A fundamental mechanism that secures the internet has been broken
Resource Public Key Infrastructure, or RPKI as it is better known, is a security framework designed to stop cybercriminals or rogue states from diverting internet traffic.
The National Research Center for Applied Cybersecurity ATHENE says it has found a way to bypass this security mechanism easily, and to do so in a way that the affected network operators cannot detect.
The ATHENE team, led by Prof. Dr. Haya Shulman, explains its findings:
Misdirecting bits of internet traffic causes a stir, as happened in March this year when Twitter traffic was partially diverted to Russia. Entire companies or countries can be cut off from the internet or internet traffic can be intercepted or overheard. From a technical point of view, such attacks are usually based on prefix hijacks. They exploit a fundamental design problem of the internet: The determination of which IP address belongs to which network is not secured. To prevent any network on the internet from claiming IP address blocks they do not legitimately own, the IETF, the organization responsible for the internet, standardized the Resource Public Key Infrastructure, RPKI. RPKI uses digitally signed certificates to confirm that a specific IP address block actually belongs to the specified network. In the meantime, according to measurements by the ATHENE team, almost 40 percent of all IP address blocks have an RPKI certificate, and about 27 percent of all networks verify these certificates.
The team discovered that RPKI has a design flaw: "If a network cannot find a certificate for an IP address block, it assumes that none exists. To allow traffic to flow on the internet anyway, this network will simply ignore RPKI for such IP address blocks, i.e., routing decisions will be based purely on unsecured information, as before."
The ATHENE team was able to show that an attacker can deliberately bring about this situation, disabling the mechanism without the affected network noticing.
This attack, named "Stalloris", requires the bad actor to control an RPKI publication point, but the team notes this is not a problem for state attackers or organized cybercriminals.
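As an added illustration (this is not code from ATHENE or from the Stalloris paper), the Python below models the decision the article describes: Route Origin Validation as specified in RFC 6811, which sorts a BGP announcement into "valid", "invalid" or "not-found" by looking it up against the validator's cache of ROAs (the "certificates" the article refers to are Route Origin Authorizations in RPKI terms). The scenario, the prefixes, the AS numbers and the `missing_roas` operator check are all constructed for this example. It shows why an attacker who can make a publication point's data disappear from the relying party's cache does not need to forge anything: the same hijack that is "invalid" while the victim's ROA is present becomes "not-found", and "not-found" routes are accepted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Set


# Constructed ROA record: a ROA authorizes `asn` to originate any prefix
# inside `prefix` whose length is at most `max_length`.
@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    asn: int


def rov_state(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Route Origin Validation (RFC 6811) outcome for one BGP announcement.

    Returns "valid", "invalid" or "not-found". "not-found" is the state the
    article describes: no ROA covers the prefix, so the router treats the
    route exactly as it would without RPKI.
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        # Compare address families first; subnet_of() rejects mixed versions.
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def accept_route(state: str) -> bool:
    """Commonly deployed policy: reject only "invalid". "not-found" is accepted
    because most address space still has no ROA (the article puts ROA coverage
    at roughly 40 percent of address blocks)."""
    return state != "invalid"


def missing_roas(expected: Set[ROA], validated_cache: Set[ROA]) -> Set[ROA]:
    """Operator-side check suggested here (not from the paper): compare the
    ROAs you know you published against what your own relying-party software
    currently holds. A whole publication point's worth of ROAs vanishing at
    once indicates the validator has stopped refreshing that repository."""
    return expected - validated_cache


def hijack_before_and_after():
    """Constructed scenario: the victim's ROA lives in one publication point.
    The attacker's aim is to make it disappear from the relying party's
    validated cache, not to forge a ROA of their own."""
    victim_roas = {ROA("192.0.2.0/24", 24, 64496)}        # constructed (TEST-NET-1, private ASN)
    unrelated_roas = {ROA("198.51.100.0/24", 24, 64497)}  # constructed (TEST-NET-2, private ASN)
    healthy_cache = victim_roas | unrelated_roas

    # Attacker AS 64666 (constructed) originates the victim's prefix.
    before = rov_state("192.0.2.0/24", 64666, healthy_cache)

    # Once the relying party can no longer refresh the publication point that
    # carries the victim's ROA, the cache simply lacks it.
    degraded_cache = unrelated_roas
    after = rov_state("192.0.2.0/24", 64666, degraded_cache)
    return before, after


if __name__ == "__main__":
    before, after = hijack_before_and_after()
    print(f"hijack with victim ROA present: {before}, accepted={accept_route(before)}")
    print(f"hijack with victim ROA missing: {after}, accepted={accept_route(after)}")
```

The practical lesson is that the route itself looks identical in both cases; only the validator's cache differs, and nothing in the BGP session reveals that the cache is incomplete. That is why a check like `missing_roas`, run from the operator's side against a known list of published ROAs, is the kind of monitoring that would surface the condition the article says operators otherwise cannot see.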
The researchers say that all popular relying-party software, the products networks use to fetch and validate RPKI data, was vulnerable in this way at the beginning of 2021.
Upon discovering the flaw, the team immediately informed the manufacturers and has now published its findings at both USENIX Security 2022 and Black Hat USA 2022.
The work was a collaboration between researchers at the ATHENE partner institutions Goethe University Frankfurt am Main, Fraunhofer SIT and Technical University of Darmstadt.
More details can be found on the APNIC blog.
Image credit: obs/Fraunhofer-Institut für Sichere Informationstechnologie SIT.