Security-Assessment Uncovers DSL Vulnerabilities
Security-Assessment.com, the world-leading IT security research and development company, has discovered a vulnerability that has the potential to impact millions of DSL internet users worldwide. 20 November 2009, Research conducted by New Zealand-based computer security company, Security-Assesment.com (SA), in the field of core DSL/ADSL technology has revealed a new class of attack against the most commonly used internet provider technology – DSL. Carl Purvis, SA Senior Security Consultant, has discovered it is possible to perform a “man in the middle” attack against any DSL/ADSL customer as long as physical access to the line can be obtained.
A “man in the middle” attack is a scenario where communications between two parties is monitored and then falsifies the exchanges to impersonate one of the parties. In this case, says Purvis, the malicious user monitors and in many cases may modify incoming and outgoing traffic. While there has been widespread publicity about similar attacks being made by computer hackers using incorrectly secured wireless access points. DSL infrastructure has, up until this point, been considered safe and has not been thought to be vulnerable to attack.
“The ability to monitor a DSL line is now accessible at a relatively low cost,” says Purvis, “This is an important discovery in relation to maintaining computer security across the internet and between interoffice networks”. The biggest surprise is just how simple – and inexpensive - it is to simulate the attack. The attack mimics a user’s ISP, forcing the user’s personal DSL modem to pass all traffic through an inspection tool running on a portable server platform. This is all possible using “off the shelf” equipment that can be assembled for around $1000, less than the cost of an average laptop computer.
One form of this attack would see a malicious user park outside a victim’s house or office building and physically attach their own network infrastructure to the DSL line and have the ability to access highly valuable information. Although there is very little in the way of published reports about these vulnerabilities Purvis believes it is highly likely they have already been exploited elsewhere in the world. The scale of the vulnerability is enormous, says Purvis, with DSL being the dominant broadband internet technology used by New Zealand businesses and consumers.
The latest Commerce Commission figures show 1,100,000 DSL connections in New Zealand as at 31 Oct 2009. Worldwide broadband subscriptions will exceed 536 million by 2011 with DSL representing over half the market. Purvis believes this vulnerability should be of particular concern to the thousands of New Zealand companies that communicate daily data via corporate networks that utilise DSL as an access mechanism. These companies include banks, government departments and retailers as well as many of the country’s largest organisations.
“Many of these corporate networks may be unencrypted and therefore susceptible to this attack.” In Purvis’ opinion the risk of businesses becoming victims of corporate espionage is very real. “A malicious attacker could, for example, connect to a branch office of a large company, gain access to its customer database and use the information within that database to contact the customers with competing product offerings.” Purvis says that at this stage there are no effective security controls which can be implemented en masse to reduce the risk from this attack.
He says that New Zealand companies typically harden the outer shell of their networks – business to business or internet communications for example – but don’t tend to harden their inter-office networks. “This is where the DSL attack can be used to gain access to the company’s network and data and is a security gap that needs to be addressed.”
“I’d recommend businesses and individuals focus on the basics; assess the sensitivity of what they are using DSL for and use encryption over the DSL link wherever possible.” Security-Assessment.com is one of the world’s only “pure play” security companies, specialising in research and development. It provides independent security advisory, assessment and assurance services to help organisations establish and maintain a secure environment. Doug Browne, SA General Manager, firmly believes that SA’s research will help organisations improve their overall information security stance.
“Security-Assessment.com adheres to a strict policy of responsible disclosure. In line with this policy, we have taken time to share this piece of research with the relevant organisations.” he says.