
The Seemingly Unfixable Crack in the Internet’s Backbone

Attacking the Internet’s core infrastructure to intercept Web traffic at mass scale is easier than it should be.

A 2003 cybersecurity policy statement from the White House said improving the security of BGP was in the nation’s “vital interest.”

It is disturbingly easy to attack the backbone of the Internet to block access to a major online service like YouTube, or to intercept online communications at vast scale.

So say security researchers trying to rouse their industry into doing something about long-standing weaknesses in the protocol that works out how to route data across the different networks making up the Internet. Almost all the infrastructure running that protocol does not even use a basic security technology that would make it much harder to block or intercept data.

“The technology is available—the problem is we’re not using it,” said Wim Remes, manager of strategic services at security company Rapid7, in a talk at the Black Hat security conference in Las Vegas Wednesday. “There is limited probability of these attacks but the impact once they happen is huge.”

The weakness lies in the border gateway protocol, or BGP. Large routers operated by Internet service providers and major corporations use BGP to exchange the routes they know about, so that each can work out which neighbouring network to hand data to on the way to its destination. Each of these major routers takes that routing information from others like itself, ones operated by other companies, and the companies operating the routers manually choose which other routers theirs will trust.

Unfortunately, BGP doesn’t have security mechanisms built in that allow routers to verify the information they are receiving or the identity of the routers providing it. Very bad things can happen when routers spread incorrect information about how to route data, intentionally or otherwise.

That problem has been known for decades. It was the basis of the hacking group L0pht’s 1998 claim before Congress that they could take down the Internet in 30 minutes. But incidents that have illuminated BGP’s flaws have prodded some security companies to take it more seriously.

In 2013, the security company Renesys observed several instances in which U.S. Web traffic was inexplicably diverted via Belarus and Iceland, in what may have been a “man in the middle” attack designed to covertly intercept data. In June this year, a Malaysian ISP misconfigured its routers and caused traffic from around the world to converge on its network, leading to hours of outages or sluggish performance for services including Snapchat, Skype, and Google. Artyom Gavrichenkov, a researcher with the security company Qrator, showed at Black Hat how BGP could be manipulated to obtain a security certificate in the name of a particular website without permission, making it possible to impersonate it and decrypt secured traffic.

Remes of Rapid7 says that companies running BGP infrastructure aren’t taking the risks of such problems seriously enough. A technology called RPKI can be used to give routers a way to verify that information they receive from others is valid. But only 16 of the world’s most heavily accessed sites have implemented it, and Facebook is the only site in the top 10 to have done so, he said.

Andree Toonk, manager of network engineering at OpenDNS, a security company recently acquired by Cisco Systems, says even wide adoption of RPKI would only go some way to addressing the hazards of BGP because it’s possible to work around it. “It solves 90 percent of the problem, but it is not foolproof,” he said.
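The check that RPKI adds, and one well-known reason it is not foolproof, as an added example; this is not code from the article or from any of the companies quoted in it. With RPKI a prefix holder publishes a Route Origin Authorization (ROA) saying which AS may originate the prefix and how specific the announcement may be; a router then performs Route Origin Validation (RFC 6811) on each route it hears. The ROAs, prefixes and AS numbers below are constructed from the RFC 5737 and RFC 5398 documentation ranges, not real routing data.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set.

All prefixes and AS numbers here are constructed examples drawn from the
RFC 5737 documentation prefixes and RFC 5398 documentation ASNs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """'asn may originate prefix, and any sub-prefix no longer than max_length'."""
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Announcement:
    """A BGP route as a receiving router sees it. as_path runs from the
    neighbour that sent it (leftmost) to the origin AS (rightmost)."""
    prefix: str
    as_path: Tuple[int, ...]

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def covering_roas(prefix: str, roas: Iterable[ROA]) -> List[ROA]:
    """ROAs whose prefix equals or contains 'prefix' (same address family).
    max_length is not checked here; that happens in validate_origin."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version:
            continue
        if net.prefixlen >= roa_net.prefixlen and net.network_address in roa_net:
            covering.append(roa)
    return covering


def validate_origin(ann: Announcement, roas: Iterable[ROA]) -> str:
    """RFC 6811 state: 'valid', 'invalid' or 'not-found'.

    - no covering ROA -> not-found (still the common case on the Internet)
    - a covering ROA with the announced origin AS and max_length >= the
      announced prefix length -> valid
    - covering ROAs exist but none matches -> invalid
    """
    net = ipaddress.ip_network(ann.prefix, strict=False)
    covering = covering_roas(ann.prefix, roas)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == ann.origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def accept_route(ann: Announcement, roas: Iterable[ROA]) -> bool:
    """Usual operator policy: drop invalid, accept valid and not-found.
    Dropping not-found would black-hole every prefix without a ROA yet."""
    return validate_origin(ann, roas) != "invalid"


# Constructed ROA set: AS 64500 holds 203.0.113.0/24 and may announce it
# only as a /24 (max_length 24). Nothing is registered for 198.51.100.0/24.
ROAS = [ROA("203.0.113.0/24", 24, 64500)]

# Constructed announcements, as a router might hear them from its peers.
CASES = {
    # the legitimate /24, heard one hop away
    "legit": Announcement("203.0.113.0/24", (64496, 64500)),
    # AS 64497 originates the whole prefix itself: wrong origin
    "origin_hijack": Announcement("203.0.113.0/24", (64497,)),
    # AS 64497 originates a /25: the more specific route would win in the
    # forwarding table, but the ROA's max_length rejects it
    "subprefix_hijack": Announcement("203.0.113.0/25", (64497,)),
    # even the real holder exceeding its own max_length is invalid
    "holder_too_specific": Announcement("203.0.113.0/25", (64500,)),
    # a prefix with no ROA at all: nothing to check against
    "no_roa": Announcement("198.51.100.0/24", (64499,)),
    # AS 64497 forges a path that *ends* in the legitimate origin: origin
    # validation alone cannot tell this from a genuine route
    "forged_path": Announcement("203.0.113.0/24", (64497, 64500)),
}


def validate_all(cases=CASES, roas=ROAS) -> dict:
    """Validation state of every constructed case, keyed by case name."""
    return {name: validate_origin(ann, roas) for name, ann in cases.items()}


if __name__ == "__main__":
    for name, state in validate_all().items():
        print(f"{name:20s} {state:10s} accept={accept_route(CASES[name], ROAS)}")
```

The last case is the limitation worth remembering: Route Origin Validation looks only at the rightmost AS in the path, so an attacker who appends the legitimate origin to a route it originates passes the check, and only neighbours that would not normally hear that prefix from the attacker have any chance of noticing. Checking the whole path is a separate mechanism (BGPsec), which is why RPKI deployment alone leaves part of the problem open.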

In his own talk at Black Hat on Thursday, Toonk planned to describe a system of probes he set up around the world to track the activity of BGP routers. OpenDNS is to launch a kind of public alert system that will broadcast worrying changes in data routes via Twitter.
