From China, With Love (devttys0.com)
191 points by conductor on Oct 19, 2013 | hide | past | favorite | 60 comments



As a perhaps unnecessary (for HN) reminder: This is a primary reason that "anti-circumvention" legislation, that "outlaws" e.g. decompiling and/or reverse engineering (1) machine code in proprietary devices (in this case, for research purposes), needs to be permanently put down.

Without examination, existing circumstances repeatedly demonstrate that we are more than a bit likely to be subjected to hidden weaknesses and exploitations we are uninformed about and have not agreed to.

----

(1) decompilation/reversing, as in the referenced, recent D-Link case, or perhaps even simple extraction of a compressed fileset


The DMCA Anti-circumvention clause explicitly makes an exception for "security testing" and "encryption research", amongst others. Search for those terms on this page:

http://www.law.cornell.edu/uscode/text/17/1201

I am no law scholar, but I get the impression that, in general, reverse engineering and research are exempt from most forms of IP protection (which is what the DMCA is).


Except that as far as I know you can't share most of what you learned with anyone else.


As far as the text of the DMCA goes, the only restrictions on sharing what you learned are if that sharing could facilitate copyright infringement rather than advance knowledge or security. I can see how that could be a bit hazy in some cases, but certainly should not apply to cases like this one.


You're wrong.


Which is why the DMCA exempts most security testing, and, in particular, the exact kind of security testing performed in this analysis.


In one sense, I'll defer to your far greater experience. In another, though, I'm increasingly of the impression that the effect, or lack thereof, of the DMCA upon one is more about the lawyers and money for lawyers that one has, than about "rights".

I also seem to recall ongoing efforts to (further) criminalize various forms of infringement (as opposed to leaving them matters of civil law), taking accusations to a whole new level of hurt.


Strangely, the whole GoAhead code including the backdoor seems to be on Github: https://github.com/socoola/yhrouter/blob/master/user/goahead...


I filed an issue, see what happens. Unclear if this code is a legit copy...


This was interesting, but the title "From China, With Love" seems descriptively weak and unnecessarily confrontational, as if somehow the Chinese government were to blame for one router manufacturer's backdoor.


* Chinese intervention and even ownership of its local industries is a well-known phenomenon. You can't on the one hand believe that NSA --- err, Clyde Frog --- is strongarming US Internet companies into complying with court orders while at the same time seriously suggesting that Chinese manufacturers are independent of the Chinese state.

* How much do we know about Shenzhen Tenda? All I could find in 5 minutes or so of research is that it's the result of the efforts of D.P. Quan to provide networking and enrich the lives of all people through, IIRC, excellence.

* China has a very well-established, well-attributed track record of attacking the tech infrastructure of the rest of the world, and does so through proxy organizations.

* A very blatant backdoor with minimal tech support value is something that is more valuable to a state than to a random tech company.


US gadgets have backdoor - blame the bad programmers

Chinese gadgets have backdoor - evil Communist country making a grand scheme.


Ever since the Snowden situation began every security issue related to the US has invited comments suggesting the NSA might be involved. I don't see your point.


Minus the "evil" and "communist" (that doesn't really describe China anymore), that sounds about right.


It's not that useful, as it is not accessible remotely. If I were the government, I would ask for a better backdoor.


But the NSA (with the FBI) IS strongarming companies to comply with court orders :-)


It's pretty well known that there is some terrible software that comes out of the Chinese hardware shops. 99.9% of the time these are not malicious back doors. Instead they're debugging or QA frameworks that just get left in released software. There is zero process or control of the releases. They can certainly put a system together, but they can't write the software for shit.


Your comment is just another over-generalisation. You sum up the entire spectrum of Chinese companies with 'they'. Why do you think this makes sense and yet you'd naturally spot that it would be plain dumb to summarise and generalise American companies in this way?


No. I generalized Chinese hardware shops. Not all Chinese companies. Having spent years working with software, and sometimes rewriting it, from said companies I'm perfectly content with the generalization I've made.


The title is not really an interesting subject of discussion. After reading the article (ignoring the title), I find the author is neither descriptively weak nor unnecessarily confrontational.


"One teensy-weensy, but ever so crucial little tiny detail is that the backdoor only listens on the LAN, thus it is not exploitable from the WAN"

Mh, so not really phoning home, is it? I thought this was pretty interesting until I read that. That's a pretty minimal security risk.


It also means that any bit of unprivileged clientside malware an attacker can get onto your machine might be able to use the bug as a pivot, first to your whole network, then potentially back to a more privileged place on your machine.


True, however we are talking about a $30 consumer router. Most people using something like that have a lot of other security flaws to worry about (but usually don't) and aren't that interesting as an attack target to hackers anyway.

Anyone with a "whole network" who remotely knows what he's doing won't be using a router like that one.


Anyone with a "whole network" who remotely knows what he's doing won't be using a router like that

Which router would he use?


Probably an enterprise-grade router if it's a bigger/corporate network, or something halfway decent that supports OpenWRT.


Are you sure you haven't visited webpages that tell your browser to send requests to your local router lately?


This requires UDP packets, which a browser can't send.
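The two comments above pin down the shape of the exposure: the backdoor is reached by UDP, only from the LAN, so the traffic never crosses the WAN and never comes from a browser. As an added example (not code from the thread or from the devttys0 article), here is a small defender-side heuristic that scans constructed flow records and flags UDP datagrams sent from LAN hosts to the gateway on ports the gateway is not expected to serve. The gateway address, LAN prefix, the baseline of expected UDP ports and every log line are assumptions constructed for the example.

```python
# Added example, not from the HN thread or the devttys0 article: flag UDP
# datagrams from LAN hosts to the gateway on ports the gateway should not be
# serving. The thread's point is that the Tenda backdoor listens only on the
# LAN and is reached over UDP, so traffic of that shape is worth noticing even
# though it never crosses the WAN. All addresses, ports and log records below
# are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GATEWAY = ip_address("192.168.1.1")      # assumed router LAN address
LAN = ip_network("192.168.1.0/24")       # assumed LAN prefix
# UDP services a home router legitimately answers on (assumed baseline:
# DNS, DHCP server, NTP, SSDP). Anything else to the gateway gets flagged.
EXPECTED_UDP_PORTS = {53, 67, 123, 1900}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload_len: int


def parse_line(line):
    """Parse one constructed 'src dst proto dport payload_len' record."""
    src, dst, proto, dport, plen = line.split()
    return Flow(src, dst, proto.upper(), int(dport), int(plen))


def is_suspicious(flow):
    """True for UDP from a LAN host to the gateway on an unexpected port."""
    if flow.proto != "UDP":
        return False
    if ip_address(flow.dst) != GATEWAY:
        return False
    if ip_address(flow.src) not in LAN:
        return False
    return flow.dport not in EXPECTED_UDP_PORTS


def flag_unexpected_udp(lines):
    """Return the flows from `lines` that match the heuristic."""
    flows = (parse_line(l) for l in lines if l.strip())
    return [f for f in flows if is_suspicious(f)]


# Constructed sample records in the form "src dst proto dport payload_len".
# Port 7777 is an arbitrary constructed value, not the real backdoor port.
SAMPLE_LOG = """
192.168.1.20 192.168.1.1 UDP 53 41
192.168.1.20 192.168.1.1 TCP 80 512
192.168.1.31 192.168.1.1 UDP 7777 12
10.0.0.5 192.168.1.1 UDP 7777 12
192.168.1.31 8.8.8.8 UDP 53 41
192.168.1.31 192.168.1.1 UDP 123 48
""".strip().splitlines()

if __name__ == "__main__":
    for f in flag_unexpected_udp(SAMPLE_LOG):
        print(f"unexpected UDP to gateway: {f.src} -> {f.dst}:{f.dport} "
              f"({f.payload_len} bytes)")
```

Only the record from 192.168.1.31 to the gateway on port 7777 is flagged: DNS and NTP to the gateway are on the baseline, the TCP flow and the DNS query to an external resolver are out of scope, and the datagram from 10.0.0.5 fails the LAN-source check. On a real network the baseline set would be taken from the router's documented services, and the records from a flow exporter or packet capture rather than a string.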


Right. It looks a lot more like a badly-implemented feature for factory validation than a backdoor intended as an easily exploitable point of attack.


But a government is very likely to have access into a local network.


This is why I've replaced all my home network gear's firmware with http://www.dd-wrt.com/site/index


I've found openwrt to be quite superior, especially config and packet management.


Also, if you're looking for open-source firmware for 3G/4G USB-enabled routers, then check out ROOter. ROOter is based on OpenWRT, and supports most of the popular routers and 3G/4G USB dongles.

http://ofmodemsandmen.com/supported.html


Agree. Packet management is mainly the reason I did the switch.


How many other embedded systems on our networks have these backdoors? As the number of important devices (Nest, I'm looking at you) on my home network increases, so does my risk profile.


I used to do R&D for the US defense industry. Three years back I was catching up with a friend from that industry and asked what they're up to these days. Her answer? Hacking into connected appliances (furnace, video games, espresso machines, etc) with the goal of turning them into listening devices, making them explode or catch fire, or otherwise malfunction.

If you can dream up a sick way to mess with people, odds are there is a government somewhere funding research into it.


You call it a sick way to mess with people, governments will refer to it as cyberwarfare. I'd say that the US / Israel's attacks on the Iranian uranium enrichment facilities (Stuxnet) was just a tame and reserved trial, and that most modern countries have plans in place that will unleash a devastating cyberattack on loads of internet-connected devices.

I'd say routers are particularly vulnerable, if only because they are smart (Linux) machines, but in most cases users will never check them for anything odd going on. As this article shows, it takes but a simple command for them to execute stuff, and given how Linux is a general purpose OS, they could install and perform any kind of task - like install backdoors and whatnot on the PCs behind the routers, which can then in turn be disabled or used in a massive botnet to perform a DDoS or other attacks on other systems.

Just think about the implications of there being a backdoor in every internet-connected computer system, or the consequences of all-out cyberwar.


A senior VP of a prominent credit card processing company in the US told me that he fields an average of 200,000 attacks originating from Chinese and Iranian IP addresses every day. Governments having backdoors everywhere would be terrifying.


You are completely correct. And I don't want to add fuel to the fire, but it gets even worse than that. Aside from backdoors and the security of these appliances/devices from a system perspective, what about network connectivity and the transport layer? Only recently, within the past few years [1], has SSL/443 become a requirement for some of the bigger organizations out there. Seems to me that security is often an afterthought. Smart Appliances/Devices run the same risks, and it stands to question; are they connecting securely? And if not, how long will it take them to secure their transport? Because even if that brand new IP-enabled Door Lock is secure from a system perspective, it wouldn't matter if someone can subvert the transport layer, take control, and open the Lock.

One of my Projects attempts to solve this problem for the new generation of IP-enabled Appliances/Devices. I plan to make the process painless and easy. Everyone wins, both customer/consumer and developers/providers. Does anyone want to build it with me?

[1] http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/14...


Off-topic: does anyone know what software was used to make graphics like http://www.devttys0.com/wp-content/uploads/2013/10/recvfrom.... ?


It's a feature in IDA.


You can get even better graphics out of Hopper.app, which is a great little program. Hopper will even do a decent first-pass conversion from assembly back to C.


Yet IDA Pro is much more mature and feature-rich, and it has become an industry standard. I wish there was an open-source alternative.


We use both, but when I can get away with using Hopper, I try to, because the UI is nicer, the program feels faster, and the Python extension interface is built right in.

Disassemblers are a good target for open source development. They're commercially valuable only for a very small subset of users, and the market leader is terribly mispriced relative to the value it provides, which drags the whole commercial market for them down.


Not only are they terribly mis-priced, it is very difficult for people that are not in the security industry but have an interest in reverse engineering to get access to the software because the author won't sell to them.


IDA 5.0 is available for free. Worth trying it out, for experimenting and for having fun :)

https://www.hex-rays.com/products/ida/support/download_freew...


Perhaps it's time for an open-source router. Does one exist? I would support a crowd-funded ADSL router.


There are open source (Linux based) firmwares such as OpenWRT [0].

[0] - https://openwrt.org/


The problem isn't a lack of software to put on hardware, it's a lack of hardware that doesn't go out of its way to thwart attempts to install different software, either intentionally or as a side-effect of being optimized for cost.

As an example of the latter, I have a Monoprice-rebadged Tenda W301A ceiling-/wall-mount AP on my desk. It only has 2 MB of flash and 16 MB of RAM. It has a TTL serial port, but the lines are broken out to surface pads that aren't even grouped together on the PCB. (They're not labelled on the silkscreen, either.) The version of u-boot it ships with is stripped down to nothing, probably because of the limited flash space available. For ≤$5 more on the BOM, these problems could be fixed, and the device would be considerably more useful.


There are devices with more RAM (32MB or 64MB) and with USB port(s) where you can mount a flash drive / external disk and install anything (like Transmission, or even Samba) on it and use as a poor man's NAS. For example the TP-Link MR-3020 is pretty much hackable [0].

[0] - http://wiki.openwrt.org/toh/tp-link/tl-mr3020


There are manufacturers who have product lines designed to be reflashed eg Netgear http://www.myopenrouter.com/


You might want to check out the Facebook Open Compute Project (http://www.opencompute.org/). The goal is to develop Open Hardware that the Open Source Software Community can then leverage. You can read more about the Networking Aspect at http://www.opencompute.org/projects/networking/

As an Engineer, I find the project completely fascinating. I believe that this project will (or already has) enhance Infrastructure/Datacenter Design and pave the way for the next generation of Software Defined Networking (SDN) Solutions. In some ways, the Open Compute Project is sort of flying under the radar. When you say Facebook to someone, they probably think of the Product. But if you take a look at what they're doing with this Project, and how it can impact underlying infrastructure, this is amazing. There are other things they're working on (not directly networking related) that are also amazing. Another project I find fascinating is the Prism Project (no, not the NSA one, the Facebook one). Right in line with Google's Spanner. Pretty cool stuff!


There's DD-WRT, and of course a ton of free routing software. But I think you mean open source hardware, which would be very difficult, considering the need for high-performing ethernet hardware and the like.


Have you looked into Snabb Switch? ( https://github.com/SnabbCo/snabbswitch/wiki )


Yeah, you're not going to replace modern networking chips very easily.

If it's China you are worried about, perhaps work with a domestic chip producer like Broadcom. The chips might be fabbed in China, but it would be pretty difficult for China to sneak a "phone home" module into a GDSII drop.


Kinda puts a new spin on whether RMS was too ideological with the tivoization clauses in GPLv3.


This is the closest thing to what you're looking for that I've come across. Last I heard, there will be a kickstarter when it's ready. http://www.bunniestudios.com/blog/?p=3265


That's exactly what I was looking for. Thanks.


In China, I think TP-Link is much better than D-Link and Tenda. Tenda is just rubbish; it's not easy to use. TP-Link is much easier to use, but I am not sure whether it has a backdoor.


Search for the backdoor keyword:

userRpmNatDebugRpm26525557


Hey, I guess PRISM belongs to China, too!

