Hi,

some approaches were discussed in 2010, by Graeme Neilson from NZ here:

https://www.troopers.de/wp-content/uploads/2012/10/TROOPERS10_Netscreen_of_t...

a later year, at the same conference, he gave a private session demonstrating basically the same stuff for JunOS, as ongoing (and, at the time, non-public) research.

happy NYE to everybody

Enno

On Tue, Dec 31, 2013 at 06:50:11PM +0200, Saku Ytti wrote:
On (2013-12-31 09:03 -0600), Leo Bicknell wrote:
If I were Cisco/Juniper/et al. I would have a team working on this right now. It should be trivial for them to insert code into the routers that, say, hashes all sorts of things (code image, BIOS, any PROMs and EEPROMs and such on the linecards) and submits all of those signatures back. Any
I asked JTAC earlier today (#2013-1231-0033) and JTAC asked SIRT for a tool to read the BIOS and output a SHA2 or SHA3 hash, and such a tool does not exist yet. I'm dubious, it might be possible even with existing tools. At least it's possible to reflash the BIOS with stock JunOS, as a lot of us had to do due to misformatted SSD disks. But fully agreed some of these sanity checks should be added, it's not a cure-all, maybe the attack changes the answers before showing them, maybe the BIOS comes infected from Juniper or from Kontron. But it would create an additional barrier.
I also emailed Kontron and told them it would be prudent for them to do a press release also. Just to know what their public/official statement is.
I also wonder how this will change engineering going forward. Maybe the BIOS should be a ROM chip, not an EEPROM again. Maybe the write line needs to be run through a physical jumper on the motherboard that is normally not present.
We can take a page from the XBOX360, which is designed to be resistant against attack with physical access. The key idea is to use PKI and hide the key in such a place where it's difficult to recover, namely, if it's inside a modern lithography CPU in read-only, it's just a financially unviable vector. MS just goofed and forgot to sign the DVD firmware.
Why do we accept that our devices, be it a PC or a router, can be "persistently" infected? The hardware industry needs to do better.
I'm still taking all these revelations with a grain of salt, until a real specimen is dissected.
-- ++ytti
--
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902

Commercial register Mannheim: HRB 337135
Managing director: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================
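
Added example, not part of the original thread and not vendor code: one way an operator could use the per-component hashes discussed above (code image, BIOS) once devices report them, comparing each digest to a vendor baseline where one exists and otherwise to the majority of identical devices in the fleet. All names and sample images are constructed assumptions, and the check inherits the caveat raised in the thread that a compromised device may report false answers.

```python
import hashlib
from collections import Counter, defaultdict

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def find_outliers(reports, baseline=None):
    """reports: iterable of (device, model, version, component, digest).
    baseline: optional {(model, version, component): digest} from the vendor.
    Returns a sorted list of (device, component, reason)."""
    baseline = baseline or {}
    groups = defaultdict(list)
    for device, model, version, component, digest in reports:
        groups[(model, version, component)].append((device, digest))
    findings = []
    for key, members in groups.items():
        if key in baseline:
            expected, reason = baseline[key], "differs from vendor baseline"
        else:
            counts = Counter(d for _, d in members).most_common()
            tied = len(counts) > 1 and counts[0][1] == counts[1][1]
            # Without a clear majority there is no reference to compare to.
            if len(members) < 3 or tied:
                findings += [(dev, key[2], "no reference: cannot verify")
                             for dev, _ in members]
                continue
            expected, reason = counts[0][0], "differs from fleet majority"
        findings += [(dev, key[2], reason)
                     for dev, d in members if d != expected]
    return sorted(findings)

# Constructed sample data: byte strings standing in for dumped images.
STOCK_BIOS = b"constructed stock BIOS image"
ALTERED_BIOS = STOCK_BIOS + b" plus extra bytes"
STOCK_OS = b"constructed OS image"

def sample_reports():
    rows = []
    for dev in ("r1", "r2", "r3", "r4"):
        bios = ALTERED_BIOS if dev == "r3" else STOCK_BIOS
        rows.append((dev, "modelX", "1.0", "bios", sha256_hex(bios)))
        rows.append((dev, "modelX", "1.0", "os-image", sha256_hex(STOCK_OS)))
    # A lone device of another model: nothing in the fleet to compare with.
    rows.append(("edge9", "modelY", "2.0", "bios", sha256_hex(STOCK_BIOS)))
    return rows

if __name__ == "__main__":
    for finding in find_outliers(sample_reports()):
        print(finding)
```
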