Security experts have debunked anonymous claims that BT Openreach has placed an NSA/GCHQ backdoor into its fibre broadband modems.
A group calling themselves ‘The Adversaries’ allege that Openreach’s FTTC (Fibre to the Cabinet) modems create a secret network which links to the US Department of Defense.
BT has denied the claims, supported by several security bloggers and a UK ISP co-founder who all point out that the allegedly suspicious features are commonly used for remote device management.
In a paper titled The Internet Dark Age and released on the Wikileaks-esque Cryptome, The Adversaries said: “BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the UK as our evidence will demonstrate.
“BT have directly enabled Computer Network Exploitation (CNE) of all its home and business customers.”
It’s a grand claim, resting on a study of the behaviour of the Huawei EchoLife HG612 and ECI B-FOCuS modems supplied by BT Openreach for FTTC.
The Adversaries’ concerns focus on a connection created before the modem has completed an internet connection, which uses an IP address assigned to the US DoD.
The connection raised further concerns because its destination is untraceable and it can’t be seen in the modem’s setup menus.
BT said: “BT routers have a second IP address so we can make software updates without the need for an engineer visit. This is extremely common in the industry and it is well known.
“It is also the case that many other devices such as gaming consoles, smart TVs have such addresses. As for the anonymous report, it is not our policy to comment on conspiracy theories.”
While the IP address, in the 30.x.x.x range, is assigned to the US DoD, security blogger Robert Graham points out that these addresses are widely used beyond the DoD for good reasons.
For a start, they’re non-routable, so they’re ideal for creating apparently private channels for customer management.
There’s also a worldwide shortage of IPv4 internet addresses because the communications industry has failed to advance to the new IPv6 standard. The DoD is sitting on a very valuable (and probably lucrative) pool of IPv4 addresses.
Writing on Errata Security, Graham adds: “For many people, when they see the 220.127.116.11/0 address, and that it’s assigned to the DoD, their simplest explanation is that the DoD is spying on people’s home modems.
“Those of us with more experience see that the most obvious explanation is that BT chose this as pseudo-private address space. That paper contains nothing that is evidence of NSA spying.”
The Xerocrypt blog adds that the interfaces found by The Adversaries are commonly used for the TR-069 remote management protocol, which has been in use for almost a decade.
Writer Michael added: “It’s conceivable that GCHQ and the BT Group might use this for surveillance, but I haven’t seen evidence of that ever being done.”
Adrian Kennard, co-founder and technical chief at ISP Andrews & Arnold, told industry blog ISPreview.co.uk that even if the FTTC modem is compromised, there will always be a customer router behind it with its own firewall.
“The fact that the ISP could, if they wanted to, re-flash the modem/router, for almost any ISP connection does, indeed, mean that they could install all sorts of stuff directly on the device if they wanted to – but they don’t have any reason to, and there is no evidence of any NSA/GCHQ back doors,” said Kennard.
The Adversaries complete their claims by promising to present their evidence in court if they have to, although a first step might be to reveal their identities so the world can check their credentials.
Image: The Adversaries