Research Saturday 9.21.19
Ep 103 | 9.21.19
Leaky guest networks and covert channels.

Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution, enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything - all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Yossi Oren: [00:01:53] We were actually drawn to this research by the fact that there are many people, many organizations who will isolate their networks into two parts, using what's called the guest network on the routers.

Dave Bittner: [00:02:05] That's Dr. Yossi Oren from Ben-Gurion University. The research we're discussing today is titled, "Cross-Router Covert Channels."

Yossi Oren: [00:02:13] So this research was performed by my graduate student, Adar Ovadya. She was helped by Rom Ogen and Yakov Mallah. And these routers actually don't have two guest networks – they only have one network, and all the separation is done by software. We were curious to see whether this separation is actually effective. We were very, very worried that it's only partly isolated, and we actually discovered that, indeed, this software isolation doesn't work in practice.

Dave Bittner: [00:02:43] Well, let's go through together. I think many of us are familiar with how this works, but I think particularly when folks have home routers, they will set it up to have a guest network. What's going on in the router when you go through that setup?

Yossi Oren: [00:02:57] If you set up your router to have a guest network, it means that some of the computers that connect to this router can't see the other computers. They can go to the Internet, but they can't actually connect to other computers on your network. So even if they try to look for them or to scan for them, they won't be able to see. So if you have a device you really don't trust – maybe you bought a really cheap camera or a monitor or a sprinkler or something like that – and you really need it to connect to the cloud, but you don't want it to be hacking into your network, you would put this device on your guest network. And what happens that every time this router gets a network packet from this guest network, it won't send it over to the host network, which is where all your sensitive stuff is hiding. It will only send it to the Internet. This is at least how it's supposed to work.

Dave Bittner: [00:03:51] Hmm. And one of the things - the sort of foundational things that you're looking into here is this notion of covert channels. Can you describe to us – what is that about?

Yossi Oren: [00:04:03] So, a covert channel is a way for two parties – let's call them the sender and the receiver – to talk to each other when they're not actually supposed to be talking to each other. I think the most famous example we have is when you have students trying to chat with each other and they're not allowed to use chat software, so they use a game – let's say Words With Friends. They're both playing this game, but they're not actually playing this game. They're sending messages to the chat function of this game, or they're editing a draft document together and they're never actually sending it. So, this is an example where the school administrator is trying to stop you from sending data to each other.

Yossi Oren: [00:04:44] But you can also imagine that the router is trying to protect the guest network and the host network from communicating, so the router is going to look at all the traffic which is going across, and it's not going to let it across if it's between the hosts and the guest networks. So covert channel is a way of getting around this, and covert channels have been around ever since the ancient Greek times. There was, according to military history, in ancient Greek times, this general wanted to send a message, and he wanted to send the message in a way where nobody can detect who was sending the message. So what this general did, he shaved the head of one of his slaves, tattooed the message on the slave's head and then sent the – waited until the hair grew back and sent the slave with the message. And nobody actually thought, you know, if you would capture the slave and search him, you wouldn't find any message, but once the slave got to his destination, the guy who got the slave shaved the head of the slave and he could read the message. So, we're not shaving the head of any message in the network, but this is a way of hiding a message I want to send, and nobody will actually know I'm sending the message. So the router won't be able to block it.

Dave Bittner: [00:06:00] So within these routers, what opportunities for covert channels exist?

Yossi Oren: [00:06:05] So, there are two ways of sending data across a router without the router detecting it. One way is just looking for bugs in the router. So, the router is supposed to block all the traffic between the host and the guest network. What happens if the code of the router has a bug in it and this packet is not blocked? So we went over the big list of protocols that routers support, and we found three or four of these bugs in a lot of routers, actually. We found nine what's called CVE vulnerabilities, where the router is supposed to be blocking traffic and it's not. So, these are bugs.

Yossi Oren: [00:06:42] Another thing we can do is something which is a bit sneakier. And this is just taking advantage of the fact that these routers have really, really slow CPUs. They're, of course, very cheap devices. Their CPUs aren't so fast. So, if we overload these CPUs from the guest network, the router is going to be responding to traffic slower, and we can check from the guest network if the traffic is getting slower. If it's getting slow, it means they're actually trying to write something – we're trying to send a message. And if it's fast, it means we're not trying to send a message. So, I just gave you a very basic way of sending one bit across. And from this, you can build a way of sending entire messages.

Yossi Oren: [00:07:24] The thing about these, what we call timing-based covert channels, is that they're not bugs. It's very, very difficult to fix the timing-based covert channels without completely redesigning the hardware and the software of the router.

Dave Bittner: [00:07:37] Now, the first type of channel that you described – you say it was taking advantage of bugs. Were these bugs in the protocols themselves? Is that – so, in other words, it's not specific to any particular brand of router? Would it be available to you regardless of what brand you were attempting it on?

Yossi Oren: [00:07:59] So, some of these bugs were common between several routers. Some of them were not to be found in any router. We checked on a very expensive router, and these so-called direct covert channels were not there. But we found one of these in most of the routers we investigated.

Dave Bittner: [00:08:19] So overall, your ability to do this is widespread across many different brands?

Yossi Oren: [00:08:25] We didn't find a single router which doesn't have at least one kind of covert channel. This goes from the cheapest router to the newest and biggest and most expensive router we checked.

Dave Bittner: [00:08:36] Now, so, your abilities here to cross over from the guest network to the main network – how does that give you access to devices on the other network that you're trying to infiltrate?

Yossi Oren: [00:08:50] Okay, so I need everybody to calm down. We're not going to be able to hack into the network using this cross-router covert channel. What we will be able to do is communicate from one side of the network to the other. So, if I have two cooperating devices, let's say, for example, I have malware running on the guest network and I want to send a command to this malware, or I've spied on somebody from the host network and I want to leak it out through the guest network. Then these two devices can cooperate and send data to each other using this covert channel.

Yossi Oren: [00:09:31] So the two examples we gave in the paper are, one, I have this hidden, what's called a logic bomb or a Trojan horse inside my network, and an attacker just – let's say I bought a really cheap device, and this cheap device has some hidden functionality, and now the attacker wants to trigger this functionality, the attacker wants to turn it on, so the attacker can do this using a covert channel.

Yossi Oren: [00:09:58] And the other use case we discussed in our paper is that I have an implant which is spying on me. And now this implant found something really interesting – maybe they took a picture of me doing something sneaky or it got a health measurement which is going to be used against me. And now this implant wants to what's called exfiltrate this data. It wants to get it outside. And let's say this network is being monitored, so this cannot be done directly. But if this implant is using this cross-router covert channel, then it can exfiltrate this data without getting caught.

Dave Bittner: [00:10:29] I see. So it's a matter of having a method of communication between the two channels, but it's not as if the two channels were open to each other for direct digital sending of data back and forth the way we'd conventionally think about it.

Yossi Oren: [00:10:47] Yes. So I would need to have a foothold in at least one of the networks before I can do my sneaky stuff. But we've shown that there is an attack – and you can read the paper – it's called the CSRF-ARP attack, which allows you to do it with only a foothold on one of the networks, and the other network only needs a web browser to be open.

Dave Bittner: [00:11:11] How much would this sort of thing affect people in the enterprise space? Is this primarily hitting folks who have home routers, or should enterprise folks be worried about it as well?

Yossi Oren: [00:11:22] There are two kinds of enterprise which should be concerned. The first of them is small business offices – you know, doctors, lawyers, dentists – people who have their practices. And they have really small networks, and they have, you know, clients coming in. It's, you know, clients coming into a lawyer or people waiting in the waiting room of a dentist or of a small doctor, and these people use guest networks extensively. It's part of their business. And on the host network, they have really critical data for their work. So this situation will be very risky for these kinds of businesses.

Yossi Oren: [00:12:03] And another enterprise situation which is very risky is a hospital, actually. So, hospitals use a lot of medical devices, which are kind of IoT devices. You have connected heartbeat sensors and ECG systems and all sorts of infusions. And all of these devices are impossible to patch, because they're medical devices – you can't just go and connect your medical device to the Internet and update it. So, there is what's called the "Medical Device Isolation Architecture" which the Veterans Administration published. It says all of these medical devices are considered to be very, very prone to viruses and so on, so we're going to isolate them from the network. And so, when this isolation is done using what's called logical isolation, using the guest network and a host network. Then what we've shown is that these devices can still have access to the sensitive network they're trying to be isolated from.

Dave Bittner: [00:13:04] And what are your recommendations in terms of mitigation for people to protect themselves?

Yossi Oren: [00:13:09] My suggestion is a bit trivial. Routers are very, very cheap. I think in the US, the cost of cable for one month is about the cost of a router. So, I suggest if you really value this isolation, if you have very, very critical information on your host network, you should just spend fifty dollars and buy another router, and have this router for your guests or for your clients and so on. So physical isolation is the way to get around the problem.

Dave Bittner: [00:13:38] And for the average home user who's doing this, is this something of genuine concern or, I guess, how much of this is theoretical? How much do you expect folks could actually take advantage of this?

Yossi Oren: [00:13:52] So, the attack is very practical in that we demonstrated on all the routers we investigated. When you're trying to decide, do you want to spend extra money on protecting your network, you should make the rational decision, just when you decide whether to lock your door at night. What have I got to lose? If what you've got to lose is, you know, the high scores on your Xbox, maybe you don't want to do it. If what you've got to lose is all the backups of your dental practice, maybe you should spend a little extra.

Dave Bittner: [00:14:25] Our thanks to Dr. Yossi Oren from Ben-Gurion University for joining us. The research is titled, "Cross-Router Covert Channels." We'll have a link in the show notes.

Dave Bittner: [00:14:36] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:14:45] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:14:53] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.