The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news over the past month, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.
Vulnerability in 100+ Cisco Product Families Gives Attackers a Stealthy, Persistent Presence
Red Balloon Security recently disclosed a security vulnerability in Cisco's Trust Anchor module that allows attackers who have gained an initial foothold on a Cisco device to subvert the entire trusted boot process. The vulnerability, called Thangrycat, stems from a hardware design flaw that lets an attacker modify the FPGA bitstream that programs the Trust Anchor module. Because the module is the hardware root of trust for the entire trusted boot process, an attacker could take complete, persistent control of a compromised device in a way that is difficult to detect. Cisco has disclosed more than 100 product families that are affected by this vulnerability.
IISP Analyst Joel Odom: When we consider that Cisco's networking devices pervade the internet and are often the first line of defense against network-based attackers, the ability to deploy a low-level, stealthy, persistent compromise of so many Cisco networking devices on the market is an advanced attacker's dream. This could be big since Thangrycat stems from a hardware design problem that will likely be difficult to patch. Even Cisco's announcement says that most devices will require "on-premise" reprogramming. Proof-of-concept code for Thangrycat exists, so this one looks real.
From a technical perspective, Thangrycat is interesting because it involves manipulation of an FPGA bitstream, which is a difficult thing to do. To exploit Thangrycat, an attacker must first gain administrative access to the Cisco device, and Red Balloon has released a second vulnerability that allows just that. With administrative access, the attacker can modify the FPGA bitstream, which is stored on an unprotected flash chip. When the compromised device next boots, the malicious bitstream loads into the trust anchor module. Since the attacker controls the trust anchor for the boot process, the attacker can prevent the operating system from detecting its compromise, giving the attacker a persistent, stealthy foothold on the compromised Cisco device.
You could argue that an attacker who already has privileged administrative access to the device already has enough control over the device, but, as Cory Doctorow points out in his analysis of Thangrycat, the trusted boot process is supposed to prevent malicious control of the device from becoming persistent and stealthy. It's exactly this subversion of the trusted boot process that allows persistence and stealth, which is exactly the kind of control that an advanced attacker requires.
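To make the structural point concrete, here is an added toy model, written for this page and not code from Red Balloon, Cisco, or the analyst quoted above. It contrasts a trusted-boot chain whose root-of-trust logic is itself loaded from writable flash with one whose logic is pinned by a digest in immutable memory. Everything in it is constructed: HMAC-SHA256 stands in for the real signature scheme, the flash region names, keys and images are invented, and the "bitstream" is reduced to a JSON policy saying which key the anchor trusts and whether it halts on a bad signature.

```python
"""
Toy model: a hardware root of trust whose own logic (the bitstream) is loaded
from mutable flash versus one anchored by a digest in one-time-programmable
memory. Constructed for illustration only; HMAC-SHA256 is a stand-in for a
real signature scheme, and every key, region name and image is made up.
"""
import hashlib
import hmac
import json

ROOT_KEY = b"vendor-root-key"      # constructed stand-in for the vendor's signing key
ATTACKER_KEY = b"attacker-key"     # constructed


def sign(key: bytes, image: bytes) -> bytes:
    """Stand-in for image signing (HMAC instead of an asymmetric signature)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def make_bitstream(key: bytes, enforce: bool = True) -> bytes:
    """The 'bitstream' is the policy the anchor enforces: which key it trusts
    and whether a failed check actually halts the boot."""
    return json.dumps({"trusted_key": key.hex(), "enforce": enforce}).encode()


def factory_flash() -> dict:
    """Flash contents as shipped: genuine bitstream and a vendor-signed bootloader."""
    bootloader = b"vendor bootloader v1"
    return {
        "tam_bitstream": make_bitstream(ROOT_KEY),
        "bootloader": bootloader,
        "bootloader_sig": sign(ROOT_KEY, bootloader),
    }


def trust_anchor_verify(bitstream: bytes, image: bytes, sig: bytes) -> bool:
    """What the anchor does after its bitstream is loaded: check the next
    stage against whatever key and policy the bitstream says to use."""
    policy = json.loads(bitstream)
    key = bytes.fromhex(policy["trusted_key"])
    signature_ok = hmac.compare_digest(sign(key, image), sig)
    return signature_ok or not policy["enforce"]


def boot_unanchored(flash: dict) -> str:
    """Vulnerable model: the anchor's logic is read from writable flash and
    never checked, so whoever can write flash decides what 'verified' means."""
    if trust_anchor_verify(flash["tam_bitstream"], flash["bootloader"],
                           flash["bootloader_sig"]):
        return "booted: " + flash["bootloader"].decode()
    return "halted: bootloader signature invalid"


# Hardened model: a digest of the genuine bitstream burned into OTP memory at
# manufacture. Modelled here as a constant computed from the factory image;
# the property that matters is that an attacker with admin access cannot write it.
OTP_BITSTREAM_DIGEST = hashlib.sha256(make_bitstream(ROOT_KEY)).digest()


def boot_anchored(flash: dict) -> str:
    """Same chain, but the bitstream must match the immutable digest before
    the anchor's logic is trusted to verify anything else."""
    observed = hashlib.sha256(flash["tam_bitstream"]).digest()
    if not hmac.compare_digest(observed, OTP_BITSTREAM_DIGEST):
        return "halted: trust anchor bitstream tampered"
    if trust_anchor_verify(flash["tam_bitstream"], flash["bootloader"],
                           flash["bootloader_sig"]):
        return "booted: " + flash["bootloader"].decode()
    return "halted: bootloader signature invalid"


def attacker_with_admin_access(flash: dict) -> dict:
    """An attacker who can already write flash swaps in a bitstream that trusts
    their own key, then installs a bootloader signed with that key. The result
    'verifies' on the next boot, so the OS sees a clean chain."""
    tampered = dict(flash)
    tampered["tam_bitstream"] = make_bitstream(ATTACKER_KEY)
    tampered["bootloader"] = b"implanted bootloader"
    tampered["bootloader_sig"] = sign(ATTACKER_KEY, tampered["bootloader"])
    return tampered


if __name__ == "__main__":
    print(boot_unanchored(factory_flash()))
    print(boot_unanchored(attacker_with_admin_access(factory_flash())))
    print(boot_anchored(attacker_with_admin_access(factory_flash())))
```

The model shows why the problem is hard to patch in software: the unanchored boot does check the bootloader's signature, and a bootloader-only implant is refused, but the check is only as trustworthy as the logic performing it. Once the attacker can rewrite that logic, every later stage inherits a lie. Moving the pinning digest into flash would not help, since the same admin access could rewrite it; the digest (or the bitstream itself) has to live somewhere the running system cannot write, which is why a fix that is not already built into the hardware ends up requiring physical reprogramming.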
Is President Trump's Ban on Transactions Between the U.S. and "High-Risk Companies" Aimed at One Chinese Manufacturer?
In the most recent move against the Chinese telecom company Huawei, President Trump has issued an executive order that bans transactions between high-risk companies (including Huawei) and U.S. companies [1]. Huawei, which manufactures smartphones popular in most of the world, is already largely unable to sell its products in the U.S. market. This move also prevents it from using U.S. products, including computer chips and Google's licensed version of the Android operating system, in its smartphones. The U.S. has long accused Huawei of security problems, including both unintentional security vulnerabilities and deliberately inserted backdoors at the behest of the Chinese government. The U.S. has also accused Huawei of intellectual property theft and anti-competitive practices. Huawei maintains that there is no proof of the accusations and that the U.S. government is itself engaging in anti-competitive practices.
IISP Analyst Kennon Bittick: This move comes in the context of the rollout of new 5G cellular networks. Huawei is one of the only companies [1] that manufactures the backbone equipment necessary for 5G networks and is trying to get into worldwide markets. They have met stiff resistance from the U.S., which is concerned about covert surveillance and backdoors that could be present in the equipment. Since the 5G networks will route a huge amount of network traffic, any backdoors could be potentially devastating.
Because of the timing with the rollout of 5G networks, as well as the ongoing trade war with the U.S., Huawei has said that the ban is motivated by politics and will result in the U.S. 5G network lagging behind most of the world [2]. Indeed, Huawei is now suing the U.S. government, saying that the ban is unconstitutional [3].
The U.S., on the other hand, maintains that Huawei is a threat to national security. Despite the fact that Huawei says the claims are unsubstantiated, there have been a number of concerning incidents in the past. Vodafone says that they found a serious security vulnerability in Huawei equipment [4], and that even after Huawei said the issue was resolved, the vulnerability appeared to still be present. It is difficult to determine whether the security vulnerability was an oversight or a deliberate backdoor, but either way, it is concerning that such a vulnerability could exist in critical equipment.
In addition, there have been a few known instances of intellectual property theft by Huawei. For example, there are allegations that Huawei attempted to steal information about a phone testing robot from T-Mobile [5]. In addition, there was a lawsuit between Cisco and Huawei about source code theft and the use of a proprietary Cisco protocol [6].
Due to these issues, the U.S. government has aggressively criticized Huawei and encouraged its allies not to use Huawei products. However, Huawei continues to be extremely popular, especially in Asia, Africa, and South America. Perhaps the allegations will lead to definitive answers in the Huawei lawsuit against the U.S. government. The result could either increase Huawei's worldwide popularity or cause Huawei to lose market share if the security accusations are validated.