“I’m informed that, you think that within 30 minutes the seven of you could make the internet unusable for the entire nation, is that correct?”
That question came from Sen. Fred Thompson (R-Tenn.) on May 19, 1998, while speaking with members of a Cambridge, Massachusetts hacker group known as The L0pht.
“That’s correct. Actually one of us with just, a few packets,” said Peiter Zatko, who is better known by his hacker pseudonym of Mudge.
Sitting alongside Mudge were six other members of L0pht who specialised in various fields of computer and network security, from satellite communications to password cracking. One of them was Cris Thomas — also known as Space Rogue — who I spoke with last week.
“The famous testimony of being able to take down the internet in 30 minutes,” I asked Thomas in a phone interview. “Was that a boast or was that realistic…”
He cut me off. “No,” he said.
“In our particular case, we were looking at something called BGP, or border gateway protocol. We found a flaw in the protocol that would cause a cascading effect through most routers in use at the time,” said Thomas, who is now a strategist for Tenable Network Security.
The flaw L0pht had discovered would basically kick one network router offline, but before it died, it would tell the next router where data should go instead. With “a few packets,” as Mudge said, the hackers could have fed the system faulty information that would cascade from one router to the next, knocking systems offline left and right.
“Since it was cascading and automated,” Thomas said, “it would happen relatively quickly, probably less than 30 minutes.”
L0pht members testified that they had contacted numerous government agencies to try to figure out a fix, but no one was listening. Instead, Thomas said they contacted the makers of the routers and figured out a solution prior to their Senate testimony.
“The foundation of the internet is over 20 years old at this point,” Mudge said. “How can one be expected to protect a system on a network where any seven of the individuals seated before you can tear down the foundation the network was built upon?”
It’s an interesting question to ask even now, nearly two years after an ethical security researcher found a glaring vulnerability within the global cellular network that a hacker can use to read text messages, listen to calls, and grab personal information — with nothing more than a phone number.
‘The internet was very fragile’
L0pht’s testimony to a bipartisan group of senators was one more warning among a growing chorus of security professionals that had emerged in those nascent days of the internet.
They spoke of the problems with internet commerce, the lack of focus among companies on building secure software products, and the effects of the (at the time) relatively unknown denial-of-service attack, which could take a website offline.
After their testimony, Thomas said, people would come up to members of the group and ask for specifics on how the shutdown would work.
“‘Were you talking about this [vulnerability]?’” Thomas said a fellow hacker might ask. “And we’d be like, uh, no. That’s not what we were talking about, but that would work too.”
He added: “The internet was very fragile. It still pretty much is very fragile. And there’s probably more than one way to cause similar issues today as it was then.”
The internet may not have been taken down in the years since, but there has been a boom of cyber criminals, hacktivists like Anonymous, and nation-states all putting it to the test. Besides the growing militarization of cyberspace, the proliferation of data breaches has resulted in billions of dollars being stolen, or in the case of the Ashley Madison hack, lives ruined.
“You’re starting to see degradation in trust,” said Malcolm Harkins, Global Chief Information Security Officer for Cylance.
Your phone’s fatal flaw
Eight years after L0pht’s chilling testimony, the smartphone has increasingly replaced the desktop computer as the main avenue for people to connect to the internet.
But a glaring security vulnerability still lies within the worldwide network of mobile carriers that use Signalling System Seven (SS7) to share data, and it does not depend on any particular phone. Though it was first exposed by security researcher Tobias Engel at the Chaos Communication Congress in Dec. 2014, it received newfound exposure after a “60 Minutes” report in April.
“It’s a real issue,” Thomas said. “It’s an important issue, but it’s not a new issue.”
You can think of SS7 as being sort of like the cellular version of banking communications standards. Just as different banks need a common language to be able to transfer people’s money around the world, mobile carriers use SS7 to pass customer data and allow a person who lives in New York City to jump onto a cell network in London when they travel there.
It’s a vital piece of the mobile puzzle, but the problem is, security among the 800-plus mobile operators with access can be hit-or-miss. The hackers working with “60 Minutes” obtained access legally with agreement from a mobile carrier for testing purposes, but it’s actually not that difficult to get in without a carrier’s blessing.
Hackers can break in illegally by going through unsecured access points on the internet, or they can even buy access from carriers for a few hundred bucks.
“[We can] track their whereabouts, know where they go for work, which other people they meet when,” researcher Karsten Nohl told “60 Minutes.”
“You can spy on whom they call and what they say over the phone. And you can read their texts.”
Many carriers are reportedly working on a replacement for SS7 with something more secure, but it will likely remain backward-compatible with the old system — leaving users vulnerable — for many years afterward as other carriers make the switch, according to Ars Technica.
For now, it seems, the only government official looking for a fix is Rep. Ted Lieu (D-Calif.), who has called for a congressional investigation into the SS7 flaw, following the “60 Minutes” report. As was the case in 1998, it’s likely that people in the government — especially in military and intelligence circles — have been aware of the flaw for some time, but have done nothing to correct it.
“It’s just been ignored,” Thomas said. “Since it was ignored and nobody really knew about it outside of certain circles, nobody cared.”
As with the NSA practice of hoarding zero-day vulnerabilities — security holes in software unknown to developers that government and criminal hackers alike can exploit — the priority for fixing SS7 doesn’t seem to be all that high. But Lieu has told the Daily Dot that government employees who knew about it but did nothing should be fired.
“With the mobile phone becoming more ubiquitous every day,” Lieu told the Daily Dot, “this is going to affect all of society if we don’t fix it.”