Thought of a network security question and wondering if it makes sense


coffeeprogrammer

Jul 19, 2021
I thought of a networking security question. The idea goes something like this. There are networking stacks that exist that are not IP; the internet works on IP and the ability for it to be routed. Steve went over this many years ago, why NAT is effective and the usefulness of Shields Up. With the iPhone backdoor we have an idea that companies do put back doors in for various reasons. With an ISP-supplied router or a popular brand name, could they have a secret networking stack that would allow someone in, and it would not be from an IP-style packet? This might not work from far away because the traffic would have to be routed, but at an ISP level, if they knew that a router had a backdoor then they would not have to route over the internet to get to it, just be at the other end of the wire.

Assuming that such a router would let someone in with an alternative network stack, the next question is what would that mean for the hosts running on that network? Most systems running on a local subnet would be IP, but could a software vulnerability that existed on one of those hosts then be used to get in after getting past the router/NAT firewall? Or could an operating system vendor include a networking stack that is hidden from the user? When I was thinking about this, I decided that it would be too difficult for me, or most people perhaps, to figure out if there were a hidden network stack in Windows or some other massive OS. But some router operating systems are open source, and the ones that are not open source could be reverse engineered to find a hidden network stack. What would be the case then? Even if a reverse-engineered router OS were fully understood, could it still hide a back door by using something in hardware? In the iPhone situation, if you had a static image of what was running on the iPhone and you 100% understood everything, you would not see the back door, because there is nothing in the code that is using it. It was only discovered when it was being used.

Could that exist in my idea about a router? The backdoor could be there, but without understanding everything from the hardware you would never see it. Only from seeing how the software was using it was it discovered. At least that is what I understand about the Apple iPhone example. I had one other thought: what if the networking stack had a particular code to let someone in for an exact IP with an exact payload? In that case, the ISP would have to send fake IP packets to the router that command it to open its backdoor. At least that is what I was thinking in the case of staying within the IP networking stack.



So is there anything to this idea of backdoor networking stacks? Is this something that could be hidden in routers? Could reverse engineering find it in a simple router? Would an open-source router OS be 100% effective in this case? Or could it be, in theory, hidden only in the hardware? If it were hidden in hardware, then putting a custom trusted OS on the router would destroy that, I think.
 
Also, if you were to capture all of the traffic to and from your router, then would you be able to see the back door traffic? This would be the case because everything is just binary data, so if you could filter out the normal stuff, then you would see the backdoor traffic? Would that be a correct understanding?
 
Just a little stream of consciousness.

In theory an off-the-shelf router could have a port knocking sensing capability. Either the company put it there deliberately or their supply chain for the software was compromised. Very much like the Apple silicon story.

Either way the evil one could have root level WAN access. Finding it would require you to have a safe router with logging between the internet and the bad router, let all packets through, and then analyze the data to discover the conversation. Even if you capture the conversation, it could be encrypted.

I guess the answer is to just put in a trusted router and block.
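The capture-and-filter idea in the question (record everything to and from the router, strip out the normal traffic, see what is left) and the reply's suggestion of a logging router in front of the suspect one can be turned into a small audit of a WAN-side capture. The Python below is an added example, not code from this thread: it builds a constructed sample of Ethernet frames (fake addresses, no real traffic) and flags the two things the thread speculates about, frames whose EtherType is not IPv4, ARP or IPv6 (traffic for a non-IP stack) and a single source sending TCP SYNs to several distinct ports (a knock-like pattern). The frame-builder helpers, the knock threshold and the sample addresses are all assumptions.

```python
import socket, struct
from collections import defaultdict

# EtherTypes a router's WAN link is expected to carry; a non-IP stack would use something else.
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def make_frame(etype, payload=b""):
    """Minimal Ethernet frame with constructed (fake) MAC addresses."""
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", etype) + payload

def make_syn(src_ip, dport, dst_ip="192.0.2.1"):
    """IPv4/TCP SYN frame with no options and a zero checksum (constructed sample)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return make_frame(0x0800, ip + tcp)

def tcp_syn(frame):
    """Return (src_ip, dst_port) for an IPv4 TCP SYN (not SYN-ACK), else None."""
    if frame[23] != 6:                      # IPv4 protocol field: 6 = TCP
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]   # skip Ethernet header + IHL*4 bytes of IP header
    if tcp[13] & 0x02 and not tcp[13] & 0x10:   # SYN set, ACK clear
        return ".".join(str(b) for b in frame[26:30]), struct.unpack("!H", tcp[2:4])[0]
    return None

def audit(frames, knock_len=3):
    """Flag frames of unexpected EtherType and sources sending SYNs to several distinct ports."""
    findings, syn_ports = [], defaultdict(set)
    for i, f in enumerate(frames):
        if len(f) < 14:
            findings.append("frame %d: truncated (%d bytes)" % (i, len(f)))
            continue
        etype = struct.unpack("!H", f[12:14])[0]
        if etype not in KNOWN_ETHERTYPES:
            findings.append("frame %d: unexpected EtherType 0x%04x" % (i, etype))
        elif etype == 0x0800 and len(f) >= 54 and (syn := tcp_syn(f)):
            syn_ports[syn[0]].add(syn[1])
    for src, ports in syn_ports.items():
        if len(ports) >= knock_len:
            findings.append("%s: SYNs to %d distinct ports %s, knock-like" % (src, len(ports), sorted(ports)))
    return findings

# Constructed sample: a normal connection attempt, ARP, a 3-port knock, and one non-IP frame.
SAMPLE_FRAMES = [
    make_syn("203.0.113.10", 443),
    make_frame(0x0806, b"\x00" * 28),
    *[make_syn("198.51.100.7", p) for p in (7000, 8000, 9000)],
    make_frame(0x88B5, b"\xde\xad\xbe\xef"),
]
```

On a real capture you would feed `audit()` frames read from a pcap instead of `SAMPLE_FRAMES`. The heuristics are deliberately crude and will also flag ordinary port scans, so they are a starting point for filtering the capture down, not proof of a backdoor.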