China Hijack Raises Concerns for Internet Security

Reports have emerged about an event earlier this year when much of the Internet traffic from around the world was temporarily hijacked–rerouted through China Telecom. China Telecom claims the incident was an accident, but regardless of intent it demonstrates that the Internet itself can be hijacked, and raises concerns over how to prevent future occurrences.

McAfee’s Dmitri Alperovitch provides a detailed recounting of the incident in a blog post. “At 15:54 GMT on April 8, 2010, McAfee detected a routing announcement from China’s state-controlled telecommunications company, China Telecom, which advertised 15 percent of the world’s Internet routes. For at least the next 18 minutes, up until China Telecom withdrew the announcement, a significant portion of the world’s Internet traffic was redirected through China to reach its final destination. This included data from U.S. military and government networks, civilian organizations and U.S. allies such as South Korea, India and Australia. Commercial companies were also affected.”

Alperovitch continues, “What happened to the redirected traffic during those 18 minutes? That’s a great question but no one except China Telecom operators are in a position to answer it. E-mails, instant messages and VoIP calls could have been intercepted and logged, data could have also been changed as it was passing through the country as well. The possibilities are numerous and troubling, but definitive answers are unknown. It is also unclear whether the incident was deliberate. This is one of the biggest routing hijacks we have ever seen, and it could happen again since a number of major telecommunications companies routing a lot of Internet traffic have the same capability.”

Routing errors occur every so often, and are typically quite obvious and easily detected because data is unable to reach its intended destination. With this incident, though, China Telecom had the network infrastructure to absorb and reroute the traffic to its final destination–meaning end users did not see any indication that the connection was intercepted or hijacked other than perhaps a slight delay.

McAfee’s Alperovitch explains, “The incident took advantage of the vulnerabilities in the design of Internet’s fundamental building blocks, namely its routing protocols–vulnerabilities that were present in April and remain present today. Not only can this problem happen again, but it probably will. We have no way of knowing whether this event was done with malicious intent in mind or was an accidental failure as China Telecom operators have suggested, but it’s clear that with this capability demonstrated publicly, sooner or later someone will use it for nefarious purposes.”

If the rerouting of traffic was in fact intentional, this incident can be filed alongside the Stuxnet worm–malware that appears to have been developed specifically to compromise Iranian nuclear facility capabilities–as a new generation of cyber attacks with geo-political implications.

Even if neither the China Internet hijacking incident or the Stuxnet worm are truly state-sponsored attacks, they still illustrate what is possible for attackers with the skills and resources to pull it off.