Der Spiegel recently ran an article on how the NSA is re-routing shipments of ASAs from Cisco through to their TAO (Tailored Access Operations) centers and implanting JETPLOW, a firmware modification which alters the OS on booting, giving the NSA a backdoor into the router and, in conjunction with their BANANAGLEE exploit, the ability to send data on to the NSA.
Scary shit right?
Probably not, but it has got many people scared, and understandably so.
What is JETPLOW?
According to this leaked document, JETPLOW is a modification of the ASA firmware.
It works on the PIX 500 series and ASA series 5505, 5510, 5520, 5540 and 5550. You can see some pictures of JETPLOW being installed below (well, kind of: it's a Cisco device on a desk, but it's from a leaked document):
Should I be worried?
That depends really. The point here is that this is all targeted, it is not routinely done on all of the ASAs, just ones destined for companies targeted by the NSA. If you are worried about the ASA and are thinking about ditching all your Cisco equipment then you really need to think about who you are going to choose next, as well as your whole stance on being on the internet.
Cisco are not alone
Cisco is not the only vendor affected. Juniper is affected in the same way by the FEEDTHROUGH, SOUFFLETHROUGH, GOURMETTHROUGH, STUCCOMONTANA, SIERRAMONTANA and SCHOOLMONTANA modifications, and Huawei by the HALLUXWATER and HEADWATER modifications. These are just the ones that have been leaked; whether they are doing the same to, say, Arista or HP, who knows. Again, there is nothing to suggest that every device is affected. I am sure that the NSA have better things to do than retro-fit every single router and firewall that they can get their hands on, and they probably aren't interested in you either. They are more interested in terrorists and threats to their own country than in reading about what you did on holiday, or listening to you order your lunch, which they could do, as they have the technology. There is a massive list of known NSA/GCHQ exploits here. It's an impressive list.
Did Cisco know about JETPLOW?
Cisco say that they were unaware. Considering that John Chambers, CEO of Cisco, has written an open letter to the President asking him to curtail the NSA's activities, and that Cisco are being very open about this in the forums, along with their Trustworthy Systems initiative, I would say Cisco probably weren't aware. They are a multi-billion-dollar company built on being best-of-breed; they are not going to sell out their customers for a few gold coins.
If you read the above forum link there are a lot of people who believe that Cisco was complicit in this. There are a number of comments on the blog that suggest that they (the commenters) will be throwing their Cisco hardware "in the trash"; it's this kind of knee-jerk reaction that fuels the fire. But it's also misguided and short-sighted. You do know how the internet runs, right? Your traffic goes from A to B. In between A and B are a whole bunch of routers and companies that can be shaping traffic on their own behalf, or on behalf of the country they are in, for any purpose they want. You might have thrown Cisco out of your door, but you may also have introduced something that is equally or more susceptible to manipulation, and your data still travels along paths that may also be tapped. Anyway, if you have something to hide then they'll probably have targeted your computer anyway.
What are Cisco doing about it, and can I check for JETPLOW?
Cisco are working on a forensic toolsuite. I have no idea when it's going to be released, but they are working on it.
Frankly, nothing is safe on the computer, or on the internet. As one commenter (Adelaide_girl) said on the Cisco forum, "…every wall one man can build, another can tear down". This is very true. I will be testing the ASAs I look after once the toolsuite is released. Do I expect to find anything that will cause concern? No, not in the slightest. If I thought I were being targeted by the NSA then I would be checking much, much more than just my firewall; they are probably in my iPhone (using DROPOUT JEEP), or watching everything I do on my screen with a $30 device called RAGEMASTER.
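Until a vendor toolsuite exists, the basic check a defender can do today is a baseline comparison: hash the images stored on the device and compare them against the hashes the vendor publishes for that release. The script below is an added example written for this post; it is not Cisco's forensic tool and it does not detect JETPLOW specifically. The file names and hashes in it are constructed for the demo, not real ASA image hashes. It classifies each image as ok, modified, unexpected (present on the device but not in the baseline) or missing (in the baseline but not on the device).

```python
"""Baseline hash check for firmware images pulled from a device's flash.

Added example, not vendor code. All sample image contents, file names and
baseline hashes below are constructed for the demo.
"""
import hashlib
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory image."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file on disk, read in chunks so large images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_to_baseline(observed: dict, baseline: dict) -> dict:
    """Classify observed images (name -> sha256 hex) against a vendor baseline.

    Returns a dict with four lists: ok, modified, unexpected, missing.
    A 'modified' or 'unexpected' entry is a reason to pull the box for a
    closer look; a clean result only covers the files you hashed, not the
    boot ROM/BIOS, so it is a baseline check rather than proof of absence.
    """
    result = {"ok": [], "modified": [], "unexpected": [], "missing": []}
    for name, digest in observed.items():
        expected = baseline.get(name)
        if expected is None:
            result["unexpected"].append(name)
        elif digest.lower() == expected.lower():
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    for name in baseline:
        if name not in observed:
            result["missing"].append(name)
    return result


def verify_directory(directory, baseline: dict) -> dict:
    """Hash every regular file in a directory of copied-off images and classify it."""
    observed = {
        path.name: sha256_file(path)
        for path in Path(directory).iterdir()
        if path.is_file()
    }
    return compare_to_baseline(observed, baseline)


# --- constructed demo data (hypothetical file names, not real images) ---
GOOD_OS_IMAGE = b"SAMPLE-OS-IMAGE-CONTENTS"
TAMPERED_OS_IMAGE = GOOD_OS_IMAGE + b"\x00SAMPLE-EXTRA-BYTES"
GOOD_GUI_IMAGE = b"SAMPLE-GUI-IMAGE-CONTENTS"

# In practice this baseline is the vendor's published hash list for the release.
BASELINE = {
    "sample-os.bin": sha256_bytes(GOOD_OS_IMAGE),
    "sample-gui.bin": sha256_bytes(GOOD_GUI_IMAGE),
}


def demo() -> dict:
    """Simulate a device whose OS image was altered, has an unknown extra
    file, and is missing the GUI image from the baseline."""
    observed = {
        "sample-os.bin": sha256_bytes(TAMPERED_OS_IMAGE),
        "unknown-extra.bin": sha256_bytes(b"SAMPLE-UNKNOWN-FILE"),
    }
    return compare_to_baseline(observed, BASELINE)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:10s} {names}")
```

Run it as-is for the constructed demo, or call `verify_directory()` on a folder of images copied off a device together with the vendor's hash list. Keep the baseline itself somewhere the device cannot write to; a baseline stored on the box being checked is only as trustworthy as the box.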
The long and short of it is that if you have nothing to hide then you have nothing to worry about.
EDIT: I have retracted my last sentence, as it was (rightly) pointed out in the comments that there is a good argument that this could potentially open up the floodgates for more subversive usage.
Sorry, but I have to disagree with your last sentence, for much the same reasons most other security professionals would. Diminishing the problem down to whether I have anything to hide or not is quite absurd. We sell security. We gain the trust of our clients that we are providing a secure and robust environment for their systems. Right now the NSA are the only ones with this capability, but in time you will see variants of their success start to pop up here and there now that malicious coders know the mechanics of how it works.
This isn't just about the NSA, it's about threats in general.
Hi Kev, thanks for your comment. I can totally see where you are coming from, but my point in general is that this isn't a wholesale modification of every ASA (or, for that matter, Juniper NetScreen etc.); it's targeting those already flagged by the NSA and/or other such security departments.
Will malicious coders be able to achieve the same? It's possible, but it's only the NSA that have the power to regularly re-route shipments to their TAO centers, and once Cisco release their forensic kit, detection of any malicious code should be as possible as for any computer-based threat.
I do agree that my last sentence was probably an oversimplification of the issue at hand, but I still do not believe that this is as widespread as the media would have us believe.
I will retract the last sentence, and thanks again for your comment.