Chinese Web Hijack Poses Huge Security Risk

When a large amount of global Internet traffic was briefly rerouted through a small Chinese ISP back in April, there was likely little impact on the US government addresses that were affected.

However, the fact that a Chinese ISP could do this should be a significant warning that simple trust isn’t adequate for the security of the Internet. The fact that a Chinese ISP could do such a redirection, even briefly, using the fundamentally insecure Border Gateway Protocol tells us that anyone else can do the same thing.

This event took place because the Chinese ISP provided routing alternatives that told the Internet routers that sending traffic through the ISP was the most efficient route. Some routers accepted the suggested routes, and sent the traffic through this one network. This affected about 15 percent of the world’s Internet sites, including some belonging to the US military and other parts of the US government.

The traffic that was redirected in the US appears to have been email and web traffic. In addition to affecting some government traffic, the redirection also affected some large companies including IBM, Dell and Microsoft. The disruption lasted about 18 minutes back at the beginning of April. The US Congress, having only lately realised that this happened, is demanding an explanation.

Mostly Chinese traffic

So here’s an explanation. Traffic to about 15 percent of web sites was affected. This is not the same thing as 15 percent of all Internet traffic. In fact, the most affected websites were those in Asia, most notably in China. Very little traffic from sites outside China and its immediate neighbors actually went to China before being sent along to its ultimate destination. It’s not clear how much traffic from the US was affected, but it was clearly not much of it.

What’s also not clear is what happened to that Internet traffic while it was transiting that ISP’s network in China. It may have simply been routed across the network and back to its destination. It’s possible that the Chinese government siphoned off some of the traffic for further examination. It’s even possible that they read some of the emails intended for members of Congress.

Assuming the theoretical Chinese monitors survived the experience of reading congressional email, most of the rest was, at least in theory, unclassified in nature. The government doesn’t send classified data across the open Internet for precisely this reason.

But that doesn’t mean the information can’t be used for bad things. First, if you go through a great deal of any communications, including unclassified email, it’s still possible to determine at least the outline of what the traffic means.

So while the details of a classified operation wouldn’t be found, there might be enough references to it that something meaningful could be discerned. To accomplish this, you have to go through a LOT of data. The US used to do this kind of monitoring on the old Soviet Union’s communications by tapping its undersea cables, and recording everything. In the process, the spooks involved were eventually able to decrypt the traffic, but in the mean time they could figure out the broad outlines.

The data itself is not the point

The problem here is that there was only 18 minutes of data, most of which was for places like joy.cn, not for army.mil. So even if some information was captured, it was unlikely that it was enough to be useful.

However, the Chinese did learn something that may be extremely useful. They learned that they could, in fact, redirect a significant portion of the world’s traffic through their servers. However, they also found out that network managers noticed.

So the question is, was this really a sort of proof-of-concept? Was the Chinese government really probing the Internet to see what it could do and how quickly it would be found out? If so, they learned that they can, indeed reroute some of the Internet. They also found out that they would be noticed.

But think about what could be accomplished even with 18 minutes of redirecting the right kind of traffic. You could create targeted Internet outages, for example. You could probably read commercial traffic, which has been a significant target for the Chinese government for a while. You could also disable communications for some agencies for long enough to be a diversion for some other activity.

Furthermore, the Chinese aren’t the only people who now realise that this is possible. Use your imagination and you’ll think of any number of groups for whom disrupting even a portion of international communications would be considered a victory.

This event has also done one other thing that we should thank the Chinese for. It has forcefully illustrated just how susceptible the Internet is to tampering. The problem is, unlike other critical protocols, there is no move to make BGP secure. Basically, if someone decides they want to do something like redirect Internet traffic, they’ll get what they want. There’s no protection. Maybe it’s time that the IETF or some other group started paying attention to this problem.