On Dec 31, 2013, at 8:32 AM, Saku Ytti <s...@ytti.fi> wrote: > I'm going to wait calmly for some of the examples being recovered from the > field, documented and analysed.
If I were Cisco/Juniper/et all I would have a team working on this right now.
It should be trivial for them to insert code into the routers that say,
hashes all sorts of things (code image, BIOS, any PROMS and EERPOMS and
such on the linecards) and submits all of those signatures back. Any
APT that has been snuck into those things should be able to be detected. For
most of them the signatures should be known, as the code shipped from the
factory and was never intended to be modified (e.g. BIOS). A transparent
public report about how many devices are running signatures they do not
know would be very interesting.
Plus, it's an opportunity to sell new equipment to those people, so they
can rid themselves of the infection.
I also wonder how this will change engineering going forward. Maybe the
BIOS should be a ROM chip, not an EEPROM again. Maybe the write line needs
to be run through a physical jumper on the motherboard that is normally
not present.
Why do we accept our devices, be it a PC or a router, can be "persistently"
infected. The hardware industry needs to do better.
--
Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
signature.asc
Description: Message signed with OpenPGP using GPGMail
