Lenovo engineers have discovered a backdoor in the firmware of RackSwitch and BladeCenter networking switches. The company released firmware updates earlier this week.
The Chinese company said it found the backdoor after an internal security audit of firmware for products added to its portfolio following the acquisitions of other companies.
Backdoor added in 2004
Lenovo says the backdoor affects only RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System).
The backdoor was added to ENOS in 2004 when ENOS was maintained by Nortel's Blade Server Switch Business Unit (BSSBU).
Lenovo claims Nortel appears to have authorized the addition of the backdoor "at the request of a BSSBU OEM customer." In a security advisory regarding this issue, Lenovo refers to the backdoor under the name of "HP backdoor."
The backdoor code appears to have remained in the firmware even after Nortel spun BSSBU off in 2006 as BLADE Network Technologies (BNT).
The backdoor also remained in the code even after IBM acquired BNT in 2010. Lenovo bought IBM's BNT portfolio in 2014.
Updates released for Lenovo and IBM switches
"The existence of mechanisms that bypass authentication or authorization are unacceptable to Lenovo and do not follow Lenovo product security or industry practices," Lenovo said. "Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products."
Updates are available both for newer switches carrying the Lenovo branding and for older IBM-branded switches still in circulation and running ENOS. A list of switches that received firmware updates, along with download links for the firmware, is available in a Lenovo security advisory.
Lenovo said the backdoor is not found in the CNOS (Cloud Network Operating System), so switches running this OS are safe.
Backdoor is hard to exploit
The so-called "HP backdoor" is not a hidden account, but an authentication bypass mechanism that occurs under very strict conditions.
RackSwitch and BladeCenter switches support various authentication methods, via SSH, Telnet, a web-based interface, and a serial console.
An attacker can exploit this backdoor and bypass authentication only when an affected switch has a specific combination of authentication mechanisms and security features enabled or disabled. Lenovo describes the configurations in which the backdoor becomes active in the aforementioned security advisory.
If customers using these switches can't update right away, there are mitigations they can apply to prevent the backdoor from activating.
This issue is tracked under the CVE-2017-3765 identifier.
In the wake of the Spanish conquest of the Aztec Empire in 1521, waves of epidemics slammed Mexico. By 1576, the population, which had been more than 20 million before the Spanish arrived, had crashed to two million. One brutal outbreak in 1545 was estimated to have killed between five and 15 million alone—or up to 80 percent of the population.
But, like the other epidemics, the disease behind the 1545 outbreak was a complete mystery—until now.
Genetic evidence pulled from the teeth of 10 victims suggests that the particularly nasty bacterium Salmonella enterica subsp. enterica serovar Paratyphi C contributed to the scourge of fever, bleeding, dysentery, and red rashes recorded at the time. The genetic data, published Monday in Nature Ecology and Evolution, offers the first molecular evidence to try to explain what’s “regarded as one of the most devastating epidemics in New World history,” the authors conclude.
Last week, we shared our 2018 roadmap preview and today, we’re excited to announce the first of many new updates for developers: new Droplet plans. We know that price-to-performance is an important consideration when choosing where to host your application, whether it be a small side project or a large business. That is why we’re upgrading resources across our plans and introducing new plans to give you even more flexibility to choose the right Droplet for your application.
We have updates to share across all three classes of Droplet plans: Standard, High CPU, and High Memory Droplets. These updates are available immediately through the Cloud Control Panel and API in the majority of our datacenters. Here are the full details of the updated plans:
Standard Droplet plans have always offered a healthy balance of CPU, memory, and SSD storage to get blogs, web applications, and databases off the ground. With today’s changes, we have 14 brand new Standard Plans to ensure that these applications can grow and scale as your projects grow.
These updated plans are listed below, with some before and after looks at how resources have changed at various monthly price points:
These updated Standard Droplets offer more resources for either the same or a lower price than our previous generation.
We’ve also introduced three flexible plans, all priced at $15 with varying sets of CPU and memory combinations to give you resource flexibility without worrying about price.
Finally, all original “first generation” Standard Droplet Plans are still available via the API. This will ensure any applications you host that are hard-coded for those plans aren’t negatively impacted. We intend to fully deprecate those plans on July 1, 2018 and will send more updates throughout the year.
High CPU Plans were released just six months ago and we’re excited to make our first upgrades to these plans which are great for CI/CD, batch processing, and other compute-intensive workloads. We’re also renaming High CPU Droplets “Optimized Droplets”. These Droplets are still powered by dedicated hyper-threads from best-in-class Broadwell and Skylake CPUs, but now come with additional memory and local SSD disk for the same price. In the future, we’ll be looking to boost performance not only for CPU but also for memory and disk performance. The updates are shown below:
Competitively, these plans line up well with similar offerings from other providers in the market. Below you can see that DigitalOcean’s Optimized Droplets are priced competitively from a price-to-performance perspective:
High Memory Plans are being deprecated as a result of the upgrades made to Standard Plans, which come with ample amounts of RAM and SSD storage at competitive price points. The API will support High Memory Droplets created until July 1, 2018, but we recommend transitioning over to the new Standard Droplet Plans before then. (If you have an active High Memory Droplet, it will simply continue to be charged at the same rate for the duration that it remains active.)
Coming Soon: Per-Second Billing
We’re working hard at making continuous improvements to our billing system in order to align with changes in customer Droplet usage behavior. We’re happy to share that starting later this year, Droplets will be billed by the second instead of by the hour. This means that you’ll only be charged for exactly the amount of time you use your instance to the second. We understand it is important for customers scaling instances up and down regularly to have the best rate available and we’re happy to get this update shipped for you. Keep an eye out for a future announcement specifically on billing improvements.
We understand that price-to-performance ratios are of utmost consideration when you’re choosing a hosting provider and we’re committed to being a price-to-performance leader in the market. As we continue to find ways to optimize our infrastructure we plan on passing those benefits on to you, our customers.
Technical solutions for authentication are orthogonal to political abuse of power structures
Before the release of the iPhone X there were some assessments of the security value of FaceID against authoritarian governments, as well as how secure it would actually be (pretty secure, it turns out). It seems appropriate to address the flawed understanding of security threats prompted by the FaceID authentication mechanism when it was announced. Particularly frustrating was the deep confusion around how coercion works at different levels, and why the sinister threat of “authoritarian regimes” is a poor threat model to apply to authentication mechanism security. It is popular to ask “how will this technology enable abuse by authoritarian regimes,” but the people asking that question, the technologies they choose to fret about, and the fantasy logic they use when constructing threat models, need the cold water of reality.
You can’t solve social problems with technology
Your threat model is wrong…no…more wrong.
Very few people face nation state adversaries (sorry Western privacy activists, you’re not on anyone’s radar.) Most of those who do, explicitly signed up for it (foreign service departments, intelligence services, terrorist groups, transnational criminal groups), although some just fell into it (dissidents). The former group, well, they have the resources and expertise to play the game. The latter group typically do not. They lack security training, security experience (although they gain it the hard way), and have essentially no access to security assistance. They typically use available platforms for organising, coordinating, and messaging (read: Facebook, Facebook, other social media platforms like Twitter, and mobile phones...with Facebook.)
There are very important reasons why dissident groups use Facebook (other than Metcalfe’s Law):
Exposure – Dissident groups must be visible and public, otherwise not only are they failing to reach their target audience but they run the risk of being labeled terrorists (so most covert communications technology is a terrible fit for them — they need billboards and broadsheets, not digital dead drops and chalk signs.) Of course, everyone deserves (and needs) the privacy of secure ephemeral communications.
Expansion – Dissident groups that aren’t growing are dying. Organisations have to persist, and there is natural attrition (even if they aren’t being hunted by death squads, like the Raqqa is Being Slaughtered Silently group.) People lose interest, work gets in the way, priorities change, etc. To simply persist and stay the same size, organisations have to constantly recruit new members (at least as many as leave.) For dissident groups that hope to effect change, they need to recruit more new members than leave.
This combination of exposure and expansion means that typically dissidents must accept the risk that the regime’s secret police will penetrate their ranks (there are 110 year old secret police manuals on this). Being a dissident means accepting the risk and trying to grow the movement to a point where it is large enough that it can force change (thus eliminating said risk.)
Dissidents — their strength is numbers and their safety is visibility.
Dissident tech is Facebook and YouTube, their crypto is TLS
Technology that empowers dissidents, and dissident groups, is almost always just going to be Facebook (and Twitter, and WhatsApp, or whatever the dominant messenger is for their region [see: Metcalfe’s Law]). Security for dissidents comes from being in the public eye, protecting them against secret reprisals.
When the secret police move against dissident groups, the individuals are going to face coercion that is state level. They will vanish while traveling alone. They will kill themselves while in police custody “in order to embarrass the police.” They will throw themselves off tall buildings “rather than face arrest” — no autopsy possible, their bodies cremated within 24hrs as they always wanted. They will commit suicide by shooting themselves twice in the back of the head, just to be sure. If they survive secret police reprisals long enough, they will go to jail for decades…
The usual goal for a dissident who is captured is to remain silent for 24–48hrs, long enough to enable their comrades to escape. If there is some law governing their detention it may be “endure torture for 7 days, or jail for 30 years.”
At no point in time will dissidents think “if only my mobile phone was protected by an authentication mechanism that could not be tricked by physically forcing me to cooperate against my will.” In many cases, the coercion will be like a parent telling a child to go to their room. The weaker party will simply cooperate.
The strong do what they can, the weak do what they must.
Security technology is not without purpose or use
There is certainly a place for the role of technology to help protect dissidents, such as better protection of their Facebook accounts, some uses of Tor, and better mobile phone protections that protect the data from seizure and the accounts from takeover. But the capability of security technology to aid dissidents has to cope with the fact that some dissidents will cooperate with security forces, and some will be agents of security forces. The authentication mechanism of mobile phones is, quite literally, the least important area of a dissident’s digital life that needs to be secured.
One of the dumbest takes about iPhone FaceID is that it would enable human rights abuses by authoritarian regimes. This ridiculous opinion demonstrates a profound lack of understanding about authoritarian regimes. It’s a sort of fantasy idea rooted in the belief that political problems have technological solutions — then misapplied to the wrong part of the technology stack.
The risks that dissidents face in authoritarian countries are not going to be solved with a mobile phone authentication mechanism. The ability to coerce someone to unlock a device is a very generic capability, the specifics of the lock aren’t relevant. For example, when you arrive at the US border and the officer says “unlock your phone” — you either comply or you don’t. The specifics of whether your phone is locked with a 32 character passphrase, FaceID, or a four digit PIN is completely irrelevant. ¹
 Yes there are legal issues about biometrics vs PIN/passwords that are relevant in the US some of the time, but they are never relevant for authoritarian regimes.
Coercion is about power structures.
Technology can play an important role in safeguarding dissidents. However, the places where technology can provide relief do not include the authentication mechanism on a mobile phone. The confusion here may be because of inherent vulnerabilities with biometrics, the ability of corrupt officials to exploit those vulnerabilities, and the conflation of “corrupt officials” with “authoritarian regime.”
Biometrics identify, not authenticate, users
Biometrics authenticate the identity of a user, which is not the same thing as authenticating the user. They’re problematic in that way — they’re more suited to verifying identity than access. A fingerprint is a better username than password. ²
Some scenarios involving a corrupt official, an iPhone, and discreet physical coercion are easy to imagine. For example, during an arrest a finger could be forced onto a home button and, miracle!, “the suspect was seized with the device in an unlocked state.” That same approach by corrupt security forces might be used with FaceID, because that’s a fundamental limitation of biometric authentication. The power of a corrupt official to unlock a device is partially reliant on secrecy and force. The tradeoff is against ease of use (thus higher adoption of any authentication security at all), and security for lost or stolen devices. In almost every case this is the correct tradeoff to make.
 The value of a fingerprint as a password is that it mitigates shoulder surfing of the PIN, a critical part of a robbery. Threat model, geez!
Coercive corrupt cops and state level coercion
This problem of biometrics being abused by corrupt security forces is not the same problem as authoritarian governments using coercion. In the first case — corrupt security forces bypassing authentication — the threat can be completely mitigated by simply disabling the biometric authentication mechanism. In the second case — authoritarian regimes — the method of authentication is not relevant.
Authoritarian regimes compel the user to provide access to the unlocked phone. They’re not physically, forcefully, manipulating the user into a position where they unwillingly biometrically identify (and thus authenticate) themselves to the device. Real coercion is not “hurt them until they comply” but being able to command obedience.
Coercion is applied to people, not technology.
Authentication is not the place where coercion can be mitigated — locking the Facebook account of an arrested dissident is more important than a “duress finger” option for a phone. Allowing organisations to securely compartment access to data, and remotely wipe a seized device, is more important than the limitations of FaceID.