It is disturbingly easy to attack the backbone of the Internet to block access to a major online service like YouTube, or to intercept online communications at vast scale.
So say security researchers trying to rouse their industry into doing something about long-standing weaknesses in the protocol that works out how to route data across the different networks making up the Internet. Almost all the infrastructure running that protocol does not even use a basic security technology that would make it much harder to block or intercept data.
“The technology is available—the problem is we’re not using it,” said Wim Remes, manager of strategic services at security company Rapid7, in a talk at the Black Hat security conference in Las Vegas Wednesday. “There is limited probability of these attacks but the impact once they happen is huge.”
The weakness lies in the border gateway protocol, or BGP. Large routers operated by Internet service providers and major corporations use BGP to figure out how to get data between different places. Each of these major routers turns to others like itself—ones operated by other companies—for the information it needs to most efficiently dispatch data to its destination. Companies operating the routers manually choose which other routers theirs will trust.
Unfortunately, BGP doesn’t have security mechanisms built in that allow routers to verify the information they are receiving or the identity of the routers providing it. Very bad things can happen when routers spread incorrect information about how to route data, intentionally or otherwise.
That problem has been known for decades. It was the basis of the hacking group L0pht’s 1998 claim before Congress that they could take down the Internet in 30 minutes. But incidents that have illuminated BGP’s flaws have prodded some security companies to take it more seriously.
In 2013, the security company Renesys observed several instances in which U.S. Web traffic was inexplicably diverted via Belarus and Iceland, in what may have been a “man in the middle” attack designed to covertly intercept data. In June this year, a Malaysian ISP misconfigured its routers and caused traffic from around the world to converge on its network, leading to hours of outages or sluggish performance for services including Snapchat, Skype, and Google. Artyom Gavrichenkov, a researcher with the security company Qrator, showed at Black Hat how BGP could be manipulated to obtain a security certificate in the name of a particular website without permission, making it possible to impersonate it and decrypt secured traffic.
Remes of Rapid7 says that companies running BGP infrastructure aren’t taking the risks of such problems seriously enough. A technology called RPKI can be used to give routers a way to verify that information they receive from others is valid. But only 16 of the world’s most heavily accessed sites have implemented it, and Facebook is the only site in the top 10 to have done so, he said.
Andree Toonk, manager of network engineering at OpenDNS, a security company recently acquired by Cisco Systems, says even wide adoption of RPKI would only go some way to addressing the hazards of BGP because it’s possible to work around it. “It solves 90 percent of the problem, but it is not foolproof,” he said.
In his own talk at Black Hat on Thursday, Toonk planned to describe a system of probes he set up around the world to track the activity of BGP routers. OpenDNS is to launch a kind of public alert system that will broadcast worrying changes in data routes via Twitter.
This new data poisoning tool lets artists fight back against generative AI
The tool, called Nightshade, messes up training data in ways that could cause serious damage to image-generating AI models.
Rogue superintelligence and merging with machines: Inside the mind of OpenAI’s chief scientist
An exclusive conversation with Ilya Sutskever on his fears for the future of AI and why they’ve made him change the focus of his life’s work.
The Biggest Questions: What is death?
New neuroscience is challenging our understanding of the dying process—bringing opportunities for the living.
Data analytics reveal real business value
Sophisticated analytics tools mine insights from data, optimizing operational processes across the enterprise.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.