
posted by Fnord666 on Thursday August 22 2019, @11:03AM   Printer-friendly
from the wrapping-on-the-cell-walls dept.

Submitted via IRC for SoyCow2718

Router Network Isolation Broken By Covert Data Exfiltration

Software-based network isolation provided by routers is not as efficient as believed, as hackers can smuggle data between the networks for exfiltration.

Most modern routers offer the possibility to split the network into multiple segments that work separately. One example is a guest network that works in parallel with the host.

The boundary insulates sensitive or critical systems from others that enjoy less strict security policies. This practice is common and even a recommended security measure. It is a logical separation that occurs at software level, though, and it is not airtight.

Researchers at the Ben-Gurion University of the Negev discovered multiple methods to carry data across two segregated network segments on the same hardware.

They achieved this through direct or timing-based covert channels and tested the findings on seven routers in various price ranges from multiple vendors. The methods do not allow exfiltration of large amounts of data but show that it is possible to break the logical barrier.

Clandestine direct communication is possible by encoding the data in packets that several protocols erroneously forward to both isolated networks. This method does not work on all tested routers and where it is valid, the transfer is not bidirectional in all cases.

Timing-based covert channels rely on shared hardware resources (CPU time, network and memory buffers) to send the information. This is done by influencing the use of those resources and reading the effect to interpret the bits of data.

"To exploit these [timing-based] channels, we need to construct sender and receiver gadgets which cause an increased demand on the router’s control plane or sample this demand, respectively."

[...] The flaws discovered by the researchers, though, received the following identification numbers and are tracked as:

  • CVE-2019-13263
  • CVE-2019-13264
  • CVE-2019-13265
  • CVE-2019-13266
  • CVE-2019-13267
  • CVE-2019-13268
  • CVE-2019-13269
  • CVE-2019-13270
  • CVE-2019-13271
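The following is an added simulation, not code from the article or from the researchers, of the timing-based channel described above: it models a shared control plane whose latency rises under load and measures the bit error rate a receiver sees when the router adds random delay. The latency figures, the function names and the jitter mitigation itself are constructed assumptions chosen for illustration.

```python
import random

# Constructed model parameters (milliseconds), not measurements from any router.
BASE_MS = 2.0    # control-plane latency when idle
LOAD_MS = 3.0    # extra latency while the shared resource is under load
NOISE_MS = 0.5   # natural measurement noise (standard deviation)


def simulate_channel(bits, jitter_ms, samples_per_bit, rng):
    """Return the bits a receiver decodes from latency samples.

    A 1 bit is modelled as 'resource loaded', a 0 bit as 'resource idle'.
    jitter_ms is the width of a uniform random delay added by the router
    as a hypothetical mitigation.
    """
    # Midpoint between the expected idle and loaded latencies.
    threshold = BASE_MS + LOAD_MS / 2 + jitter_ms / 2
    decoded = []
    for bit in bits:
        total = 0.0
        for _ in range(samples_per_bit):
            latency = BASE_MS + (LOAD_MS if bit else 0.0)
            latency += rng.gauss(0.0, NOISE_MS)
            latency += rng.uniform(0.0, jitter_ms)
            total += latency
        decoded.append(1 if total / samples_per_bit > threshold else 0)
    return decoded


def bit_error_rate(jitter_ms, samples_per_bit=5, n_bits=1000, seed=1):
    """Fraction of bits decoded wrongly for a given jitter and sampling rate."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    decoded = simulate_channel(bits, jitter_ms, samples_per_bit, rng)
    return sum(a != b for a, b in zip(bits, decoded)) / n_bits


if __name__ == "__main__":
    for jitter, samples in [(0.0, 5), (40.0, 5), (40.0, 400)]:
        ber = bit_error_rate(jitter, samples)
        print(f"jitter={jitter:5.1f} ms  samples/bit={samples:3d}  BER={ber:.3f}")
```

In this model, jitter pushes the error rate toward chance at a fixed sampling rate, and the channel becomes reliable again only when each bit is spread over many more samples, which lowers throughput rather than closing the channel.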

  • (Score: 0) by Anonymous Coward on Thursday August 22 2019, @11:13AM (1 child)

    by Anonymous Coward on Thursday August 22 2019, @11:13AM (#883561)

    i'm teaching the kids to only use pen and paper.
    and cutout newspapers for private stuff.
    although I guess by the time they grow up the three letter agencies will have fired all their handwriting recognition experts.

  • (Score: 0) by Anonymous Coward on Thursday August 22 2019, @12:11PM (3 children)

    by Anonymous Coward on Thursday August 22 2019, @12:11PM (#883573)

    Bad idea gone horrible.

    • (Score: 2) by Farkus888 on Thursday August 22 2019, @01:50PM (2 children)

      by Farkus888 (5159) on Thursday August 22 2019, @01:50PM (#883608)

      Never even gonna make a dent in SDN adoption. Just look at the holes in IOT. They are much worse and harder to solve and society as a whole hasn't even flinched. Also to be clear SDN benefits also come from centralized provisioning. You can centrally provision an air gapped single network.

      • (Score: 0) by Anonymous Coward on Thursday August 22 2019, @03:49PM (1 child)

        by Anonymous Coward on Thursday August 22 2019, @03:49PM (#883683)

        it's a bit funny that you mention "centrally provisioned air-gapped [...] network" ... via SDN.
        the "provision" part is mostly ALSO accessed via network. if smart, then the device providing SDN is on its own MGMT network.
        now with green pills (VM escape xor client VM cross-talk) and now this "gadget" stuff ... well something new to look out for?
        one could argue, because of above, that devices that provide SDN can never ever create a real air-gapped network 'cause the SDN device itself is accessed via network (even if a separate MGMT network) and only dumb, physical and manually configured network elements (plug or unplug a real connector and using hardwired switching chips (which can also have a flaw or be cosmic ray bombarded)) can create an air-gapped network segment?

        however, i can see SDN and "A.I." merging along the way. how cool is it that a virtual cable or port transferring the data that is its own command to rewire?

        • (Score: 2) by Farkus888 on Thursday August 22 2019, @05:48PM

          by Farkus888 (5159) on Thursday August 22 2019, @05:48PM (#883734)

          The only issue is whose product. Must be cloud controller then that is a problem. If you can house the controller on the network then it doesn't matter. If the network is isolated and you control every device they had to have physical access and this attack simply doesn't matter then. They are already on both networks.

  • (Score: 0) by Anonymous Coward on Thursday August 22 2019, @03:38PM

    by Anonymous Coward on Thursday August 22 2019, @03:38PM (#883675)

    I believe these people have been on a roll publishing similar, not very groundbreaking, research before.

  • (Score: 0) by Anonymous Coward on Thursday August 22 2019, @03:41PM

    by Anonymous Coward on Thursday August 22 2019, @03:41PM (#883678)

    So, plane entertainment systems share switches with critical control systems... but isolated ... but now ... wait ... so, what could possibly go wrong here??

  • (Score: 2, Insightful) by Anonymous Coward on Thursday August 22 2019, @07:32PM

    by Anonymous Coward on Thursday August 22 2019, @07:32PM (#883767)

    Claude Shannon showed in the 1940s that statistically-error-free communication is possible over any medium, regardless of how much interference there is on the channel.

    There is essentially no way to prevent "covert data exfiltration" outright -- we are talking about an application on the "secure" side intentionally transmitting information to a cooperating receiver on the "insecure" side. If an application on the secure network can cause _any_ externally visible effect whatsoever (which will be impossible to prevent), then communication is possible -- the only question is "what is the achievable data rate?"

    Fixing these sorts of issues may make communication harder/slower but never impossible. As always in security, everything is a tradeoff, balancing how valuable the material being protected is compared to the effort put into protecting it.
