At the backbone of all Internet traffic are the carrier networks, with their own networking protocols like MPLS (define), BGP (define) and Carrier Ethernet.

While carrier networks have faced threats like denial-of-service attacks in the past, they've generally been seen as relatively protected. As a result, security researchers typically have not focused on rooting out weaknesses in their systems.

That's now about to change, with security researchers Enno Rey and Daniel Mende claiming that they can highlight areas in which carrier networks are vulnerable to attack.

And they're willing to prove their conclusions before the security community when they release their findings at the Black Hat Europe conference in April.

The likelihood for carrier networks to come under attack could signal the creation of a new area of security risk and research for the IT industry, at a time when carrier network traffic is growing at a rapid rate.

During a Webcast on Thursday discussing his upcoming presentation, Rey noted that BGP, MPLS and Carrier Ethernet security all depend on a dangerous trust model.

"Within all those technologies, it's like you're part of some old boys club, where once you're in, you can do all kinds of nasty stuff," Rey said. "They can't be attacked from an Internet perspective, [but] once you belong to the network, it's easy to perform all kinds of disastrous attacks. So far, most of these attacks have been purely regarded as purely theoretical."

One of the theoretical attacks that Rey said he plans on discussing is directly related to the carrier networks' use of MD5 cryptography within their network protocols. MD5 has been criticized on the enterprise side as being vulnerable to attack. Even so, Rey claimed that in his view MD5 is used by at least 40 percent of global carriers in their networks.

"The security impact of MD5 might be debatable, but it's not about MD5," Rey said. "The main problem is once you are somehow part of the club, the MD5 won't help you ... we can brute-force it quickly."

Beyond MD5, Rey noted that carriers are also prone to traffic interference, and has created a tool to demonstrate the flaw. "We have written a tool that can interfere at a given point and inject traffic, redirect traffic and do all kinds of stuff," he said.

For example, Rey said a carrier network with a site in Seattle and one in Washington, D.C. could be susceptible to an attack that could inject another site into the network at an arbitrary location.

So what should carrier network operator do to mitigate the risks?

Rey argued that he believes in full disclosure of security issues, but claimed that to date, the network operators have not seen the issues he's talking about as a problem.

"They say, 'We keep intruders outside of the network, so no one could ever perform this,'" Rey said. "But once that assumption is broken, it will be quite difficult to keep this under wraps."

He noted that carrier networks could do monitoring of their internal networks to try and identify threats, though he said it's not clear whether current methods would be sufficient to track attackers using tools like the one he developed.

Making the matter even more complex, Rey said that the vulnerabilities are not specific to any one hardware vendor. Instead, they're inherent in the protocols themselves, he said -- making the next steps for fixing the security risk even less clear.

This article was first published on