News | July 26, 2000

ATM Vulnerabilities

Source: Celotek Corporation

As with any public telecommunications network, Asynchronous Transfer Mode (ATM) networks are not secure.

ATM is vulnerable to attack. The physical media, the switch and the protocols can all allow unauthorized access to valuable information (voice, video or data) being transported across the network.

Unless the user has implemented proper security measures, his network, his organization, and the information it contains are all susceptible to ATM attacks.

Physical Plant Vulnerabilities

The ATM physical infrastructure cannot be guaranteed to be free of unauthorized access. In the US, because of the Telecommunications Act of 1996, more people than ever before have access to the physical plant, central office and point of presence. The carrier network may well traverse the infrastructure of third-party carriers, in country or internationally. More people and more unknowns translate to greater security risk. Examples of physical plant attacks include fiber tapping, SONET drop/add multiplexor attacks, and snooping.

Fiber Tapping
Bending a fiber just a small amount causes it to leak light. By using a chemical solvent to dissolve the insulation surrounding a fiber and attaching a device to detect the leaked light, an attacker has access to all the data being transmitted through that fiber. The leaked light is undetectable at either end of the fiber.

SONET Drop/Add Multiplexor Attacks
SONET multiplexors can be found in the basements of many high-rise buildings in city business districts. They offer little challenge to the experienced network attacker. Because they are protected by no more than a combination lock on the entrance to the wiring closet, access to a customer's valuable data can be gained in minutes. Often cracking a password isn't even required to log in to a multiplexor; all that is required is knowledge of the management information base (MIB) variables. In most cases these MIB variables can be accessed from the manufacturer's web site.

Many switches have special "sniffer" ports for troubleshooting purposes, which allow easy access to data going through the switch. Use a simple password-cracking program on these ports and you can have access to all the data, voice or video that transmits through the switch. ATM analyzers can simply reassemble the cells into their higher-level protocol data units (PDUs), whether data, voice or video, all at line rate.

Detection Tools
A common misconception is that broadband technologies are too fast or too complex to be intercepted. A few examples of technology that contradict this statement follow:

- The Voice Channel De-Multiplexor from Applied Signal Technology Inc. scans 56,700 communications channels and extracts 3000 channels of interest.
- TRAILMAPPER from AST intercepts and analyzes transmissions of 2.5 Gbps, including ATM reassembly and decode.

Protocol Weaknesses

ATM protocols do not authenticate or encrypt. This means they are vulnerable to "snooping" and "spoofing". It is possible to have access to a single port in the ATM cloud and gain control of routing data through the cloud by pretending to be a trusted switch. This can be done without any access to the network management interface.

ILMI Attacks
The Integrated Local Management Interface (ILMI) protocol is used at the interface between the private and public networks. At boot time, a private switch may use ILMI to configure ATM addresses. But, because the ILMI protocol does not authenticate and is sent in the clear, it is possible for an attacker to register for additional ATM addresses. These additional ATM addresses can then be used to bypass any address filters configured on the public switch. Additionally, ILMI can be used to configure the port type. An untrusted User Network Interface (UNI) port can be configured to be a trusted Network to Network Interface (NNI) port by means of a forged ILMI message. Once the public network thinks the untrusted port is an NNI interface, it is possible to attack the routing of the public ATM cloud via Private Network to Network Interface (PNNI).

PNNI Attacks
PNNI is a hierarchical routing scheme (unutilized by most carriers) to establish routing within the ATM public cloud. Using PNNI's HELLO messages, network elements exchange connectivity information in the clear to choose a Peer Group Leader (PGL). The PGL is then designated as the switch that is allowed to interact with network elements outside the local peer group. The election of a PGL is based solely on a switch's address prefix. These messages are sent in the clear with no authentication. An attacker merely needs to craft a HELLO message with spoofed ATM addresses and he can designate a switch under his control as the PGL. Once he has control of the PGL, he has complete control over how data gets routed in the cloud: he can spoof routing connections, multicast data flows to transparently capture data, block the communication of whole peer groups, or collapse the network.
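The ILMI and PNNI sections above both come down to the same root cause: management and routing messages are accepted without any proof of origin. The following Python model, added here as an illustration and not code from Celotek or from any ATM switch vendor, shows why that matters and what the two standard countermeasures look like. It simplifies PNNI leader election to "the HELLO advertising the highest address prefix wins" (an assumption made to match the article's description, not the real PNNI encoding), then contrasts the unauthenticated election with one that verifies an HMAC over each HELLO using a shared peer-group key, and adds a prefix-screening check of the kind a public switch can apply at the port where a message arrives. The switch names, prefixes and port labels are constructed sample data.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Simplified model of a PNNI HELLO as seen by a receiving switch.
# Field layout is an assumption for illustration, not the real PNNI format.
@dataclass(frozen=True)
class Hello:
    port: str                 # ingress port the HELLO arrived on
    node_id: str              # advertised node identifier
    prefix: str               # advertised ATM address prefix (hex string)
    mac: Optional[str] = None # hex HMAC over (node_id, prefix), if any


def hello_mac(key: bytes, node_id: str, prefix: str) -> str:
    """HMAC-SHA256 over the HELLO fields using the shared peer-group key."""
    msg = json.dumps([node_id, prefix]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_hello(port: str, node_id: str, prefix: str, key: Optional[bytes] = None) -> Hello:
    """Build a HELLO; only switches holding the group key can attach a valid MAC."""
    mac = hello_mac(key, node_id, prefix) if key else None
    return Hello(port, node_id, prefix, mac)


def elect_pgl_unauthenticated(hellos):
    """Election as the article describes it: prefix alone decides, nothing is verified."""
    return max(hellos, key=lambda h: h.prefix).node_id


def elect_pgl_authenticated(hellos, key: bytes):
    """Same election, but HELLOs without a valid MAC are discarded before voting."""
    accepted, rejected = [], []
    for h in hellos:
        expected = hello_mac(key, h.node_id, h.prefix)
        if h.mac is not None and hmac.compare_digest(h.mac, expected):
            accepted.append(h)
        else:
            rejected.append(h)
    winner = max(accepted, key=lambda h: h.prefix).node_id if accepted else None
    return winner, [h.node_id for h in rejected]


def prefix_screen(hellos, provisioned: dict):
    """Detection check: flag HELLOs whose prefix differs from the one provisioned
    for the ingress port (covers the ILMI 'register extra addresses' case too)."""
    return [h.node_id for h in hellos if provisioned.get(h.port) != h.prefix]


def demo() -> dict:
    """Constructed scenario: two legitimate switches plus one rogue HELLO from a UNI port."""
    group_key = b"constructed-peer-group-key"  # assumed pre-shared key, sample value
    provisioned = {"nni1": "470005800000", "nni2": "470005800001", "uni7": "470005800099"}

    hellos = [
        make_hello("nni1", "sw1", "470005800000", group_key),
        make_hello("nni2", "sw2", "470005800001", group_key),
        # Rogue HELLO: higher prefix than any legitimate switch, no group key, wrong port.
        make_hello("uni7", "rogue", "47ffffffffff"),
    ]

    auth_winner, rejected = elect_pgl_authenticated(hellos, group_key)
    return {
        "unauthenticated_pgl": elect_pgl_unauthenticated(hellos),
        "authenticated_pgl": auth_winner,
        "rejected": rejected,
        "prefix_violations": prefix_screen(hellos, provisioned),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two checks are complementary: the MAC stops a message from being trusted at all unless its sender holds the group key, while prefix screening catches the case the article describes under ILMI, where a legitimately connected port starts advertising addresses it was never provisioned for.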

Soft PVCs
A soft permanent virtual channel (PVC) is a popular feature on ATM switches. Soft PVCs allow carriers to offer PVCs with reliability without provisioning two separate PVCs. They are essentially switched virtual channels (SVCs) on the inside of the network and PVCs on the outside of the network. When a switch within the network fails, a new SVC is routed through the ATM cloud. Soft PVCs are vulnerable to ILMI and PNNI attacks and information can be rerouted. It is not uncommon for a carrier to offer PVCs that are in fact soft PVCs.

Internet Based Attacks
Many people are under the illusion that to attack an ATM network the attacker must have direct access to the ATM cloud. This, however, is not how most networks are compromised. Most networks are attacked, not from the attacker's home workstation, but from an already compromised network. Network hackers go after the weakest link in the chain. In the case of a hacker attacking an ATM network, he would most likely attack the network by accessing a poorly secured network on the Internet. From that vantage point he could then go after the compromised network's ATM intranet or extranet connections.

The illusion that one's data is protected because fewer people have access to ATM networks and those networks are expensive is just that, an illusion. Hackers would perceive the compromise of an ATM network as an attractive challenge. But don't think that hackers are the only attackers: government, commercial and organized crime can see the value of the information being carried across networks, especially volume backbones, which are typically ATM!
