A scheme that gives U.S. law enforcement authorities with a warrant access to networking equipment could also be exploited by illegal snoopers.
Tom Cross, manager of X-Force research, a security unit at IBM, discovered this after reviewing details of a lawful intercept scheme used to access equipment made by the networking giant Cisco. Cross says he identified weaknesses in the communication protocol that could let hackers perform illegal wiretaps. Cross focused on Cisco because it’s the only company to have made the details of its system public, but he believes similar vulnerabilities exist with other intercept schemes.
“It’s not just the router vendor and the [Internet service provider] who have an interest in how this interface is built,” Cross said during a presentation at Black Hat DC, a computer-security conference held in Washington, DC. “We all do.”
Many networking and Internet companies have built backdoors into their systems to deal with a growing number of Internet wiretap requests. These backdoors provide members of law enforcement who have a warrant with immediate access to communications. But there is growing concern that these avenues could inadvertently make it easier for hackers to steal information. The espionage that prompted Google to consider pulling out of China last month drew attention to the existence of these wiretap backdoors after a prominent security expert suggested that such a system may have been used to infiltrate Google’s network.
The Cisco wiretap system uses a simple protocol, details of which have been published by the European Telecommunications Standards Institute. A law enforcement agency submits a request to a representative of an Internet service provider. This representative then sends a request to the device used to perform the surveillance, which is known as the intercept access point. For certain Cisco routers, the wiretap request is sent as a single packet of information, using a networking service called the Simple Network Management Protocol (SNMP). Cross identified a collection of problems with this setup.
First, he says, it’s too easy to bypass the authentication built into the system. The SNMP protocol provides a lot of information when access is denied, which can help an attacker guess the correct username and password for accessing the system. Worse yet, he says, a vulnerability disclosed in 2008 would allow an attacker to gain access to one such system with only 256 attempts (a trivial number for an automated system). Though patches have been issued for this flaw, service providers often do not keep routers patched because of the difficulty of taking them offline, Cross says.
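The brute-force weakness described above suggests an obvious monitoring control on the provider side. The following is an added example, not code from the article, from Cisco, or from Cross's presentation: it assumes a constructed syslog-style format for SNMP authentication failures (not Cisco's real message syntax) and flags any source whose failures against an intercept access point pile up within a short window, far below the 256 attempts the article cites.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption, not Cisco's real syntax):
# "<ISO timestamp> <host> snmp: auth failure from <src ip> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) snmp: "
    r"auth failure from (?P<src>\d+\.\d+\.\d+\.\d+) user=(?P<user>\S+)$"
)

# Alert long before the 256 attempts the article cites could be completed.
DEFAULT_THRESHOLD = 20
DEFAULT_WINDOW = timedelta(minutes=5)


def detect_snmp_bruteforce(lines, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Return {source_ip: time_of_first_alert} for sources whose SNMP auth
    failures against the intercept access point reach `threshold` in `window`."""
    recent = defaultdict(deque)  # src ip -> timestamps of failures inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and m["src"] not in alerts:
            alerts[m["src"]] = ts
    return alerts


def constructed_sample():
    """Constructed sample log: one source hammering the IAP, one single typo."""
    base = datetime(2010, 2, 3, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} iap1 snmp: "
             f"auth failure from 198.51.100.7 user=li-admin" for i in range(25)]
    lines.append(f"{base.isoformat()} iap1 snmp: auth failure from 192.0.2.5 user=ops")
    return lines


if __name__ == "__main__":
    for src, when in detect_snmp_bruteforce(constructed_sample()).items():
        print(f"ALERT {src}: {DEFAULT_THRESHOLD} SNMP auth failures by {when.isoformat()}")
```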