HEADWATER: NSA Exploit of the Day

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog:

HEADWATER

(TS//SI//REL) HEADWATER is a Persistent Backdoor (PDB) software implant for selected Huawei routers. The implant will enable covert functions to be remotely executed within the router via an Internet connection.

(TS//SI//REL) HEADWATER PBD implant will be transferred remotely over the Internet to the selected target router by Remote Operations Center (ROC) personnel. After the transfer process is complete, the PBD will be installed in the router's boot ROM via an upgrade command. The PBD will then be activated after a system reboot. Once activated, the ROC operators will be able to use DNT's HAMMERMILL Insertion Tool (HIT) to control the PBD as it captures and examines all IP packets passing through the host router.

(TS//SI//REL) HEADWATER is the cover term for the PBD for Huawei Technologies routers. PBD has been adopted for use in the joint NSA/CIA effort to exploit Huawei network equipment. (The cover name for this joint project is TURBOPANDA.)

STATUS: (U//FOUO) On the shelf ready for deployment.

Page, with graphics, is here. General information about TAO and the catalog is here.

This one is interesting. It basically turns the router into an eavesdropping platform.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.