How Vulnerable are Networks to Induced Security Holes in Devices?

What are the risks of a network-device exploit?  The flap about Huawei has raised the question of a deliberate, even state-sponsored, built-in vulnerability, but of course network devices have the potential for a hack/exploit created by a failure in testing and quality control.  Cisco recently had to patch one in an SD-WAN product.  We hear about exploits regularly in the world of personal computers, particularly Windows systems.  Are networks at risk?  It’s hard to gather buyer data on this sort of thing, but here’s my summary of our current reality, starting with general comments on exploits and attacks and moving on to network devices.

To start with, a network device is like a computer system in that its functionality is made up of a combination of hardware and software.  Everyone I’ve talked with about potentially harmful exploits, meaning ones that can impact functionality or create a security breach, says that ultimately it’s software that does the exploiting, but that hardware can open the door.  That means that the “risky” attacks would likely come by exploiting a software fault (as is the case with most Windows exploits) or by exploiting a hardware problem with a software-based attack (the Intel data protection exploit is an example).

The next question is how an attack could be launched.  With computer systems, applications are supposed to run on the platform, which means that applications themselves are usually part of the attack vector.  Sometimes the application is itself malware, and sometimes the application contains some vulnerability that allows malware to be planted; browsers or media players are examples.  In a smaller number of cases, there’s a vulnerability in the “platform software”, the operating system and middleware, that can be directly exploited.

All these mechanisms require one thing—access.  The Internet has been the greatest hole in security of our age, because it provides a means of access to launch an attack.  A system that’s not connected to anything is difficult to attack, and further the benefits of attacking it are limited since it has no observable external behavior that an attacker could benefit from.

You can now summarize the options for a computer attack.  You get malware on the system, either by loading it on by subterfuge or by creating a “hole” that could be exploited to load it.  One popular example is the “buffer overflow” hole, where you send a long packet that overflows the data buffer and overwrites code.  In your packet, you put some code that then bootstraps the malware in, and you then cause that code to be run by causing the condition that executes the overwritten code.  You now have malware loaded and run, and that malware can do whatever internal platform controls (memory and storage protection tools) don’t prevent.
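The “long packet overflows the data buffer” hole described above, as an added illustration that is not from the original post: a constructed packet format (one length byte, then payload) handled first by a function that trusts the declared length, then by a hardened version that checks it against both the bytes received and the buffer size before copying. The function names, packet layout and sample packets are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example: 1 length byte, then payload. */
#define BUF_SIZE 16

/* Unsafe handler: copies as many bytes as the packet *claims* to carry into a
 * fixed-size buffer. A packet declaring more than BUF_SIZE bytes writes past
 * the buffer, which is the "hole" the text describes. Shown for contrast only;
 * main() below never calls it. */
static int handle_packet_unsafe(const uint8_t *pkt, size_t pkt_len) {
    uint8_t buf[BUF_SIZE];
    size_t declared = pkt[0];
    (void)pkt_len;                    /* received length is never consulted */
    memcpy(buf, pkt + 1, declared);   /* no check that declared <= BUF_SIZE */
    return (int)declared;
}

/* Hardened handler: validates the declared length against the bytes actually
 * received and against the buffer size, and drops the packet on mismatch. */
static int handle_packet_safe(const uint8_t *pkt, size_t pkt_len) {
    uint8_t buf[BUF_SIZE];
    if (pkt_len < 1) return -1;       /* no length byte at all */
    size_t declared = pkt[0];
    if (declared > pkt_len - 1) return -1;   /* claims more than was received */
    if (declared > BUF_SIZE) return -1;      /* would not fit the buffer */
    memcpy(buf, pkt + 1, declared);
    return (int)declared;
}

/* Constructed sample packets. */
static const uint8_t good_pkt[] = {4, 'p', 'i', 'n', 'g'};
/* Declares 200 bytes but only 8 follow: the classic oversized-length packet. */
static const uint8_t oversized_pkt[] = {200, 'A','A','A','A','A','A','A','A'};
/* Honest about its 20 bytes, but 20 still exceeds BUF_SIZE. */
static const uint8_t too_long_pkt[] = {20, 'B','B','B','B','B','B','B','B','B','B',
                                           'B','B','B','B','B','B','B','B','B','B'};

int main(void) {
    printf("good: %d\n", handle_packet_safe(good_pkt, sizeof good_pkt));
    printf("oversized: %d\n", handle_packet_safe(oversized_pkt, sizeof oversized_pkt));
    printf("too long: %d\n", handle_packet_safe(too_long_pkt, sizeof too_long_pkt));
    return 0;
}
```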

Another similar option that’s less flexible in terms of what the attacker gains is that you can create a fault instead of creating a hole.  If you overwrite code with the buffer overflow described above, and simply crash the software that’s been overwritten, you probably break the computer.  This would likely be done only if there were protections in the computer platform that essentially prevented “exploiting” a hole to steal data or do more subtle manipulations.

Let’s now contrast the computer situation with that of network devices.  A network device has the same hardware/software platform combination, but in most cases it’s not used to run external third-party applications.  That means that introducing malware onto the device is more difficult.  To do so, you’d have to somehow exploit a platform vulnerability, and that would mean either sending a particular combination or type of packet that created a fault that could be exploited, or using the device management system.

It’s much harder to find an exploitable problem with a network device because the device doesn’t run third-party software and isn’t generally available to hackers in a way that would let them play with possible exploit problems.  Buying a router is harder than buying a PC, and you’d actually probably have to buy a number of them and set up a live network to create an intrusion.  Most operators think that network device hacks are probably going to be undertaken not by lone black-hats, but rather by criminal organizations or state-sponsored entities.

If you had the resources, could you hack a router as easily as a PC?  Probably not, because the router is probably not designed with as many “hackable features” and probably doesn’t present as many places to “dig a hole” in.  However, it could be done if there were any errors in coding that could be exploited, or if there were hardware issues, including chip issues.

A chip or hardware defect that could be used to open a hole could be exploited in a router in much the same way it could be exploited in a computer, but with the greater difficulty in finding it and then gaining access to it that I already noted.  If we assume the “criminal enterprise or state-sponsored” source of the hacking, we could assume that the goal was either to disable the device on demand and so break the network it was in, or gain access to the management channel to perform more subtle manipulations that could include security violations like stealing packets.  Either would be possible, but difficult.

Unless you could introduce the hole, which is why there’s a concern in some quarters about Huawei.  NPR did a program (the transcript is available HERE) outlining the possible links between the company and the Chinese government and military.  Other links have been cited by other sources in the past.  The Chinese military have long been suspected of hacking US sites, including government sites.  If these connections are real, and if there is a desire in the Chinese government and/or military to exploit networks, could Huawei be building hardware that included holes waiting to be exploited?

The short answer is, in theory, “Yes”.  A proprietary network device, meaning one that’s supplied with a network operating system from the same vendor, could easily be designed to incorporate an exploitable hole.  To incorporate one in the software would be almost childishly simple; think of how so many Linux systems were exploited because the default userid (“admin”) and password (none) were allowed to remain valid.  To incorporate one in hardware would also be fairly easy, particularly if the device used custom semiconductors (including FPGAs) that were programmed by the device company itself.

A hole introduced in hardware, waiting to be activated with a seemingly innocent packet, could let a hacker gain control of a device.  It would then be easy to disable the device, and possible for the device to be used to gather information about the network overall.  It would be possible, but more difficult, to use the hole to inspect device traffic and “spy” on packet flows.

Could the hole be located with careful analysis?  Probably, but perhaps not easily.  The smarter a chip, the more difficult it would be to identify all its behaviors by examining it, particularly if “examining” meant exploring its behavior by running it.  If you asked for the program or logic description of a chip rather than trying to explore its behavior in operation, could you be sure you were getting the correct information?  Not if you presumed the equipment vendor was deliberately creating an exploitable hole.

The reason why 5G is such a hot button on the issue of the security of network devices is that when you introduce a new technology you introduce a lot of new devices.  Not only does that multiply the possibility of hacking one or more of them, it means that the devices could “cover for each other”, meaning that systemic goals like spying would be harder to detect because the extra traffic created would pass through other compromised devices.  It’s not that faster wireless offers more hacking opportunities, but that more new devices offer more opportunities to introduce and disguise a hole.

The truth is that any network vendor could build any or all of their devices with exploitable holes.  So could any chip vendor, as Intel proved with its accidental data protection error.  Every box we have out there, in every network, could be waiting for the command to turn itself into a zombie.  No traffic, no application, no secret, is completely safe.  We know that because we’ve seen the “accidental” holes already.  What can be done by accident could be done on purpose.

Nothing is ever certain or safe, of course.  I remember when I was in high school and taking an advanced lecture course in quantum theory, the thing they called the “tunnel effect”.  Imagine a marble on a track that had a hump in the middle.  You could calculate, based on the shape of the track and the material used for both track and marble, the force needed to push the marble fast enough to get over the hump.  Less force means (in Newtonian physics) the marble would never make it.  Quantum theory says that it has to make it with a very low probability, so the marble must be able to “quantum tunnel” through the hump.  This is sound theory, but very few quantum physicists would spend much time flicking marbles to try to prove it out—the probability is so low it would take longer than the universe is likely to last.  My point is that we can’t make networks safe, only make them safe enough for all practical purposes.

How safe would that be, though?  I do not believe that any testing or examination of any vendor’s hardware would be sufficient to absolutely assure there’s not an exploitable hole built in, deliberately introduced or otherwise.  With respect to a willful creation of an exploitable hole, I don’t think any vendor assurances that there were no such holes could be trusted unless the vendor was trusted.  If an exploit occurred, no monitoring or management process could be expected to detect it.  It comes down to trust.

I can’t assess the validity of the concerns expressed about the risk that the Huawei relationship with the Chinese government and military might pose, or whether that relationship even exists.  I have no comment on whether Huawei’s devices pose any threat to networks, and in particular on whether such a threat would be intentional.  I’m sure there are people here in the US and in other countries who believe that the US’s National Security Agency is planting exploits and spying on everyone, and I can’t assess whether that’s true either.  All I can say is that if you believe that you’re at risk from willfully introduced exploits with a given vendor or piece of equipment, I don’t believe you can test your way out of that belief.  That’s the view I express to any who ask me, client or otherwise.