
The Seemingly Unfixable Crack in the Internet’s Backbone

Attacking the Internet’s core infrastructure to intercept Web traffic at mass scale is easier than it should be.

A 2003 cybersecurity policy statement from the White House said improving the security of BGP was in the nation’s “vital interest.”

It is disturbingly easy to attack the backbone of the Internet to block access to a major online service like YouTube, or to intercept online communications at vast scale.

So say security researchers trying to rouse their industry into doing something about long-standing weaknesses in the protocol that works out how to route data across the different networks making up the Internet. Almost all the infrastructure running that protocol does not even use a basic security technology that would make it much harder to block or intercept data.

“The technology is available—the problem is we’re not using it,” said Wim Remes, manager of strategic services at security company Rapid7, in a talk at the Black Hat security conference in Las Vegas Wednesday. “There is limited probability of these attacks but the impact once they happen is huge.”

The weakness lies in the border gateway protocol, or BGP. Large routers operated by Internet service providers and major corporations use BGP to figure out how to get data between different places. Each of these major routers turns to others like itself—ones operated by other companies—for the information it needs to most efficiently dispatch data to its destination. Companies operating the routers manually choose which other routers theirs will trust.

Unfortunately, BGP doesn’t have security mechanisms built in that allow routers to verify the information they are receiving or the identity of the routers providing it. Very bad things can happen when routers spread incorrect information about how to route data, intentionally or otherwise.

That problem has been known for decades. It was the basis of the hacking group L0pht’s 1998 claim before Congress that they could take down the Internet in 30 minutes. But incidents that have illuminated BGP’s flaws have prodded some security companies to take it more seriously.

In 2013, the security company Renesys observed several instances in which U.S. Web traffic was inexplicably diverted via Belarus and Iceland, in what may have been a “man in the middle” attack designed to covertly intercept data. In June this year, a Malaysian ISP misconfigured its routers and caused traffic from around the world to converge on its network, leading to hours of outages or sluggish performance for services including Snapchat, Skype, and Google. Artyom Gavrichenkov, a researcher with the security company Qrator, showed at Black Hat how BGP could be manipulated to obtain a security certificate in the name of a particular website without permission, making it possible to impersonate it and decrypt secured traffic.

Remes of Rapid7 says that companies running BGP infrastructure aren’t taking the risks of such problems seriously enough. A technology called RPKI can be used to give routers a way to verify that information they receive from others is valid. But only 16 of the world’s most heavily accessed sites have implemented it, and Facebook is the only site in the top 10 to have done so, he said.

Andree Toonk, manager of network engineering at OpenDNS, a security company recently acquired by Cisco Systems, says even wide adoption of RPKI would only go some way to addressing the hazards of BGP because it’s possible to work around it. “It solves 90 percent of the problem, but it is not foolproof,” he said.

In his own talk at Black Hat on Thursday, Toonk planned to describe a system of probes he set up around the world to track the activity of BGP routers. OpenDNS is to launch a kind of public alert system that will broadcast worrying changes in data routes via Twitter.
