BT 'offering backdoor access to NSA and GCHQ'

News by Doug Drinkwater

BT Group has been accused of shipping hardware with backdoors for secret government surveillance.

BT Group has been accused of shipping hardware with backdoors for secret government surveillance, something the telecoms provider vehemently denies.

In a paper titled The Internet Dark Age, a group of anonymous security researchers claim that the company sells home and office hardware products with backdoor access for the GCHQ and NSA to potentially mine for data.

"BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the UK," the paper reads.

Specifically, the paper purports to detail how both government agencies employ a potential Computer Network Exploitation (CNE) program to infiltrate residential and Small Office and Home Office (SOHO) networks, as well as enterprises. 

The researchers, who wished to remain anonymous but who say they are prepared to appear in a court of law to present their findings, say that they came to their findings after forensically analysising private SOHO networks in the UK. They stressed that this experiment was conducted “legally, and on private property using privately owned equipment.”

They tested the BT Open Reach modems Huawei EchoLife HG612 and ECI B-FOCuS VDSL2 and pointed out that BT developed the firmware, leaving no blame attached to Chinese vendor Huawei.

According to the paper, a secondary hidden virtual local area network and IP address is secretly assigned to each BT modem, which enables the 'attacker' – such as the NSA or GCHQ – to access the modem and the systems on their LAN from the Internet.

The second modem, which isn't visible on the device's web interface, will work even when it is believed to be offline and can reportedly connect direct to the NSA and GCHQ's data capture network.

In addition, the researchers modified firmware can be used to duplicate results.

"This spy network is hidden from the LAN/switch using firewall rules and traffic is hidden using VLANs in the case of BT et al, it uses VLAN 301, but other vendor's modems may well use different VLANs," the paper explains.

In response to these allegations, a BT spokesperson told that BT was “surprised” at the “unfounded claims” and issued a strongly worded statement:

“BT routers have a second IP address so we can make software updates without the need for an engineer visit,” read the statement.

“This is extremely common in the industry and it is well known. It is also the case that many other devices such as gaming consoles and smart TVs have such addresses. As for the anonymous report, it is not our policy to comment on conspiracy theories.”

Cyber security expert Robert David Graham, CEO of Errata Security, was also critical of the report and, while suggesting that this data would be “enormously valuable to the GCHQ/NSA”, said that there was no evidence.

“ISP-provided modems usually come with a second IP address for management. It's how things usually work,” he said to “[It is] extremely normal, and for that hidden IP address to be assigned to the United States DoD.”

In other news, Bruce Schneier confirmed his exit from the telecoms giant BT. ‘Security futurologist' Schneier has been a fierce critic of the National Security Agency surveillance and even recently detailed how the agency typically infiltrates systems.

"The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on," he wrote, adding, "This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews