CyberWire Daily - Leaky guest networks and covert channels. [Research Saturday]
Episode Date: September 21, 2019
Many users of inexpensive internet routers use guest network functionality to help secure their home networks. Researchers at Ben Gurion University have discovered methods for defeating these security measures. Dr. Yossi Oren joins us to share their findings. The original research is here: https://www.usenix.org/system/files/woot19-paper_ovadia.pdf
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
We were actually drawn to this research by the fact that there are many people,
many organizations will isolate their network into two parts using what's called the guest network on the routers.
That's Dr. Yossi Oren from Ben-Gurion University.
The research we're discussing today is titled Cross-Router Covert Channels.
So this research was performed by my graduate student, Adar Ovadia.
She was helped by Rom Ogan and Yaakov Malach.
And these routers actually don't have two guest networks.
They only have one network, and all the separation is done by software.
And we were curious to see whether this separation is actually effective.
We were very, very worried that it's only part-based isolated.
And we actually discovered that, indeed, this software isolation doesn't work in practice.
Well, let's go through it together. I think many of us are familiar with how this works, but I think particularly when folks have home routers, they will set it up to have a guest network. What's going on in the router when you go through that setup?
If you set up your router to have a guest network, it means that some of the computers which connect to this router can't see the other computers. They can go to the internet, but they can't actually connect to other computers on your network. So even if they try to look for them or to scan for them, they won't be able to see them. So if you have a device you really don't trust, maybe you bought a really cheap camera or a monitor or a sprinkler or something like that, and you really need it to connect to the cloud, but you don't want it to be hacking into your own network, you would put this device on your guest network. And what happens is that every time this router gets a network packet from this guest network, it won't send it over to the host network, which is where all your sensitive stuff is hiding. It will only send it to the Internet. This is at least how it's supposed to work.
And one of the things, the sort of foundational things that you're looking
into here is this notion of covert channels. Can you describe to us what is that about?
So a covert channel is a way for two parties, let's call them the sender and the receiver,
to talk to each other when they're not actually supposed to be talking to each other.
I think the most famous example we have is when you have students who are trying to chat with
each other and they're not allowed to use chat software, so they use a game, let's say Words with Friends, or they're both playing
this game, but they're not actually playing this game, they're sending messages through
the chat function of this game.
Or they're editing a draft document together and they're never actually sending it.
So this is an example where the school administrator is trying to stop you from sending data to each other.
But you can also imagine that the router
is trying to protect the guest network
and the host network from communicating.
So the router is going to look at all the traffic
which is going across,
and it's not going to let it across
if it's between the host and the guest networks.
So a covert channel is a way of getting around this.
And covert channels have been around
ever since the ancient Greek times.
There was, according to military history,
in ancient Greek times,
this general wanted to send a message
and he wanted to send the message
in a way where nobody can detect
he was sending the message.
So what this general did,
he shaved the head off one of his slaves,
tattooed the message on the slave's head,
and then sent the slave, waiting until the hair grew back,
and sent the slave with the message.
And nobody actually thought of, you know,
if you would capture the slave and search him, you wouldn't find any message.
But once the slave got to his destination,
the guy who got the slave shaved the head off the slave, and he could read the message. So I'm not shaving the head off any message in the network, but this is a way of hiding a message I want to send, and nobody will actually know I'm sending the message. So the router won't be able to block it.
So within these routers, what opportunities for covert channels exist?
So there are two ways of sending data across a router without the router detecting it.
One way is just looking for bugs in the router.
So the router is supposed to block all the traffic between the host and the guest network.
What happens if the code of the router has a bug in it and this packet is not blocked?
So we went over the big list of protocols that routers support, and we found three or four of these bugs in a lot of routers.
We actually found nine what's called CVEs, vulnerabilities, where the router is supposed to be blocking traffic and it's not.
So these are bugs.
Another thing we can do is something which is a bit sneakier, and this is just taking advantage of the fact that these routers have really, really slow CPUs. They're of course very cheap devices; their CPUs aren't so fast. So if we overload these CPUs from the guest network, the router is going to be responding to traffic slower, and we can check from the guest network if the traffic is getting slower. If it's getting slower, it means we're actually trying to write something. We're trying to send a message. And if it's fast, it means we're not trying to send the message. So I just gave you a very basic way of sending one bit across. And from this, you can build a way of sending entire messages. The thing about these, what we call timing-based covert channels, is that they're not bugs. It's very, very difficult to fix these timing-based covert channels without completely redesigning the hardware and the software of the router.
Now, the first type of channel that you described, you say it was taking advantage of bugs.
Were these bugs in the protocols themselves?
Is that...
So, in other words, it's not specific to any particular brand of router?
Would it be available to you regardless of what brand you were attempting it on?
So some of these bugs were common between several routers.
Some of them were not to be found in any router.
We checked on a very expensive router,
and these so-called direct covert channels were not there.
But we found one of these in most of the routers we investigated.
So overall, your ability to do this is widespread across many different brands.
We didn't find a single router which doesn't have at least one kind of covert channel.
This goes from the cheapest router to the newest and biggest and most expensive router we checked.
Now, so your abilities here to cross over from the guest network to the main network,
how does that give you access to devices on the other network that you're trying to infiltrate?
Okay, so I need everybody to calm down.
We're not going to be able to hack into the network using this cross-router covert channel. What we will be able to do is communicate from one side of the network to the other.
If I have two cooperating devices,
let's say, for example,
I have
malware running on
the guest network and I want to send a command
to this malware,
or I've spied
on somebody from the host network and I want to leak it
out through the guest network, then these two devices can cooperate and send data to
each other using this covert channel.
So the two examples we gave in the paper are, one, I have this hidden what's called a logic
bomb or a Trojan horse inside my network.
And the attacker just, let's say I bought a really cheap device and the cheap device
has some hidden functionality.
And now the attacker wants to trigger this functionality.
The attacker wants to turn it on.
So the attacker can do this using a covert channel.
And the other use case we discussed in our paper is that I have an implant
which is spying on me. And now this implant found something really interesting. Maybe we took a
picture of me doing something sneaky or it got a health measurement, which is going to be used
against me. And now this implant wants to what's called exfiltrate this data. It wants to get it
outside. And let's say this network is being monitored, so this can't be done directly, but if this implant is using this top-side
covert channel, then it can exfiltrate this data without getting caught.
I see. So it's a matter of having a method of communication between the two
channels, but it's not as if the two channels were open to each other for
direct digital sending of data back
and forth, the way we conventionally think about it.
Yes.
So I would need to have a foothold in at least one of the networks before I can do my sneaky
stuff.
But we've shown that there is an attack, and you can read the paper, it's called the CSRF ARP attack, which allows you to do it with only a foothold on one of the networks, and the other network only needs a web browser to be open.
How much would this sort of thing affect people in the enterprise space? Is this primarily hitting folks who have home routers, or should enterprise folks be worried about it as well?
There are two kinds of enterprise which should be concerned. The first of them is small business offices, you know, doctors, lawyers, dentists, people who have their practices and they have really small networks and they have, you know, clients coming in. If it's clients coming into a lawyer or people waiting in the waiting room of a dentist or a small doctor, these people use guest networks extensively as part of their business, and on the host network they have really critical data for their work. This situation would be very risky for these kinds of businesses.
And another enterprise situation which is very risky is a hospital actually.
So hospitals use a lot of medical devices which are kind of IoT devices. You have connected heartbeat sensors and ECG systems and all sorts of infusions, and all of these devices are impossible to patch because they're medical devices; you can't just go and connect your medical device to the internet and update it. So there is what's called the medical device isolation architecture, which the Veterans Administration published, which says all of these medical devices are considered to be very, very prone to viruses and so on, so we're going to isolate them from the network. So when this isolation is done using what's called logical isolation, using a guest network and a host network, then what we've shown is that these devices can still have access to the sensitive network they're trying to be isolated from.
And what are your recommendations in terms of mitigation for people to protect themselves?
My suggestion is a bit trivial. Routers are very, very cheap. I think in the US the cost of cable for one month is about the cost of a router. So I suggest, if you really value this isolation, if you have very, very critical information on your host network, you should just spend $50 and buy another router and have this router for your guests or for your clients and so on.
So physical isolation is the way to get around this problem.
And for the average home user who's doing this,
is this something of genuine concern?
Or I guess how much of this is theoretical?
How much do you expect folks could actually take advantage of this?
So the attack is very practical, in that we demonstrated it on all the routers we investigated.
When you're trying to decide, do you want to spend extra money on protecting your network? You should make the rational decision just as when you decide whether to lock your door at night. What have I got to lose? If what you've got to lose is, you know, the high scores on your Xbox, maybe you don't want to do it. If what you've got to lose is all the backups of your dental practice, maybe you should spend a little extra to protect yourself.
Our thanks to Dr. Yossi Oren
from Ben-Gurion University
for joining us.
The research is titled
Cross-Router Covert Channels.
We'll have a link in the show notes.
And I'm Dave Bittner.
Thanks for listening.