Malware-based Information Leakage over IPSec Tunnels

ABSTRACT

IPSec-based protocols are often presented by practitioners of information security as an efficient solution to prevent attacks against data exchange. More generally, use of encryption to protect communication channels or to seclude sensitive networks is seen as the ultimate defence. Unfortunately, this confidence is illusory since such “armoured” protocols can be manipulated or corrupted by an attacker to leak information whenever an access is managed with simple user’s permission. In this paper, we present how an attacker and/or a malware can subvert and bypass IPSec-like protocols to leak data from the system under attack. By using a covert channel, we show how to code the information to be stolen, how to insert it in the legitimate encrypted traffic and finally collect/decode the information on the attacker’s side. We first present how to exploit the covert channel and to steal sensitive data without triggering any alert. Subsequently, the detailed results of extensive experiments to validate the attack techniques on an operational level are given. Finally, some potential prevention and protection techniques are presented to limit such attacks. However, this analysis demonstrates that residual weaknesses are bound to remain unless the communication protocols involved are significantly modified.


AUTHORS

Photo of Eric Filiol

ENSIBS Vannes,
France

Eric Filiol is an Associate Professor at ENSIBS, Vannes, an Associate Professor at CNAM, Paris, an associate professor at Moscow’s HSE University in the field of information and systems security and a senior consultant in cybersecurity and intelligence. He directed the research of the ESIEA group and its cybersecurity laboratory for 12 years. He spent 22 years in the French Army (Infantry/Marine Groups). He holds an engineering degree in cryptology, a doctorate in applied mathematics and computer science from the École Polytechnique and an authorisation to conduct research (HDR) in information from the University of Rennes. He holds several NATO intelligence certifications. He is the editor-in-chief of the Journal in Computer Virology and Hacking Techniques published by Springer. He regularly presents at international conferences in the field of security (Black Hat, CCC, CanSecWest, PacSec, Hack.lu, Brucon, H2HC...). He enjoys walking and hiking and playing the bass guitar (jazz).

Virology and Cryptology Laboratory, Army Signals Academy
France

Frédéric Jennequin is a researcher at the Virology and Cryptology Lab at the Army Signals Academy in Rennes, France. He holds an engineer diploma in computer security.

I.U.T de Saint Malo Université de Rennes I
France

Guillaume Delaunay is an undergraduate student in network security at the Dept. of Network and Communications of the University of Rennes.

Journal of Information Warfare

The definitive publication for the best and latest research and analysis on information warfare, information operations, and cyber crime. Available in traditional hard copy or online.

Quick Links

View the latest issue of JIW.

Latest Edition

Purchase a subscription to JIW.

Subscribe

Keywords

A

AI
APT

C

C2
C2S
CDX
CIA
CIP
CPS

D

DNS
DoD
DoS

I

IA
ICS

M

S

SOA

X

XRY

Quill Logo

The definitive publication for the best and latest research and analysis on information warfare, information operations, and cyber crime. Available in traditional hard copy or online.

SUBSCRIBE NOW

Get in touch

Registered Agent and Mailing Address

  • Journal of Information Warfare
  •  ArmisteadTEC
  • Dr Leigh Armistead, President
  • 1624 Wakefield Drive
  • Virginia Beach, VA 23455

 757.510.4574

 JIW@ArmisteadTec.com