Is BT ‘embedding secret spy equipment’ in routers?

UK telecoms giant BT is accused of giving GCHQ and the NSA access to customer data through its routers, which are used in millions of homes and businesses across the UK. BT claims it is just a conspiracy theory. Computer Weekly looks at both sides.

An anonymous group of engineers has accused BT of giving customer data to US and UK intelligence agencies without consent.

Calling themselves The Adversaries, the collective has published a document on leaks site Cryptome, claiming to explain the technical details of how the data is being taken and routed through government servers by the UK telecoms giant.

“The methods we disclose are a violation of security and trust,” it read. “Good information security dictates that when we discover such back doors and activity, we analyse, understand, publicise and fix/patch such security holes. Doing otherwise is morally wrong.

“What is revealed here is the missing piece to the global surveillance puzzle.”

Every router in a home or office is assigned an IP address, enabling data to travel to and from a local area network. The router's firewall stands between that network and the internet, allowing safe data through, blocking anything the system deems sinister, and keeping your own data safe from infiltrators.

Secondary IP addresses connect to US DoD

But The Adversaries claimed a second IP address sits on BT routers, separate from the firewall and undetectable by the user, enabling the internet service provider (ISP) to view all information and take it out of the local area network (LAN) without the user’s knowledge.

BT admitted to having this secondary IP address, but told Computer Weekly it was so it could make software updates without the need for an engineer to visit.

“This is extremely common in the industry and it is well known,” the spokesman said. “It is also the case that many other devices, such as gaming consoles and smart TVs, have such addresses.”

The group agreed that despite its investigation focusing on BT equipment within the UK, these secondary addresses were likely to exist in other locations and with other ISPs. However, it claimed this particular set of second addresses – all from the block – were registered to the US Department of Defence (DoD), leading to its accusation of BT routing its data through the NSA.

“When the DSL connection is established, a covert DHCP request is sent to a secret military network owned by the US government DoD,” the document read. “You are then part of that US DoD military network, even before you have been assigned your public IP address from your actual ISP.

“This clearly demonstrates that the UK government, US government, US Military and BT are co-operating together to secretly wiretap all internet users in their own homes (with few exceptions),” it claimed. “The modems are provided by BT and locked down. If you cannot confirm otherwise, you must assume that all ISPs in the UK by policy have the same techniques deployed.”

When it came to this accusation, BT’s spokesman said: “It is not our policy to comment on conspiracy theories.”

GCHQ – the UK government’s intelligence agency – had the same response of “no comment”.

Conspiracy or IP address practicality?

The debate is now raging as to whether it is a conspiracy, as pointed to by The Adversaries, or something more innocent.

Robert Graham, owner of Errata Security and cyber security expert, said the theories were possible, but believed it was more likely to be down to a lack of IPv4 addresses than government spying.

“The reason all these address spaces are DoD is because that's really the only source of unused IPv4 addresses left,” he wrote on his blog. “All IPv4 address ranges have been assigned. But, the DoD has been assigned 20% of the IPv4 address space, but most of it is used within the DoD, on their own private networks, and is not routable to the outside world.

“Thus, if you are looking for a large chunk of "private" addresses that won't suddenly one day be assigned to Akamai or Amazon (and thus, explode in your face), then DoD addresses are the way to go.”

He added: “This [use of addresses] has caused a fevered round of speculation that this is actually a secret backdoor for the NSA/GCHQ, so that they can secretly monitor and control people's home networks.

“Maybe, but it's probably not the case. The better explanation is that BT simply chose this address space because it's non-routable. While it's assigned public address, it's only used inside the private DoD military network. Try tracerouting to that address space, you'll see that your packets go nowhere.”

But The Adversaries remain adamant that they are correct and that they are continuing the work of Edward Snowden in revealing this to the public.

“When the government, telecommunications companies and internet service providers implant secret spying equipment in your home without your knowledge or consent under the guise of something else, then use that equipment to infect your computers and spy on your private network activity (not the internet), we believe you have a right to know,” they wrote.
