Cybersecurity News & Commentary - January 2019

The Source Port is Georgia Tech's monthly cybersecurity newsletter, featuring commentary from its researchers about topics in the news over the past month, what wasn't written between the lines, the big (and sometimes nagging) questions driving our research, and new projects underway.

January, 2019


How One IoT Protocol has Become a Boon to Attackers

Constrained Application Protocol (CoAP) was designed to be a lightweight way for resource-constrained devices to communicate.  Unfortunately, the widespread use of CoAP in a mode without security has allowed attackers to launch Distributed Denial of Service (DDoS) attacks, the most powerful of which measured a whopping 320 Gbps.  Although CoAP includes security features that would prevent its use in DDoS attacks, device manufactures have failed to enable these features in devices that are now deployed online.

IISP Analyst Joel OdomDDoS attacks are one of the oldest attack classes in the book.  Classic DDoS attacks originate from botnets where the computers (bots) under control of the attacker (the botmaster) send a flood of data to the victim.  Bots have been known to flood victims with bogus TCP connection requests, web service requests, and Internet Control Message Protocol (ICMP) traffic.  Some of the most powerful DDoS attacks are amplification attacks where a network protocol responds to requests with much more data than it receives. This is the type of attack that the CoAP protocol can be used for when it is deployed without security features enabled.

Amplification attacks often happen over User Datagram Protocol (UDP), which bundles data into datagrams that include a destination address and a return address.  Since there is nothing stopping an attacker from forging the return address on a UDP datagram, servers that receive a UDP packet can be tricked into believing that a datagram is from the victim when it was really sent by a system under the attacker's control.  If the server is programmed to reply to the datagram with lots more data than it receives, the attacker can amplify one small packet into one (or many) large packets that are sent to the victim.  It's like sending postcards with a fake return address to thousands of catalog companies, all of whom react by sending the victim a flood of heavyweight catalogs. Soon the victim’s mailbox overflows and legitimate mail cannot  be received.

The DDoS potential of CoAP has been known for a long time.   Unfortunately, manufacturers of devices using CoAP deployed the protocol without the necessary security features to prevent these attacks.





Australia Passes the Assistance and Access Act

Australia recently passed the Assistance and Access Act, which allows law enforcement to compel service providers to assist in intercepting communications1. The bill is designed to aid law enforcement in surveilling and tracking targets that use messaging tools with end-to-end encryption. Messaging applications such as Signal and WhatsApp encrypt communication between users so that, among other things, the communications cannot be intercepted. End-to-end encryption is a good thing for user privacy but provides a challenge to law enforcement.

IISP Analyst Kennon Bittick

Since encryption has become widespread, there has been a debate about the tradeoff between general privacy and the ability of law enforcement to do their job. A recent incident in the United States occurred when the FBI tried to get Apple to decrypt an iPhone belonging to a perpetrator of the San Bernardino shooting. There was a legal battle between Apple and the FBI that ended without a clear resolution when the FBI received help from a third-party to unlock the phone in question.

The newest battleground of the privacy-security debate is Australia’s recently passed Assistance and Access Act, which mostly targets messaging software. Messaging software typically encrypts traffic between the server and each individual client. The server decrypts each message on arrival, re-encrypts it, then forwards the message to its destination. In this scheme, law enforcement could work with the application provider to sit in the middle and snoop on the traffic. Recently, there has been a push toward end-to-end encryption, in which the traffic is always encrypted between the two users and the service provider has no ability to decrypt it. This stymies law enforcement’s effort to intercept communication.

The main difficulty comes from the fact that, even with a warrant, the service providers are unable to assist law enforcement. This new Australian law would require service providers to have a way to crack the encryption of their own software, which necessarily reduces the security for all users. If a backdoor is inserted, it is possible that a malicious user could discover the backdoor and exploit it. If there is a master key to break every user’s encryption, the key could be stolen. And even discounting the impact of malicious third parties, there is a concern of abuse by law enforcement without proper oversight.

On the other hand, many law enforcement agents contend that widespread encryption has made it impossible to maintain public safety. Officials from the United Kingdom’s Government Communications Headquarters (GHCQ) wrote an articledescribing the modern difficulties of their job and proposed solutions that address the concerns of both law enforcement and advocates for privacy and security.  Although their specific ideas are still too broad, the point that parties with opposing views need to have open conversations about technological and social challenges is a good one.  Much of the current debate tends to the extremes rather than attempting to find compromise or at least understanding the various points of view. Fostering open, honest dialogue will go a long way toward creating solutions as end-to-end encryption becomes ubiquitous.