do not desperately try to hide what the analog random source spits out.
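The practical answer to a hardware generator whose design cannot be verified, whichever side of the RDRAND argument above one takes, is not to use it raw: fold it into a pool together with sources it does not control, which is also why operating-system pools mix a hardware source in rather than trusting it alone. The Python below is an added example, not code from the thread or from any CPU vendor; `StuckHwRng` is a constructed worst case (a generator forced to a fixed pattern) and `SeededSource` is a deterministic stand-in for an independent source such as an OS pool or timing jitter, seeded only so the run is reproducible.

```python
import hashlib
import random


def mix_sources(*samples: bytes) -> bytes:
    """Fold several entropy samples into one 32-byte output with SHA-256.

    Each sample is length-prefixed so the concatenation is unambiguous:
    mix(b"ab", b"c") and mix(b"a", b"bc") must not collide.
    """
    h = hashlib.sha256()
    for s in samples:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest()


class StuckHwRng:
    """Constructed stand-in for a hardware generator whose output has been
    forced to a fixed pattern. It models the worst case the thread worries
    about, not any real part."""

    def __init__(self, pattern: bytes):
        self.pattern = pattern

    def read(self, n: int) -> bytes:
        reps = -(-n // len(self.pattern))  # ceiling division
        return (self.pattern * reps)[:n]


class SeededSource:
    """Deterministic stand-in for an independent source (OS pool, timing
    jitter); seeded so the demonstration is reproducible."""

    def __init__(self, seed: int):
        self.rng = random.Random(seed)

    def read(self, n: int) -> bytes:
        return bytes(self.rng.getrandbits(8) for _ in range(n))


def draw_outputs(hw, other, count: int, width: int = 32) -> list:
    """Produce `count` mixed outputs, pulling `width` bytes from each source."""
    return [mix_sources(hw.read(width), other.read(width)) for _ in range(count)]


def monobit_fraction(blocks) -> float:
    """Fraction of 1 bits across all blocks; close to 0.5 for unbiased output."""
    ones = sum(bin(b).count("1") for blk in blocks for b in blk)
    return ones / (8 * sum(len(blk) for blk in blocks))


def demo() -> dict:
    stuck = StuckHwRng(b"\x00")
    # One stuck source plus one honest source: the output is still unbiased
    # and never repeats, because the hash is driven by the honest input.
    mixed = draw_outputs(stuck, SeededSource(2014), 1000)
    # Both sources stuck: mixing cannot invent entropy, every output repeats.
    nothing_good = draw_outputs(stuck, StuckHwRng(b"\x00"), 1000)
    return {
        "mixed_unique": len(set(mixed)),
        "mixed_monobit": monobit_fraction(mixed),
        "nothing_good_unique": len(set(nothing_good)),
    }


if __name__ == "__main__":
    print(demo())
```

The second run in `demo` is the caveat: a pool is only as good as its best input, so mixing protects you against one bad source, not against having no good one. The monobit count is a sanity check, not a proof of quality; a generator that is stuck on a pattern that happens to be balanced would pass it, which is exactly the detection problem the post above is describing.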
Re:PLA? (Score:4, Funny)
Re: (Score:2)
That's why Taiwan is run by ROC - Republic of China.
Not to be confused with PRC - Peoples Republic of China.
South Korea is run by people and North Korea is run by a muppet with a bad haircut.
Re: (Score:2)
Re: (Score:2)
Seems like if they want a feature like this to support manufacturing that it should be something that is only accessible on one *internal* (non-ISP facing) Ethernet port and only within a certain amount of time since bootup.
Then they should deactivate the functional test feature, as soon as the admin password is changed from the default.
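The two conditions suggested in this comment and its parent (internal port only, short window after boot, off for good once the default password is changed) are easy to get subtly wrong if each request is judged in isolation, so the Python below is an added example, not the thread's or any vendor's code, of a gate that fails closed and latches. The interface names, the 120-second window and the request sequence in `demo` are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DiagGate:
    """Gate in front of a manufacturing/functional-test service, following
    the thread's suggestion: one internal port only, a short window after
    boot, and permanently off once the admin password is no longer the
    default. Interface names and the window length are constructed."""

    internal_iface: str = "eth_lan1"
    window_seconds: int = 120
    denials: List[Tuple[str, int, str]] = field(default_factory=list)
    _off_reason: Optional[str] = field(default=None, init=False)

    def on_password_changed(self) -> None:
        # One-way latch: nothing short of a factory reset re-enables the hook.
        self._off_reason = "device provisioned"

    def allow(self, iface: str, uptime_seconds: float, default_password: bool) -> bool:
        # A changed password observed late still latches the service off.
        if self._off_reason is None and not default_password:
            self.on_password_changed()
        reason = self._off_reason
        if reason is None and iface != self.internal_iface:
            # Fail closed on the WAN port and on any interface we do not know.
            reason = "not the internal test port"
        elif reason is None and uptime_seconds > self.window_seconds:
            # Once the window has passed it stays shut until the next boot.
            self._off_reason = reason = "boot window closed"
        if reason is not None:
            self.denials.append((iface, int(uptime_seconds), reason))
            return False
        return True


def demo():
    gate = DiagGate()
    decisions = [
        gate.allow("eth_lan1", 10, True),    # factory state, internal port, in window
        gate.allow("eth_wan0", 12, True),    # ISP-facing port: denied, no latch
        gate.allow("eth_lan1", 130, True),   # window elapsed: denied and latched
        gate.allow("eth_lan1", 131, True),   # still latched
    ]
    rebooted = DiagGate()                    # fresh state after a reboot
    rebooted.on_password_changed()
    decisions.append(rebooted.allow("eth_lan1", 5, False))  # provisioned: denied
    return decisions, gate.denials, rebooted.denials


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The ordering matters: provisioning is checked first because it is the most permanent condition, a wrong interface is denied without latching (a stray frame must not lock out the factory line), and the expired window latches so the service is not re-evaluated on every packet after boot. Contrast this with what the summary describes, a service that any host on the segment can switch on at any time with no state behind the decision at all.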
Re: (Score:2)
That's why I love my rooms pointing towards the west, it makes getting up with the first ray of sunlight so much easier.
Or, just so you understand, just because YOU didn't hear about it doesn't mean it didn't exist and others (like, say ME) didn't know about it. The difference is, with closed source, an NDA can efficiently keep me from telling you earlier.