The Internet’s Vulnerable Backbone

How cybercriminals hijacked the Web’s architecture to mine bitcoins.

What to do when the vulnerability is built into the Internet?

Photo illustration by James Emmerman. Images courtesy of Shutterstock.

Some Internet security problems can be fixed. Vulnerabilities like Heartbleed, for instance, may have massive reach and widespread impact, but they ultimately come down to a clear flaw that we can mend by rewriting code. It’s a long, slow, painful process—but we know what needs to be done.

That’s not always the case. A report presented last week by researchers at Dell SecureWorks on malicious redirection of Internet traffic in order to mine cryptocurrency raises the question of what we do about the security problems that arise not from Internet weaknesses but instead from Internet strengths—or rather, from the fundamental design of the Internet.

In their report, the researchers detail how, beginning in early February, someone managed to redirect the online activity of several bitcoin mining groups and steal the bitcoins that they mined during those periods, amounting to at least $83,000 worth of stolen cryptocurrency over the course of four months. That’s a pretty trivial sum in the grand scheme of cybercrime. What makes this incident important is not how much was stolen, but rather how it was stolen. The heist demonstrates how old ways of exploiting the Internet’s architecture continue to be recycled and reused for new purposes as the Internet itself takes on new functions.

The theft discovered by SecureWorks relies on BGP hijacking—a technique we’ve known about for more than 15 years and still haven’t stopped, not because we don’t know it’s a problem, not because we haven’t seen it used for malicious purposes, but because it is essential to the operation of the Internet.

When we go online we take for granted that we’ll be able to reach content and communicate with people regardless of the Internet service provider they use. My home Internet connection comes via Comcast, but I can use that connection to email friends with Verizon or Time Warner, or any other service provider. Eventually, that email will have to make its way from my provider, where it originated, to the recipient’s. This is what the Border Gateway Protocol, or BGP, is for—to help autonomous networks like Comcast and Verizon connect and direct traffic between each other.

Using BGP routers, service providers announce which IP addresses they can easily deliver traffic to, so that other providers know which traffic to send them. If multiple providers advertise that they can deliver traffic to the same IP address, then whichever one serves a smaller set of addresses will receive traffic intended for that address. So networks are constantly updating and broadcasting these announcements to one another via BGP routers, letting their peers know which addresses they can deliver traffic to, and allowing the rest of us to ignore the question of which service providers everyone else is using.

Without BGP, there is no Internet as we know it. But that doesn’t mean it can’t cause problems—our reliance on the accuracy of the information provided by BGP routers means that anyone who can gain access to one can redirect some portion of online traffic by advertising a sufficiently small set of addresses whose traffic it wants to target. In other words, if you want access to some piece of online traffic directed to someone else, you can use BGP to announce that you will deliver it to its intended recipients—in the same way that Comcast announces it can deliver traffic to me—and the rest of the Internet will believe you. So this is probably what happened in the bitcoin theft incidents investigated by SecureWorks—the thief used the credentials of someone who worked at a Canadian ISP to send out false routing announcements. Using those announcements, the thief redirected the traffic of groups dedicated to bitcoin mining and was able to retain the bitcoins harvested by those groups’ machines rather than paying them out to the owners of the mining computers.
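The two mechanics described above, longest-prefix route selection and the way a more-specific announcement from an unexpected network captures traffic, can be seen in a few lines of code. The following Python is an added illustration written for this page, not code from SecureWorks or from the article. All prefixes (RFC 5737 documentation ranges) and AS numbers (private-use range) are constructed for the example; it also shows the defender-side check that BGP monitoring services and route origin validation perform, namely comparing every announcement that overlaps your address space against the origin you expect.

```python
import ipaddress

# Constructed sample routing table (not from the article). Each entry is an
# announcement as a BGP speaker would store it: (prefix, origin ASN).
ROUTING_TABLE = [
    ("203.0.113.0/24", 64500),   # the mining pool's provider announcing its /24
    ("198.51.100.0/24", 64501),  # an unrelated network
]

# What the pool's operator expects to see for its own address space:
# prefix -> the ASN that should originate it. Constructed for the example.
EXPECTED_ORIGINS = {"203.0.113.0/24": 64500}


def select_route(routes, destination):
    """Pick the route a BGP speaker would use for `destination`: the most
    specific (longest) prefix that covers it. Returns (prefix, origin_asn),
    or None when no announcement covers the address."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, asn in routes:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        if best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen:
            best = (prefix, asn)
    return best


def flag_suspicious_announcements(routes, expected_origins):
    """Defender-side check: report every announcement that overlaps a prefix
    we own but is originated by an ASN other than the one we expect. A
    more-specific prefix from a foreign ASN is the textbook hijack pattern,
    because it wins the longest-prefix comparison in select_route()."""
    flagged = []
    for prefix, asn in routes:
        net = ipaddress.ip_network(prefix)
        for owned, owner_asn in expected_origins.items():
            owned_net = ipaddress.ip_network(owned)
            if net.overlaps(owned_net) and asn != owner_asn:
                reason = ("more-specific" if net.prefixlen > owned_net.prefixlen
                          else "same-or-covering")
                flagged.append((prefix, asn, reason))
    return flagged


def simulate_hijack():
    """Show what happens when a bogus /25, carved out of the pool's /24 and
    originated by an unexpected ASN (constructed value 64666), appears."""
    before = select_route(ROUTING_TABLE, "203.0.113.10")
    hijacked_table = ROUTING_TABLE + [("203.0.113.0/25", 64666)]
    after = select_route(hijacked_table, "203.0.113.10")
    alerts = flag_suspicious_announcements(hijacked_table, EXPECTED_ORIGINS)
    return before, after, alerts


if __name__ == "__main__":
    before, after, alerts = simulate_hijack()
    print("route before bogus announcement:", before)
    print("route after bogus announcement: ", after)
    for prefix, asn, reason in alerts:
        print(f"ALERT: {prefix} originated by AS{asn} ({reason}) overlaps owned space")
```

The point of the second function is that the hijack is invisible to the forwarding logic in `select_route()`, which is doing exactly what it should; it only becomes visible when announcements are compared against an out-of-band statement of who is allowed to originate which prefix, which is what route monitoring and RPKI origin validation provide.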

The theft apparently went unnoticed until late March, when users began posting to the forum about suspicious activity in their mining pools. The notion of surreptitious BGP hijacking dates back several years, to a 2008 presentation at the DefCon security conference. In the best-case scenario, problems caused by BGP routers are unintentional and easy to detect. They may occur as the result of a network making a mistake in its routing announcement and accidentally causing some traffic to be misrouted. Usually when this happens, those packets never arrive at their intended destination—because the incorrect routing information tells every network to send traffic to the wrong network. This means the problem can, at the very least, be detected—though it may still cause widespread outages.

But the 2008 research showed that BGP hijackers could actually limit the distribution of their fake routing announcements to be received by only a few routers and could then use the unaffected routers to send the intercepted traffic on to its rightful destination. This was the tactic that was used last year to intercept traffic sent to U.S. government agencies and corporations and redirect it through Belarus and Iceland, according to work done by network monitoring company Renesys.

So it’s not a new problem that the SecureWorks researchers have identified—quite the opposite, in fact, it’s an old one (by Internet standards). It’s not even a problem—or rather, it may be a problem but it’s not a flaw or a mistake or a coding error. It’s just how the Internet works. But over the years, as the design of the Internet has enabled an enormous variety of new uses and applications, so, too, has it created a vast set of new opportunities for the bad guys. Once upon a time, the malicious potential of BGP hijacking might have been limited to outages and easily detected mischief. It’s evolved to become a tool for espionage and, now, financial fraud. And there’s no reason to believe it will be going away any time soon.

Of course, there are plenty of potentially easier and more effective ways of stealing money or secrets online than rerouting traffic by means of BGP hijacking. But while these may not be the most frequent or even necessarily the most damaging cybersecurity incidents we see, we still need to pay close attention to the attacks that exploit the underlying architecture of the Internet. They will be with us for a long time—by Internet standards—and they are not problems we can easily escape. They serve as an important reminder that for every Heartbleed we find and patch, there are pervasive, inherent frailties of the online world built into its design and impossible to fix without fundamentally reimagining the Internet.

This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.