Malware-based Information Leakage over IPSec Tunnels

ABSTRACT

IPSec-based protocols are often presented by information-security practitioners as an effective way to prevent attacks on data in transit. More generally, encrypting communication channels, or using encryption to seclude sensitive networks, is seen as the ultimate defence. This confidence is misplaced: such "armoured" protocols can be manipulated or corrupted by an attacker to leak information whenever the attacker holds nothing more than ordinary user permissions on an endpoint of the tunnel. In this paper we show how an attacker, or a piece of malware, can subvert and bypass IPSec-like protocols to leak data from the system under attack. Using a covert channel, we show how to encode the information to be stolen, how to insert it into the legitimate encrypted traffic, and finally how to collect and decode it on the attacker's side. We first present how the covert channel is exploited to steal sensitive data without triggering any alert. We then give the detailed results of extensive experiments that validate the attack techniques at an operational level. Finally, we present some prevention and protection techniques that limit such attacks. The analysis nevertheless shows that residual weaknesses are bound to remain unless the communication protocols involved are significantly modified.


AUTHORS

E.S.I.E.A Laval, France

Eric Filiol is the head of the (C+V)O Research Lab at ESIEA, France and a senior consultant in offensive cyber security and intelligence. He spent 22 years in the French Army (Infantry/Marine Corps). He holds an Engineer diploma in cryptology, a doctorate in applied mathematics and computer science, and a Habilitation Thesis in computer science. He also graduated from NATO in InfoOps. He is the editor-in-chief of the Journal in Computer Virology and has been a speaker at international security events including Black Hat, CCC, CanSecWest, PacSec, Hack.lu, Brucon, and H2HC.

Virology and Cryptology Laboratory, Army Signals Academy, France

Frédéric Jennequin is a researcher at the Virology and Cryptology Lab at the Army Signals Academy in Rennes, France. He holds an engineer diploma in computer security.

I.U.T. de Saint-Malo, Université de Rennes I, France

Guillaume Delaunay is an undergraduate student in network security at the Dept. of Network and Communications of the University of Rennes.

Journal of Information Warfare

