A scheme that gives U.S. law enforcement authorities with a warrant access to networking equipment could also be exploited by illegal snoopers.
Tom Cross, manager of X-Force research, a security unit at IBM, discovered this after reviewing details of a lawful intercept scheme used to access equipment made by the networking giant Cisco. Cross says he identified weaknesses in the communication protocol that could let hackers perform illegal wiretaps. Cross focused on Cisco because it’s the only company to have made the details of its system public, but he believes similar vulnerabilities exist with other intercept schemes.
“It’s not just the router vendor and the [Internet service provider] who have an interest in how this interface is built,” Cross said during a presentation at Black Hat DC, a computer-security conference held in Washington, DC. “We all do.”
Many networking and Internet companies have built backdoors into their systems to deal with a growing number of Internet wiretap requests. These backdoors provide members of law enforcement who have a warrant with immediate access to communications. But there is growing concern that these avenues could inadvertently make it easier for hackers to steal information. The espionage that prompted Google to consider pulling out of China last month drew attention to the existence of these wiretap backdoors after a prominent security expert suggested that such a system may have been used to infiltrate Google’s network.
The Cisco wiretap system uses a simple protocol, details of which have been published by the European Telecommunications Standards Institute. A law enforcement agency submits a request to a representative of an Internet service provider. This representative then sends a request to the device used to perform the surveillance, which is known as the intercept access point. For certain Cisco routers, the wiretap request is sent as a single packet of information, using a networking service called the Simple Network Management Protocol (SNMP). Cross identified a collection of problems with this setup.
First, he says, it’s too easy to bypass the authentication built into the system. The SNMP protocol provides a lot of information when access is denied, which can help an attacker guess the correct username and password for accessing the system. Worse yet, he says, a vulnerability disclosed in 2008 would allow an attacker to gain access to one such system with only 256 attempts (a trivial number for an automated system). Though patches have been issued for this flaw, service providers often do not keep routers patched because of the difficulty of taking them offline, Cross says.
Furthermore, while it would be possible to block repeated attempts at unauthorized access, and alert an administrator, the system that Cross analyzed isn’t designed to do so. And finally, although Cisco recommends that encryption be used, the system doesn’t require it. Without encryption, Cross says, it’s impossible for a lawful intercept system to function safely.
Cross suggests that simple changes to the SNMP protocol could make it much more secure. He also calls for companies to implement the system in a more secure way–by separating lawful intercept requests from regular network management traffic, encrypting data, and enforcing stricter controls over where requests come from and where intercepted data is sent.
Jennifer Greeson Dunn, communications director for Cisco, says the company published its lawful intercept infrastructure in 2004 so that it could receive this type of peer review. She also says that Cisco has already addressed many of the software and hardware vulnerabilities that Cross has found. She adds that Cisco has been talking with Cross, and plans to review his recommendations for changes to the architecture and infrastructure employed.
Although some experts say the entire concept of a permanent interface for intercepting communications undermines security, Cross believes that a system such as Cisco’s can help ensure that intercepts are performed lawfully, providing it is properly protected against unauthorized access.
Steven Bellovin, a professor of computer science at Columbia University who researches network security, says that if lawful intercept systems must exist, he would like to see them offer better protections. “It’s engineering a vulnerability into your network, and the question is how well you can protect it,” he says.