UK is rattled over home router ssl; wavering public confidence; BBC malfeasance


 


photo credit: withheld at the request of multiple national security agencies.

In a major if somewhat technically embarrassing puff piece FOR GCHQ and co, the BBC does its duty as a state broadcaster: push the government line and cow the UK public.

“You would have to be a semi-professional to have…” sayeth the seer, a doctorate at (and even perhaps FROM) “Cambridge University”. No! You have to buy it at a supermarket – 2 aisles over from the cat food, or get it from the phone/cable company when they install it for you. ALL of them come with SSL capability. This is SUPERMARKET grade stuff, valued at 5 pints of beer. For obvious reasons, at that price point one SHOULD NOT EXPECT … too much strength or assurance in the encryption!

Ah, but you’d have to be a technically-minded semi-professional to turn it all on – since it’s typically not on by default! Well, that IS true – and was probably the line the spooky Dr. was SUPPOSED to deliver. Perhaps the BBC journalist, wanting to join the rather posh BBC establishment, asked several questions – to get the quote she wanted; and then only published the one that fit the desired policy line. This is normal use of media, by spooks trained in the propaganda arts, leveraging their 1930s superman will that SHALL “control the internet”.

But even that is ONLY half true – as there are several variants of SSL used commonly in wifi routers. Because the cable company remotely controls the configuration of the router, if you have broadband service, the “semi-professional” technician *can* turn it on REMOTELY and with trivial levels of skill – without you being involved. And so can the spook, with or without the participation of the telco. It’s normal exploit land to gain such access in the 5-pint-of-beer-grade wifi router (and then alter the configuration or the radio or crypto built into the firmware used by the programmable electronics). Think of it as changing the circuit board in your car radio… to filter out Radio Moscow so one heareth not other than a voice of the BBC (British “bias” corporation?) – noting that these days the whole process of making a software-based-radio that tunes in to the spooks needing to store your porn usage/search history for a rainy day, when blackmail is called for, and also tunes OUT any undesired voices… is about as hard as loading a new music file onto your $10 mobile music player! (This better-end and interesting cheaper crypto device is obtained from the checkout line at the supermarket and is probably more crypto-capable than the wifi home router over by the cat food, since music firms actually have something they don’t want you to have: copy power!)

BUT YOU’D NOTICE IT (or the phone company charged with “PROTECTING YOU (sic)” would). Well, two lies abound here. First, strange (free) BLACK MAGIC of self-signed certs WOULD WARD OFF GCHQ, being very frightening to them as they use their browsers to connect (sic). Second, having re-flashed the firmware, the semi-professional screens – that admittedly mom never uses – WOULD NOW SHOW that the feature had been turned on… giving the game away.

NOTE here the attempt to divert (away from certain technical areas onto something semi-technical and VISIBLE, called the remote administration feature of home routers). The issue with home ROUTERS is not that one connects TO THEM (as ssl sites or servers) using browsers. Rather, PCs often induce the router to open communication ports (including secure ports) to allow outsiders IN … to your PC – to do, ahem, let the KIDS play multi-player games… that arrange for the backchannel opening and the realtime play experience with voice and video (kid terrorists, assumed, of course).

Ah, GCHQ… leveraging the kids behaviours to snoop on others; such are the rights of children in the UK. Just another vector.

Secondly, home routers are typically now WIFI home routers – taking encrypted wireless signals and DECRYPTING them. Don’t forget that the spooks want THOSE decryption keys too (not that this has anything to do with openssl unless the wifi is using something called EAP-TLS…). Don’t forget how they rigged the original secure wifi standard – so it took, urr, 4s to cryptanalyze the keys – assuming, as can spooks, one sends 45k malformed packets that rolled through the crypto period.

Now, realize that it’s HARDER to first-time exploit an uncompromised PC BEHIND the home wifi router doing the SSL than to compromise the home router itself (though marginally harder). If the PC is doing the encryption, it is harder to get an “in”. So you WANT the home router to be doing the SSL FOR your PCs (so that the stealing of the keys happens at the most vulnerable point). And here the nature of PC to router auto-configuration helps – as it turns out that PCs regularly configure the secure ports on your router for you (an SSL handshake, delivered by guess-what… openssl typically. It’s a UDP-SSL handshake, if you care to know, that allows the PC to request the ports be opened).

SO, in summary, you see GCHQ and its spook friends in the BBC doing a typical UK psychology job. Since it won’t work, you will now see the NEXT Phase of UK policy – as it controls the issue. THREATS and FEAR; with some DEMONIZATION. One can be sure the BBC will be there to cover it (or the answers that fit the prepared script, anyways).

My advice? Beware the Cambridge doctor.

About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!