soretuor
just joined
Topic Author
Posts: 2
Joined: Fri Sep 13, 2013 9:09 pm

NSA and routeros

Fri Sep 13, 2013 9:15 pm

Hello, Mikrotik Team!
Does RouterOS have any backdoors for NSA?

Thanks.
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: NSA and routeros

Tue Sep 17, 2013 5:37 am

> Hello, Mikrotik Team!
> Does RouterOS have any backdoors for NSA?
>
> Thanks.
Mikrotik is not in USA.
 
raz
Member Candidate
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: NSA and routeros

Tue Sep 17, 2013 12:35 pm

Maybe not NSA but what about FSB ;-)

Maybe the Tilera CPU has some Backdoors? No one knows. Your Bandwidth gets also mirrored on the IX Points, don't worry.
 
AlArenal
Member Candidate
Posts: 131
Joined: Thu Aug 01, 2013 5:24 pm
Location: Iserlohn, Germany

Re: NSA and routeros

Tue Sep 17, 2013 4:44 pm

> Maybe the Tilera CPU has some Backdoors?
Yeah, it probably has integrated 40G wireless connection going directly to the NSA, so it can mirror each and every bit.

A backdoor isn't of much use if you don't get close enough to pull the handle.
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: NSA and routeros

Tue Sep 17, 2013 4:52 pm

There's always packet sniffers like Wireshark one can use to confirm or deny the existence of any traffic sent over any interface for whatever reason.

RouterOS doesn't have any backdoors that anyone would know of. If there are, they certainly don't advertise themselves in any way for packet sniffers to detect them*. Thus, even if there are such backdoors, the NSA wouldn't know in advance** - they'd have to probe the router, at which point, that's not really a "backdoor" per se - it's a "hacker attack attempt", and MikroTik have a good track record of mitigating those.

@soretuor
If you seriously suspect MikroTik having done this... do you honestly believe that they'd also openly admit to it? Or would you take their "No" as even further confirmation?

* Well... except for the MNDP UDP packets, but those merely announce "Hey, I'm a MikroTik router, version X", not "Hey, read my data over port X with this special sequence the router admin doesn't know about".
** Unless MikroTik have explicitly told them something we haven't been told, and then using the MNDP packets, they end up exploiting THAT. You can always disable MNDP and change all management ports to something non-default if you're too paranoid. At that point, NSA wouldn't know it's dealing with a MikroTik router.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
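
Added example (not part of any post in this thread, and not MikroTik code): a parser showing what an MNDP announcement, as mentioned in the footnote of the post above, gives away to anyone listening on the segment. The packet layout (4-byte header, then big-endian type/length/value records on UDP 5678) and the type numbers are assumptions taken from public protocol dissectors; the sample packet is constructed.

```python
import struct

MNDP_PORT = 5678  # UDP port MNDP announcements are broadcast to (assumed)

# TLV type numbers: assumed from public dissectors, not from MikroTik documentation.
TLV_NAMES = {1: "mac", 5: "identity", 7: "version", 8: "platform", 12: "board"}
# Fields that tell a listener which vendor and software release it is looking at.
FINGERPRINT_FIELDS = ("identity", "version", "platform", "board")


def parse_mndp(payload: bytes) -> dict:
    """Decode one MNDP UDP payload into {field: value}; ValueError if malformed."""
    if len(payload) < 4:
        raise ValueError("shorter than the 4-byte MNDP header")
    fields, off = {}, 4  # skip 2-byte header and 2-byte sequence number
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from(">HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("TLV length runs past the end of the packet")
        value, off = payload[off:off + length], off + length
        name = TLV_NAMES.get(tlv_type)
        if name == "mac":
            fields[name] = ":".join(f"{b:02x}" for b in value)
        elif name is not None:
            fields[name] = value.decode("utf-8", errors="replace")
    return fields


def disclosed(payload: bytes) -> list:
    """Return the fingerprinting fields an announcement gives away, sorted."""
    fields = parse_mndp(payload)
    return sorted(k for k in FINGERPRINT_FIELDS if k in fields)


def _tlv(tlv_type: int, value: bytes) -> bytes:
    """Build one type/length/value record for the constructed sample."""
    return struct.pack(">HH", tlv_type, len(value)) + value


# Constructed sample announcement; every value is made up for illustration.
SAMPLE = (b"\x00\x00\x00\x01"
          + _tlv(1, bytes.fromhex("020000000001"))
          + _tlv(5, b"edge-gw")
          + _tlv(7, b"X.Y (placeholder)")
          + _tlv(8, b"MikroTik")
          + _tlv(12, b"example-board"))

if __name__ == "__main__":
    print(parse_mndp(SAMPLE))
    print("discloses:", disclosed(SAMPLE))
```

On a live network the payload would come from a UDP socket bound to port 5678 or from a capture file; seeing no such packets after disabling MNDP on an interface confirms the setting took effect.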
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: NSA and routeros

Tue Sep 17, 2013 5:55 pm

In the coming days there is a MUM going to happen in the USA; you can ask this question there.
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: NSA and routeros

Tue Sep 17, 2013 6:03 pm

> In the coming days there is a MUM going to happen in the USA; you can ask this question there.
Gee... that sounds ominous :lol: .

Like "You can ask this question there... and then the undercover NSA agents in the room label you 'traitor' and put you away for life, or worse...".
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
raz
Member Candidate
Posts: 102
Joined: Wed Dec 19, 2012 3:26 pm
Location: Austria

Re: NSA and routeros

Tue Sep 17, 2013 10:46 pm

> In the coming days there is a MUM going to happen in the USA; you can ask this question there.
LOL. As an End User you can't Trust any Manufacturer of Network Stuff or something else; look at the HP Storage "Support" User.
And the next Fact is, if you're getting a Letter of a Secret Court, you're not allowed to talk about this. We live in a good Democracy! Hell Yeah, Thanks Obama. Not.
 
soretuor
just joined
Topic Author
Posts: 2
Joined: Fri Sep 13, 2013 9:09 pm

Re: NSA and routeros

Tue Sep 17, 2013 11:17 pm

I understand that if there is some backdoor, the official Mikrotik team will not reveal it to us:) I'm just kidding.
Also keep in mind that NSA has their people in many IT companies. So..

Ah by the way, "Forum Gurus" are so gurus =)
 
RogerWilco
Member
Posts: 344
Joined: Wed Feb 16, 2011 6:02 am
Location: Australia

Re: NSA and routeros

Wed Sep 18, 2013 7:46 am

At the end of the day, if you are not doing anything illegal you have nothing to worry about.
 
AlArenal
Member Candidate
Posts: 131
Joined: Thu Aug 01, 2013 5:24 pm
Location: Iserlohn, Germany

Re: NSA and routeros

Wed Sep 18, 2013 12:01 pm

> At the end of the day, if you are not doing anything illegal you have nothing to worry about.
Which intelligence agency are you working for? ;-)
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: NSA and routeros

Sat Sep 21, 2013 8:15 pm

> At the end of the day, if you are not doing anything illegal you have nothing to worry about.
Yes, you are right about that. Nothing bad ever happens to good people. By the way, if you lock the doors to your house and your car, you are obviously a criminal and have something to hide.
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: NSA and routeros

Sat Sep 21, 2013 8:42 pm

> > At the end of the day, if you are not doing anything illegal you have nothing to worry about.
> Yes, you are right about that. Nothing bad ever happens to good people. By the way, if you lock the doors to your house and your car, you are obviously a criminal and have something to hide.
+1.... Also, do you realize how many laws there are in the US... I'm certain you have broken one or two. Watch this video:

http://www.youtube.com/watch?v=6wXkI4t7nuc
 
Quiet1
just joined
Posts: 9
Joined: Fri Apr 08, 2011 2:57 am

Re: NSA and routeros

Wed Sep 21, 2016 1:00 am

I know this is an old thread but I just came across this while searching for security information.

https://www.youtube.com/watch?v=vbdyG0l ... .be&t=2209

So there does appear to be a backdoor in Mikrotik. Unfortunately no details were given other than a confirmation.
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: NSA and routeros

Wed Sep 21, 2016 1:14 am

> I know this is an old thread but I just came across this while searching for security information.
>
> https://www.youtube.com/watch?v=vbdyG0l ... .be&t=2209
>
> So there does appear to be a backdoor in Mikrotik. Unfortunately no details were given other than a confirmation.
It says: That guy used to work for an ISP, so he knew that there was a backdoor in their router. That could mean that he knew about a user account in the router from when he worked there. It doesn't make sense that he hacked his own ISP (where he used to work) though?

Am I misinterpreting it?
 
Quiet1
just joined
Posts: 9
Joined: Fri Apr 08, 2011 2:57 am

Re: NSA and routeros

Wed Sep 21, 2016 1:28 am

> > I know this is an old thread but I just came across this while searching for security information.
> >
> > https://www.youtube.com/watch?v=vbdyG0l ... .be&t=2209
> >
> > So there does appear to be a backdoor in Mikrotik. Unfortunately no details were given other than a confirmation.
> It says: That guy used to work for an ISP, so he knew that there was a backdoor in their router. That could mean that he knew about a user account in the router from when he worked there. It doesn't make sense that he hacked his own ISP (where he used to work) though?
>
> Am I misinterpreting it?
I wasn't sure by the speaker's statement whether "TheFixer" used to work for the ISP or for Mikrotik. It's kind of unclear.

Here is the transcript from the Def Con https://media.defcon.org/DEF%20CON%2022 ... efense.txt

Here is the relevant passage.
"So I don’t have much time for questions but I want time for questions. So, a little bit of story time. So VB is the first guy to do this took the site down for like 5 minutes. This was before we had anything in place. He actually did it from his IP that his user account was from so we were able to do positive attribution. So this guy hacker on the forum a reformed criminal but the fixer got the IP we posted on the forums and turned out that VB's ISP was mikrotik routers, that’s who the fixer used to work for, he knew there was a back door in the router so he got into the guy's ISP, turned on remote pcap and basically lols ensued."
 
IntrusDave
Forum Guru
Posts: 1290
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: NSA and routeros

Wed Sep 21, 2016 3:04 am

Backdoor? No. 0-day exploit? maybe...
Just like Cisco's 0-days that the NSA had, which are now being patched after the leak.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
haik01
Member
Posts: 406
Joined: Sat Mar 23, 2013 10:25 am
Location: Netherlands

Re: NSA and routeros

Wed Sep 21, 2016 11:22 am

In any case in Europe, EVERY ISP !!! needs to have a "backdoor" (in real life: physical fibre) to the security agencies (whatever country has which one)...

And this not only applies to ISPs, also to telecom providers (mobile, and fixed).

So why would they bother the Mikrotik router, if the "agency" already can type in the name / address of the person of interest, and monitor everything that goes there (Layer 7).....

I think this kind of arrangement exists also in the USA.
 
normis
MikroTik Support
Posts: 24325
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NSA and routeros

Wed Sep 21, 2016 11:32 am

> In any case in Europe, EVERY ISP !!! needs to have a "backdoor"
Really? :shock: Which European Union country are you from?
> Maybe not NSA but what about FSB
That's insulting. FSB is in Russia. MikroTik is from Latvia.
No answer to your question? How to write posts
 
docmarius
Forum Guru
Posts: 1220
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: NSA and routeros

Thu Sep 22, 2016 12:58 pm

> In any case in Europe, EVERY ISP !!! needs to have a "backdoor" (in real life: physical fibre) to the security agencies (whatever country has which one)...
This is obvious internet news paranoia.
There is a requirement for ISPs to keep IP, user and connection associations logs for some time, but it does not include content.
And it has to be made available to law enforcement if requested by court order, if there is a suspicion of criminal activity for that user.

Of course, actual tracking can be requested from the ISP by court order if a specific user is under investigation.
But it is not a "default setup". Can you imagine the resources and logistics behind such an approach?
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
haik01
Member
Posts: 406
Joined: Sat Mar 23, 2013 10:25 am
Location: Netherlands

Re: NSA and routeros

Thu Sep 22, 2016 3:05 pm

> > In any case in Europe, EVERY ISP !!! needs to have a "backdoor"
> Really? :shock: Which European Union country are you from?

Netherlands.

European regulation 2006/24/EG.

https://en.wikipedia.org/wiki/Data_Retention_Directive

Every country can deviate from it, but Netherlands made it even worse. Instead of 6 months, they made it 12 months or longer.

For example what the ISPs need to log:

Telephone:

Time of begin call
Time of end call
Dialed phone numbers
Name and address of the dialed person
Location of the user (if it is a mobile phone) up to mast location (Cell ID) at the beginning and during the call
IMEI of originating and terminating device
IMSI of the user

SMS and MMS to which person are sent + all data like for a fixed line (see above)
Type of used phone call (VoIP, POTS, analogue, ISDN etc...)


E-mail

same as above, except phone numbers, e-mail addresses are recorded.
IP address where the user is connecting from to the mail server

Internet session

Date / time and time zone of login and logoff
Originating IP if any
issued and used IP addresses during that session
Phone number if dialed in by modem
MAC address if a DSL or cable modem is used
Type of service you are using (chat, voip etc...)



This is Europe....

In the Netherlands the ISPs have to buy the equipment and maintain all this data. And pay themselves. In other countries the government pays for it.
 
normis
MikroTik Support
Posts: 24325
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NSA and routeros

Thu Sep 22, 2016 3:08 pm

Your own link says this directive was proposed, never implemented and is now considered invalid.
I have never heard of anyone storing such info in EU.
No answer to your question? How to write posts
 
haik01
Member
Posts: 406
Joined: Sat Mar 23, 2013 10:25 am
Location: Netherlands

Re: NSA and routeros

Thu Sep 22, 2016 3:10 pm

You are correct Normis. But before 2014 a lot of countries (most in Europe I think) had this implemented, even if it was an "advice".

In any case the Netherlands had this.

For that reason I am behind a VPN, since VPN providers are not considered ISP's, and the directive does not apply to them (so they do not need to log all this).

By the way, are you coming to the MuM in Amsterdam in November?
 
normis
MikroTik Support
Posts: 24325
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NSA and routeros

Thu Sep 22, 2016 3:15 pm

I think in reality, they do not have enough storage to keep all of this. It is unrealistic.
Yes, I will be in the Amsterdam MUM. Make sure to spread the word, we need more presenters from the community: http://mum.mikrotik.com/2016/NL/agenda
No answer to your question? How to write posts
 
LaRP
just joined
Posts: 24
Joined: Thu Mar 26, 2015 3:30 pm

Re: NSA and routeros

Thu Sep 22, 2016 3:52 pm

> > > In any case in Europe, EVERY ISP !!! needs to have a "backdoor"
> > Really? :shock: Which European Union country are you from?
>
> Netherlands.
>
> European regulation 2006/24/EG.
>
> https://en.wikipedia.org/wiki/Data_Retention_Directive
But is that a backdoor?

To me a backdoor is a way to access a router/system without the owner knowing about it.

I'm from Denmark and we followed the session logging directive too, but afaik it is now scrapped by the EU... also the Danish police found out that they couldn't read the data anyways and had only tried to use it about 2 times in all the years it was active.
 
haik01
Member
Posts: 406
Joined: Sat Mar 23, 2013 10:25 am
Location: Netherlands

Re: NSA and routeros

Thu Sep 22, 2016 3:57 pm

> I think in reality, they do not have enough storage to keep all of this. It is unrealistic.
The storage is not a problem. Since it is all text based information in a database it can be compacted to the maximum (I have seen Oracle databases of 450 Mb being reduced to 14 kB files....).

And what LaRP says: Yes, it is a backdoor. Not on Mikrotik or any router, but it is in essence a "door" which is not visible by the user.
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: NSA and routeros

Thu Sep 22, 2016 4:33 pm

> The storage is not a problem. Since it is all text based information in a database it can be compacted to the maximum (I have seen Oracle databases of 450 Mb being reduced to 14 kB files....).
>
> And what LaRP says: Yes, it is a backdoor. Not on Mikrotik or any router, but it is in essence a "door" which is not visible by the user.
Apparently you have no idea what a backdoor actually is. What they are collecting (or not) is called metadata. It is information about the communications, but does not contain the content of the communications. This is not a backdoor. A backdoor is a method of access that is coded into the system, whether intentional or unintentional, that provides unauthorized or undesirable access to the system. Backdoors typically provide full control of the target system. A backdoor would allow someone direct access to the RouterOS system, enabling them to sniff the traffic processed by the system (though if that traffic is encrypted, they still won't be able to read the data unless they have access to or reverse engineer the encryption keys).

My suggestion to you is that when you're using industry standard terminology, you accept the industry's definition of that term instead of making your own up. Metadata collection is not a backdoor, and there are no known backdoors in RouterOS. As to the original question from this OLD thread, RouterOS is not developed by anyone subject to US laws and regulations, so the NSA has no authority to request or require a backdoor.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
docmarius
Forum Guru
Posts: 1220
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: NSA and routeros

Fri Sep 23, 2016 6:24 pm

Just for completeness, I think the 'calea' package is the implementation of the tracking system for law enforcement agencies in the US, and is available in ROS.
But you have to install that package first in order to be active.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
