China Telecom Denies Internet ‘Hijack’ Intent

China Telecom, the Chinese wireless service provider at the centre of the recent Internet hijacking charges, has called the accusations against it “groundless,” but that has done little to squash a controversy that could have reaching implications.

In a report to Congress (PDF), the US-China Economic and Security Review Commission said China Telecom routed 15 percent of the Internet’s traffic through servers in China during a roughly 18-minute period on 8 April. The commission stopped short of saying this had been done deliberately, but noted that “the capability could enable severe malicious activities.”

“For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed US and other foreign Internet traffic to travel through Chinese servers,” according to the report. “Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China. This incident affected traffic to and from US government (‘‘.gov’’) and military (‘‘.mil’’) sites, including those for the Senate, the army, the navy…and many others.”

China Telecom denies reports

In a statement to China’s state-run Xinhua News Agency however, Wang Yongzhen, a senior press official with China Telecom, said the company “has never done such an act.”

“These reports by foreign media are completely groundless,” Wang is quoted as saying.

“Although the Commission has no way to determine what, if anything, Chinese telecommunications firms did to the hijacked data, incidents of this nature could have a number of serious implications,” the commission report states. “This level of access could enable surveillance of specific users or sites. It could disrupt a data transaction and prevent a user from establishing a connection with a site. It could even allow a diversion of data to somewhere that the user did not intend (for example, to a ‘spoofed’ site.

“Perhaps most disconcertingly, as a result of the diffusion of Internet security certification authorities, control over diverted data could possibly allow a telecommunications firm to compromise the integrity of supposedly secure encrypted sessions.”

Gartner analyst John Pescatore told eWEEK that well-known vulnerabilities in the Border Gateway Protocol (BGP) allow this kind of incident to happen and that there have been initiatives for years to improve this.

“It is like DNS – DNS has huge holes that allow DNS hijacking, and it has taken more than 15 years to get to the point where we are almost implementing DNSSEC … Now, most BGP problems and redirects have been by ISP mistakes and largely resulted in random denial of service attacks. But the basic structure of BGP allows this be done maliciously as well,” he said.

Breaking global practices?

“If it is proven that the Chinese ISP (Internet Service Provider) did this purposely, then it is definitely against global Internet norms – it is more than just a breach of US-China cyber-relations, it is China breaking global practices on the global Internet,” he said.

Forrester Research analyst Jonathan Penn said he would not characterise the incident as a “hijacking of the Internet,” but added the situation highlights traffic routing as an element of cyber-security that’s been overlooked.

“Whether it was intentional or not, the concern over the integrity and availability of the Internet is now heightened, and the event has added to the national and global concerns about cyber-security,” Penn said. “I also think this will add fuel to the fire for the “Internet kill switch” proposals being bandied about in Congress, the thinking being that we need the ability to respond to a prolonged and intentional redirection, even if that means shutting down traffic.”

In a blog post, McAfee Vice President of Threat Research Dmitri Alperovitch wrote that while users may have experienced a slower than normal Internet connection, it’s likely they did not notice the event because the websites they were going to could still be reached. The incident was the one of the “biggest routing hijacks we have ever seen,” he wrote, and could happen again since a number of major telecommunications companies routing a lot of Internet traffic have the same capability.

“The incident took advantage of the vulnerabilities in the design of Internet’s fundamental building blocks, namely its routing protocols – vulnerabilities that were present in April and remain present today,” Alperovitch blogged. “Not only can this problem happen again, but it probably will. We have no way of knowing whether this event was done with malicious intent in mind or was an accidental failure as China Telecom operators have suggested, but it’s clear that with this capability demonstrated publicly, sooner or later someone will use it for nefarious purposes.”