Security-Assessment.com uncovers major vulnerability in DSL Technology Security-Assessment.com, the world-leading IT
security research and development company, has discovered a vulnerability that has the potential to impact millions of
DSL internet users worldwide. 20 November 2009, Research conducted by New Zealand-based computer security company,
Security-Assesment.com (SA), in the field of core DSL/ADSL technology has revealed a new class of attack against the
most commonly used internet provider technology – DSL. Carl Purvis, SA Senior Security Consultant, has discovered it is
possible to perform a “man in the middle” attack against any DSL/ADSL customer as long as physical access to the line
can be obtained.
A “man in the middle” attack is a scenario where communications between two parties is monitored and then falsifies the
exchanges to impersonate one of the parties. In this case, says Purvis, the malicious user monitors and in many cases
may modify incoming and outgoing traffic. While there has been widespread publicity about similar attacks being made by
computer hackers using incorrectly secured wireless access points. DSL infrastructure has, up until this point, been
considered safe and has not been thought to be vulnerable to attack.
“The ability to monitor a DSL line is now accessible at a relatively low cost,” says Purvis, “This is an important
discovery in relation to maintaining computer security across the internet and between interoffice networks”. The
biggest surprise is just how simple – and inexpensive - it is to simulate the attack. The attack mimics a user’s ISP,
forcing the user’s personal DSL modem to pass all traffic through an inspection tool running on a portable server
platform. This is all possible using “off the shelf” equipment that can be assembled for around $1000, less than the
cost of an average laptop computer.
One form of this attack would see a malicious user park outside a victim’s house or office building and physically
attach their own network infrastructure to the DSL line and have the ability to access highly valuable information.
Although there is very little in the way of published reports about these vulnerabilities Purvis believes it is highly
likely they have already been exploited elsewhere in the world. The scale of the vulnerability is enormous, says Purvis,
with DSL being the dominant broadband internet technology used by New Zealand businesses and consumers.
The latest Commerce Commission figures show 1,100,000 DSL connections in New Zealand as at 31 Oct 2009. Worldwide
broadband subscriptions will exceed 536 million by 2011 with DSL representing over half the market. Purvis believes this
vulnerability should be of particular concern to the thousands of New Zealand companies that communicate daily data via
corporate networks that utilise DSL as an access mechanism. These companies include banks, government departments and
retailers as well as many of the country’s largest organisations.
“Many of these corporate networks may be unencrypted and therefore susceptible to this attack.” In Purvis’ opinion the
risk of businesses becoming victims of corporate espionage is very real. “A malicious attacker could, for example,
connect to a branch office of a large company, gain access to its customer database and use the information within that
database to contact the customers with competing product offerings.” Purvis says that at this stage there are no
effective security controls which can be implemented en masse to reduce the risk from this attack.
He says that New Zealand companies typically harden the outer shell of their networks – business to business or
internet communications for example – but don’t tend to harden their inter-office networks. “This is where the DSL
attack can be used to gain access to the company’s network and data and is a security gap that needs to be addressed.”
“I’d recommend businesses and individuals focus on the basics; assess the sensitivity of what they are using DSL for
and use encryption over the DSL link wherever possible.” Security-Assessment.com is one of the world’s only “pure play”
security companies, specialising in research and development. It provides independent security advisory, assessment and
assurance services to help organisations establish and maintain a secure environment. Doug Browne, SA General Manager,
firmly believes that SA’s research will help organisations improve their overall information security stance.
“Security-Assessment.com adheres to a strict policy of responsible disclosure. In line with this policy, we have taken
time to share this piece of research with the relevant organisations.” he says.
ENDS