Security Implications of the End of Net Neutrality

Internet Traffic Modifications by ISPs After the Decision to End Net Neutrality Create a Huge Potential Attack Surface

A huge amount of ink has been spilled over the FCC decision to roll back Net Neutrality rules.

Many articles analyze which businesses will benefit and which will be harmed by the change, while others look at it from a political perspective. It is critical that we also understand the security implications of changes Internet Service Providers (ISPs) are likely to make under this deregulation.

As a general principle, Net Neutrality holds that the internet should be a passive conduit for data between any endpoints. It should not make any difference to a carrier who is initiating the connection and what service they are using. It is similar to the way utilities provide their services. My water company has no control over what I choose to do with my water, only metering how much of it I use. Before the breakup of AT&T, customers were only allowed to attach AT&T-provided phone hardware to their lines. Now anything that meets the standards can be hooked up and is treated equally by the network.

The FCC decision ending net neutrality re-categorizes ISPs from being telecommunication systems governed by Title II, to being information services under Title I. As telecommunication systems, ISPs were prohibited from blocking, throttling, or providing paid prioritization. As information services, which create, modify, store, or make information available, none of these restrictions apply. As important as the regulatory change is the signal this sends to the ISPs. The administration is clearly articulating a much more hands-off policy towards ISPs. This signaling is likely to embolden them to take actions which are unpopular but had not been banned by the Title II rules.

ISPs have a long history of blocking, slowing, or modifying internet activity for their own business purposes. Some examples are:

● 2004 – Madison River Communications blocked VoIP traffic to protect their own landline phone business

● 2007 – Comcast is sued for causing BitTorrent connections to disconnect and lying about doing so

● 2008 – Comcast imposes data caps but exempts its own streaming service on Xbox

● 2012 – AT&T blocks Apple FaceTime unless the customer is on a premium plan

● 2013 – Comcast injects JavaScript code into web pages as they flow through its servers

This kind of behavior slowed significantly when net neutrality was implemented in 2015.

With the removal of the restrictions, it is likely that ISPs will start these kinds of activities again. They are likely to create fast and slow lanes, making the net pay to play for content providers. They could implement user fees to access certain services, creating access fees for consumers. And, they could outright block or censor certain content. All of these changes would be phased in slowly to avoid a huge public backlash. 

So, what are the security implications of these changes? All of these traffic modification systems are a potential attack surface. For example, a hacker could create a denial of service by tricking major ISPs into blocking data to or from certain domains. Systems that inject benign code into pages could be retasked to inject malware. All this also adds significant complexity to the system, which always brings with it new vulnerabilities.

A common reaction is to call for the widespread use of VPNs to prevent ISPs from seeing the destination or contents of internet traffic. If the ISP can’t tell what website or service you are visiting, then they can’t prioritize traffic on that basis. The VPN’s encryption also effectively prevents content inspection or modification. 

However, the use of VPNs is not a perfect solution. Patterns in the traffic can reveal the type of connection running within the VPN. Video, VoIP, websites, and P2P file sharing all have very different signatures that are clearly visible even through the encryption. Additionally, it is obvious to the ISP that you are using a VPN, which could be used as the basis for traffic slowing or blocking. This is already happening with many paid Wi-Fi services, like at hotels, where a connection that supports VPNs is significantly more expensive than the basic service.

Widespread adoption of anti-VPN policies would bring significant backlash, particularly from the business community which relies heavily on them for secure remote work and telecommuting.

The dangers of code injection also show the importance of universal adoption of TLS / HTTPS on all websites and services. Universal adoption of end-to-end encryption makes such injection virtually impossible and also prevents content-based filtering or prioritization.

All this might be less concerning if there were real competition in the home broadband market. In that case ISPs could compete, in part, on their privacy and security policies / practices. Unfortunately, most households in the US have only one realistic option for broadband service.

It is impossible to know in advance exactly what ISPs will do under the new regulatory regime, but it is clear that there are significant potential risks. As security practitioners, it is critical that we do what we can to mitigate risks to our own organizations and watch closely for new vulnerabilities and attack surfaces.
