Hi,

some approaches were discussed in 2010 by Graeme Neilson from NZ here:

https://www.troopers.de/wp-content/uploads/2012/10/TROOPERS10_Netscreen_of_the_Dead_Graeme_Neilson.pdf

In a later year, at the same conference, he gave a private session demonstrating basically the same stuff for JunOS, as ongoing (and, at the time, non-public) research.

Happy NYE to everybody

Enno

On Tue, Dec 31, 2013 at 06:50:11PM +0200, Saku Ytti wrote:
> On (2013-12-31 09:03 -0600), Leo Bicknell wrote:
>
> > If I were Cisco/Juniper/et al. I would have a team working on this right
> > now.
> > It should be trivial for them to insert code into the routers that, say,
> > hashes all sorts of things (code image, BIOS, any PROMs and EEPROMs and
> > such on the linecards) and submits all of those signatures back. Any
>
> I asked earlier today JTAC (#2013-1231-0033) and JTAC asked SIRT for a tool to
> read BIOS and output a SHA2 or SHA3 hash, and such a tool does not exist yet. I'm
> dubious, it might be possible even with existing tools. At least it's possible
> to reflash the BIOS with stock JunOS, as a lot of us had to do due to
> misformatted SSD disks.
>
> But fully agreed some of these sanity checks should be added; it's not a cure-all,
> maybe the attack changes the answers before showing them, maybe the BIOS
> comes infected from Juniper or from Kontron. But it would create an additional
> barrier.
>
> I also emailed Kontron and told them it would be prudent for them to do a press
> release also. Just to know what their public/official statement is.
>
> > I also wonder how this will change engineering going forward. Maybe the
> > BIOS should be a ROM chip, not an EEPROM again. Maybe the write line needs
> > to be run through a physical jumper on the motherboard that is normally
> > not present.
>
> We can take a page from the XBOX360, which is designed to be resistant against attack
> with physical access. The key idea is to use PKI and hide the key in such a place
> where it's difficult to recover, namely, if it's inside a modern-lithography CPU
> in read-only, it's just a financially unviable vector. MS just goofed and forgot
> to sign the DVD firmware.
>
> > Why do we accept our devices, be it a PC or a router, can be "persistently"
> > infected. The hardware industry needs to do better.
>
> I'm still taking all these revelations with a grain of salt, until a real
> specimen is dissected.
>
> --
> ++ytti

--
Enno Rey
ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================
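The thread above argues two things: that hashing the BIOS, code image and linecard PROMs against vendor-published digests would raise the bar, and that such a self-check is only as honest as the firmware answering it ("maybe the attack changes the answers before showing them"). The following is an added illustration of both points, written for this page and not code from the thread, Juniper, Kontron or ERNW. The firmware blobs, the manifest format and the agent names are constructed for the example; SHA-256 is used as a stand-in for whichever SHA2/SHA3 digest a vendor would publish.

```python
import hashlib
from typing import Dict, List

# Constructed sample images standing in for a BIOS/boot ROM and a code image.
# These are NOT real router firmware; they exist only so the example runs offline.
STOCK_BIOS = b"BIOS v1.0 constructed-sample " * 64
STOCK_CODE = b"JUNOS image constructed-sample " * 64


def measure(blob: bytes) -> str:
    """SHA-256 hex digest of one firmware region: the per-region 'signature'
    the thread proposes submitting back to the vendor."""
    return hashlib.sha256(blob).hexdigest()


# Hypothetical vendor baseline: region name -> known-good digest.
MANIFEST: Dict[str, str] = {
    "bios": measure(STOCK_BIOS),
    "code": measure(STOCK_CODE),
}


def tamper(blob: bytes, offset: int = 100) -> bytes:
    """Flip one byte to simulate a modified/implanted image."""
    b = bytearray(blob)
    b[offset] ^= 0x01
    return bytes(b)


def verify(reported: Dict[str, str], manifest: Dict[str, str]) -> List[str]:
    """Names of regions whose reported digest differs from the manifest
    (a missing region counts as a mismatch)."""
    return sorted(name for name, good in manifest.items()
                  if reported.get(name) != good)


def hash_regions(regions: Dict[str, bytes]) -> Dict[str, str]:
    """Measure what is actually in flash. This is what an uncompromised
    on-box agent reports, and also what an out-of-band readout (e.g. a
    programmer clipped onto the SPI flash) computes from a raw dump."""
    return {name: measure(blob) for name, blob in regions.items()}


def lying_agent(regions: Dict[str, bytes], stock: Dict[str, str]) -> Dict[str, str]:
    """An implant-controlled on-box agent: it ignores flash contents and
    replays the stock digests, so the self-check passes while the
    BIOS is modified."""
    return {name: stock[name] for name in regions}


def scenario() -> Dict[str, List[str]]:
    """Run the check in four situations and return the mismatch list of each."""
    clean = {"bios": STOCK_BIOS, "code": STOCK_CODE}
    implanted = {"bios": tamper(STOCK_BIOS), "code": STOCK_CODE}
    return {
        # clean box, honest agent: nothing to report
        "clean_honest": verify(hash_regions(clean), MANIFEST),
        # implanted box, agent not subverted: the BIOS change is caught
        "implanted_honest": verify(hash_regions(implanted), MANIFEST),
        # implanted box, agent subverted: the check is silently defeated
        "implanted_lying": verify(lying_agent(implanted, MANIFEST), MANIFEST),
        # implanted box, measurement taken outside the box: caught again
        "implanted_external": verify(hash_regions(implanted), MANIFEST),
    }


if __name__ == "__main__":
    for name, mismatches in scenario().items():
        print(f"{name:20s} mismatches={mismatches or 'none'}")
```

The "implanted_lying" case is the caveat in the thread: a digest produced by code running on the suspect device is a claim, not evidence, unless the measuring code is itself rooted in something the implant cannot rewrite (a true ROM, a write line behind a physical jumper, or a key burned into the CPU as in the XBOX360 comparison). Reading the flash out of band and hashing the dump removes that dependency at the cost of a screwdriver.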