"A Fundamental Mechanism That Secures the Internet Has Been Broken"

The Resource Public Key Infrastructure (RPKI) is a security framework designed to keep cybercriminals and rogue states from redirecting Internet traffic. The National Research Center for Cybersecurity ATHENE has discovered a way to easily bypass this security mechanism without the affected network operators noticing.

Misdirected Internet traffic creates a commotion, as happened in March when Twitter traffic was partially redirected to Russia. Entire companies or countries can be cut off from the Internet, or their Internet traffic can be intercepted or overheard. Such attacks are typically based on prefix hijacking. They take advantage of a fundamental design flaw in the Internet: determining which IP address belongs to which network is not secure.

The Internet Engineering Task Force (IETF), the organization in charge of the Internet, standardized RPKI to prevent any network on the Internet from claiming IP address blocks it does not legitimately own. RPKI employs digitally signed certificates to confirm that a specific IP address block belongs to the specified network. According to ATHENE team measurements, nearly 40 percent of all IP address blocks now have an RPKI certificate, and approximately 27 percent of all networks verify these certificates.

The team discovered an error in the design of RPKI. If a network cannot locate a certificate for an IP address block, it assumes there is none. To keep traffic flowing on the Internet, this network will ignore RPKI for such IP address blocks, meaning that routing decisions will continue to be based solely on unsecured information. The ATHENE team demonstrated that an attacker could exploit this situation and disable the mechanism without being detected. This "Stalloris" attack requires the malicious actor to control an RPKI publication point, but the team says that this is not a challenge for state attackers or organized cybercriminals.
This article continues to discuss the RPKI design flaw discovered by the ATHENE team. 
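The fallback described above can be seen in a minimal route origin validation routine. This is an added example, not code from the article or from ATHENE; it assumes the RFC 6811 validation states (valid, invalid, not-found), and the function names, prefixes and AS numbers are constructed from documentation ranges.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload: covered prefix, maximum length, authorized origin AS."""
    prefix: object
    max_length: int
    asn: int

def validate_origin(vrps, prefix, origin_asn):
    """Route origin validation per RFC 6811: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        if route.version != vrp.prefix.version or not route.subnet_of(vrp.prefix):
            continue
        covered = True  # at least one VRP speaks for this address space
        if route.prefixlen <= vrp.max_length and vrp.asn == origin_asn and vrp.asn != 0:
            return "valid"
    return "invalid" if covered else "not-found"

def accept_route(vrps, prefix, origin_asn):
    """Common policy: drop only 'invalid'; 'not-found' routes are still used."""
    return validate_origin(vrps, prefix, origin_asn) != "invalid"

def coverage_lost(previous_vrps, current_vrps):
    """Monitoring aid (hypothetical helper): prefixes covered at the last refresh
    but not now. A hit may be a legitimate withdrawal and needs a human look."""
    now = {v.prefix for v in current_vrps}
    return sorted({str(v.prefix) for v in previous_vrps if v.prefix not in now})

# Constructed sample data (documentation prefixes and AS numbers).
FULL_CACHE = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    VRP(ipaddress.ip_network("198.51.100.0/24"), 24, 64501),
]
# Same cache after the object covering 192.0.2.0/24 could not be retrieved.
DEGRADED_CACHE = FULL_CACHE[1:]

if __name__ == "__main__":
    for name, cache in (("full", FULL_CACHE), ("degraded", DEGRADED_CACHE)):
        state = validate_origin(cache, "192.0.2.0/24", 64511)  # wrong origin AS
        print(name, state, "accepted" if accept_route(cache, "192.0.2.0/24", 64511) else "dropped")
    print("coverage lost:", coverage_lost(FULL_CACHE, DEGRADED_CACHE))
```

With the full cache the wrong-origin announcement is dropped as invalid; once the covering entry is missing, the same announcement is only not-found and is accepted, which is why comparing coverage between refreshes is worth alerting on.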

BetaNews reports "A Fundamental Mechanism That Secures the Internet Has Been Broken"
