[personal profile] maxomai
Editorial: Bruce Schneier is one of the most trusted names in computer security. He literally wrote the book on Applied Cryptography. Until recently, he was the Chief Security Officer at British Telecom, and he recently joined as Chief Technology Officer for a startup, Co3Systems. His opinion carries a lot of weight in the security world, which is part of the reason why his critiques of the US National Security effort after 9/11 have been so damning.

Below, we are shown an example of how the NSA has exploited a commonly used firewall appliance.

By the way - if the NSA has this exploit, so does everyone to whom the NSA has divulged the details of this exploit, willingly or unwillingly, officially or unofficially.

--maxomai

Originally posted by bruce_schneier at HALLUXWATER: NSA Exploit of the Day

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog:



HALLUXWATER

(TS//SI//REL) The HALLUXWATER Persistence Back Door implant is installed on a target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, the PBD installer software will find the needed patch points and install the back door in the inbound packet processing routine.



Once installed, HALLUXWATER communicates with an NSA operator via the TURBOPANDA Insertion Tool (PIT), giving the operator covert access to read and write memory, execute an address, or execute a packet.



HALLUXWATER provides a persistence capability on the Eudemon 200, 500, and 1000 series firewalls. The HALLUXWATER back door survives OS upgrades and automatic bootROM upgrades.



Status: (U//FOUO) On the shelf, and has been deployed.



Page, with graphics, is here. General information about TAO and the catalog is here.



In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.



This one is a big deal politically. For years we have been telling the Chinese not to install hardware back doors into Huawei switches. Meanwhile, we have been doing exactly that. I wouldn't want to have been the State Department employee to receive that phone call.
