Cross-Router Covert Channels

Many organizations protect secure networked devices from non-secure networked devices by assigning each class of devices to a different logical network. These two logical networks, commonly called the host network and the guest network, use the same router hardware, which is designed to isolate the two networks in software. In this work we show that logical network isolation based on host and guest networks can be overcome by the use of cross-router covert channels. Using specially-crafted network traffic, these channels make it possible to leak data between the host network and the guest network, and vice versa, through the use of the router as a shared medium. We performed a survey of routers representing multiple vendors and price points, and discovered that all of the routers we surveyed are vulnerable to at least one class of covert channel. Our attack can succeed even if the attacker has very limited permissions on the infected device, and even an iframe hosting malicious JavaScript code can be used for this purpose. We provide several metrics for the effectiveness of such channels, based on their pervasiveness, rate and covertness, and discuss possible ways of identifying and preventing these leakages.

[1]  Paul V. Mockapetris,et al.  Domain names: Concepts and facilities , 1983, RFC.

[2]  Carla E. Brodley,et al.  IP covert timing channels: design and detection , 2004, CCS '04.

[3]  Ralph E. Droms,et al.  Dynamic Host Configuration Protocol , 1993, RFC.

[4]  Sebastian Zander,et al.  Pattern-Based Survey and Categorization of Network Covert Channel Techniques , 2014, ACM Comput. Surv..

[5]  Chong Kuan Chen,et al.  IoT Security: Ongoing Challenges and Research Opportunities , 2014, 2014 IEEE 7th International Conference on Service-Oriented Computing and Applications.

[6]  Yossef Oren,et al.  Sensorless, Permissionless Information Exfiltration with Wi-Fi Micro-Jamming , 2018, WOOT @ USENIX Security Symposium.

[7]  Brad Cain,et al.  Internet Group Management Protocol, Version 3 , 2002, RFC.

[8]  Karen A. Scarfone,et al.  Guide to Industrial Control Systems (ICS) Security , 2015 .

[9]  Dick Hardt,et al.  The OAuth 2.0 Authorization Framework , 2012, RFC.

[10]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[11]  William C. Fenner Internet Group Management Protocol, Version 2 , 1997, RFC.

[12]  Theodore G. Handel,et al.  Hiding Data in the OSI Network Model , 1996, Information Hiding.

[13]  Kay Römer,et al.  Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud , 2017, NDSS.

[14]  Jim Kurose,et al.  Computer Networking: A Top-Down Approach (6th Edition) , 2007 .

[15]  Mark Handley,et al.  Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics , 2001, USENIX Security Symposium.

[16]  David C. Plummer,et al.  Ethernet Address Resolution Protocol: Or Converting Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware , 1982, RFC.

[17]  Kamran Ahsan,et al.  Covert Channel Analysis and Data Hiding in TCP/IP , 2002 .

[18]  Jon Postel,et al.  Internet Control Message Protocol , 1981, RFC.

[19]  Aurélien Francillon,et al.  C5: Cross-Cores Cache Covert Channel , 2015, DIMVA.

[20]  Roman L. Lysecky,et al.  Security challenges for medical devices , 2015, Commun. ACM.

[21]  Sebastian Zander,et al.  A survey of covert channels and countermeasures in computer network protocols , 2007, IEEE Communications Surveys & Tutorials.

[22]  Tatu Ylönen,et al.  The Secure Shell (ssh) Transport Layer Protocol , 2006 .

[23]  Adam Barth,et al.  The Web Origin Concept , 2011, RFC.

[24]  Craig H. Rowland,et al.  Covert Channels in the TCP/IP Protocol Suite , 1997, First Monday.