New Zealand-based security company Security-Assesment.com has discovered a new class of attack against the most commonly used internet connection technology — DSL, the company announced today.
Carl Purvis, senior security consultant with Security-Assesment.com, says it is possible to perform a “man in the middle” attack against any DSL/ADSL customer as long as physical access to the line can be obtained.
A “man in the middle” attack is where communications between two parties is monitored and then falsifies the exchanges to impersonate one of the parties.
In this case the malicious user monitors and in many cases may modify incoming and outgoing traffic, Purvis says.
While there has been widespread publicity about similar attacks using incorrectly secured wireless access points, DSL has, up until now, been considered safe from such attacks.
“The ability to monitor a DSL line is now accessible at a relatively low cost,” says Purvis.
“This is an important discovery in relation to maintaining computer security across the internet and between interoffice networks”.
The attack mimics a user’s ISP, forcing them to pass all traffic through an inspection tool running on a portable server platform.
This is all possible using “off the shelf” equipment that can be assembled for around $1000, less than the cost of an average laptop computer.
One form of this attack would see a malicious user park outside a victim’s house or office building and physically attach their own network infrastructure to the DSL line and have the ability to access highly valuable information.
Although there is very little in the way of published reports about these vulnerabilities Purvis believes it is highly likely they have already been exploited elsewhere in the world.
Purvis believes this vulnerability should be of particular concern to the thousands of New Zealand companies that communicate daily data via corporate networks that utilise DSL as an access mechanism.
In Purvis’ opinion, the risk of businesses becoming victims of corporate espionage is very real.
“A malicious attacker could, for example, connect to a branch office of a large company, gain access to its customer database and use the information within that database to contact the customers with competing product offerings,” he says.
Purvis says that at this stage there are no effective controls to reduce the risk from this attack.
He says that New Zealand companies typically harden the outer shell of their networks – business to business or internet communications for example – but don’t tend to harden their inter-office networks.