A chief technology officer (CTO) of one of the world's top mobile service providers is worried that his company routinely sources critical equipment from a top Chinese vendor. After all, Chinese vendors come ten times cheaper than Western vendors, and the decision is based purely on commercial considerations.
The worry, however, is that when critical components of the telecom infrastructure are under the control of a potentially hostile country, the whole network could be brought down by sending just a couple of broadcast packets.
Not that there is any evidence that the Chinese have planted Trojans or backdoors in such infrastructure. In fact, there is no evidence either way: the technology needed to reverse-engineer such components is either not available or would require millions of dollars of research to develop, so we simply do not know.
The software as it stands today may even be clean, but a routine firmware update could plant software carrying such nefarious commands, so the detection problem becomes even more complex. Given that the Chinese government has cyber-war as a high-priority strategy, and given that it gives millions of dollars in aid/subsidy to Chinese telecom vendors—heck, we don’t even know who exactly owns Huawei, the top Chinese telecom company—there is surely reason to suspect that control of telecom infrastructure via equipment sold by Chinese vendors could be part of the Chinese government’s strategy, and that this control could then be leveraged in any cyber-war.
In the Indian context, BSNL and Reliance routinely source from Chinese vendors. A year back, a couple of hackers demonstrated at the Defcon conference in the US how mass traffic from an Internet service provider can be completely redirected to another country using a critical routing protocol called BGP. BGP is the protocol by which two routers talk to each other to exchange routing information. The interesting part is that the hackers didn’t take advantage of any bug in BGP. BGP, written decades ago when the Internet was in the hands of academicians, is a trusting protocol: it simply believes that the routing data it receives is true.
To give an example, all of a particular ISP's traffic from India that is bound for the US could go through, say, a node in Dubai, which then forwards it to the US. Another route to the US could be via Pakistan or China. If the Pakistani node's BGP software sends a message to the Indian ISP's BGP router saying that a better route to the US exists via Pakistan, the Indian ISP's router would simply believe it and change its routing table so as to send all US-bound traffic to Pakistan instead. The traffic can then be legitimately forwarded to the US from Pakistan, but meanwhile it could also be sniffed, and thus all of it viewed.
So, to the end user, everything would look fine; it is just that the intermediate node's owner could have a look at all the traffic.
Given that economies today are so crucially dependent on the Internet, the ability to view a country's traffic is equivalent to knowing nearly everything that goes on in the country, something that could give huge leverage to competing businesses, not to mention the criticality of this data if the two neighbours are hostile to each other. A new version of secure BGP is in the offing.
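To make the trusting behaviour described above concrete, here is a small added illustration (not code from the original article, and not any router's real implementation). It models a router choosing between two announcements for the same prefix: once believing everything it hears, and once applying a prefix-origin check of the kind that secure-BGP work adds, modelled loosely on RPKI route origin validation. The ASNs (64496, 64500, 64510, 64520), the prefix 203.0.113.0/24 and the authorised-origin table are all constructed for the example.

```python
"""Toy BGP route selection with and without origin validation.

Added example, not from the original article. ASNs and the prefix come
from the reserved documentation ranges; the AUTHORISED table is a
constructed stand-in for validated route-origin authorisations (ROAs).
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Announcement:
    prefix: str        # destination prefix, e.g. "203.0.113.0/24"
    as_path: tuple     # AS path as received; as_path[-1] is the origin AS
    neighbour: str     # which peer sent the announcement


# Constructed authorisation table (stands in for ROAs):
# prefix -> (set of ASNs allowed to originate it, maximum prefix length)
AUTHORISED = {
    "203.0.113.0/24": ({64500}, 24),
}


def origin_state(ann):
    """Classify an announcement as 'valid', 'invalid' or 'not_found',
    using the RPKI origin-validation outcome names.

    'valid'     : a covering authorisation names this origin AS and the
                  announced prefix is not more specific than allowed.
    'invalid'   : some authorisation covers the prefix but none matches.
    'not_found' : no authorisation covers the prefix at all.
    """
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    covered = False
    for auth_prefix, (asns, max_len) in AUTHORISED.items():
        auth_net = ipaddress.ip_network(auth_prefix)
        if net.version == auth_net.version and net.subnet_of(auth_net):
            covered = True
            if origin in asns and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not_found"


def select_route(announcements, validate):
    """Pick the best announcement for one prefix, or None.

    Trusting mode (validate=False) mirrors the behaviour the article
    describes: every announcement is believed. Validating mode discards
    'invalid' announcements first. Among what remains, the shortest AS
    path wins (a small subset of the real BGP decision process).
    """
    candidates = list(announcements)
    if validate:
        candidates = [a for a in candidates if origin_state(a) != "invalid"]
    if not candidates:
        return None
    return min(candidates, key=lambda a: len(a.as_path))


# Constructed scenario: the ISP (AS 64496) already holds a route to a prefix
# originated by AS 64500 via a transit peer. A second peer then announces the
# same prefix with itself as origin and a shorter AS path.
LEGIT = Announcement("203.0.113.0/24", (64510, 64500), "peer-A")
BOGUS = Announcement("203.0.113.0/24", (64520,), "peer-B")


def demo():
    """Return (neighbour chosen when trusting, neighbour chosen when validating)."""
    trusting = select_route([LEGIT, BOGUS], validate=False)
    validating = select_route([LEGIT, BOGUS], validate=True)
    return trusting.neighbour, validating.neighbour


if __name__ == "__main__":
    t, v = demo()
    print(f"trusting router forwards via {t}; validating router keeps {v}")
```

Run as a script, the trusting router switches all traffic for the prefix to peer-B purely because its path is shorter, which is the failure the article describes; the validating router keeps the route via peer-A because peer-B's origin AS is not authorised for that prefix. The check only covers the origin of an announcement, not the rest of the path, so it is a narrower guarantee than a full path-validating secure BGP.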
The question is: Have all our Indian ISPs updated their BGP protocols to secure BGP? We don’t know.
A year back, when the Kaminsky vulnerability was announced worldwide, it was months before many of the Indian ISPs fixed the bug. The Kaminsky vulnerability was a flaw in DNS servers through which websites could be hijacked. DNS servers are the ones that translate a website name such as www.icicibank.com into an equivalent IP address such as 203.x.x.x.
It appears that in India we are as complacent as ever where security is concerned, and it is not just appearance; reality reflects this too. Security bugs have been found in some of India's major payment gateways, for instance. Many of our home routers can be logged into because people do not change their default passwords. Moreover, our CERT-In seems to have as its high priority dealing with sites like savitabhabhi.com and going after people hosting porn sites. That is not bad in itself, but it surely does not have the same level of visibility as the American CERT.
Our ministry of external affairs network has now been hacked a number of times by the Chinese, and our army network too. Our Internet is forever vulnerable, and it would not take much for some determined and well-financed hackers to bring down the whole of our Internet economy.
Home minister P Chidambaram is talking about increasing the bureaucracy. He suggests a new ministry of internal security, and says that it is partly luck due to which we have not faced another 26/11 type of attack this year.
Imagine a DDOS—distributed denial of service—attack on India for a week. A denial of service attack floods the Internet with useless traffic so that normal operation becomes impossible. How much would we stand to lose?
Add to it the fact that we are getting into other areas such as microfinance, where embedded devices such as small microprocessor-based hand-held devices or mobiles are going to hold critical financial information. How secure are these?
Skype is another area that is a potential security risk. Skype encrypts communication; terrorists are known to use Skype to communicate, and as of the last known reports, the Indian IB (Intelligence Bureau) has been unable to decipher Skype conversations. In fact, the IB has recommended to the DoT that it block Skype, a solution which I feel is akin to throwing the baby out with the bathwater. Nevertheless, it is important for national security that our intelligence agencies are able to listen to Skype conversations. The 26/11 handlers used VoIP, and though at that time the terrorists themselves used regular mobile phones, the next time they could use Skype or other encrypted VoIP, and we may not be so lucky.
Decoding satellite communication is another issue. Some satellite vendors, Thuraya for instance, have no presence in India and hence are not under Indian government control, so the IB cannot force them to decrypt the communication.
What we need is a more serious effort at tracking and fixing security bugs in our critical infrastructure and at dealing with issues such as decoding encrypted conversations. Perhaps we need an agency where top hackers would sit day in and day out trying to find security holes in our Internet infrastructure, working closely with compliance agencies in the government to fix the holes found. One argument is that all this is already there and the public is simply in the dark. Though that may be a possibility, from the reports reaching the public it is frankly hard to believe.
Finally, the potential threat scenarios described above are not a case of crying wolf. With some investment, most of the attacks mentioned above can be shown to work.
(Dr Samir Kelekar has over 23 years of experience in the global IT industry. He is currently the founder-director of Teknotrends Software, Bengaluru). — Dr Samir Kelekar