Students working in the Department of Computer and Information Technology have discovered “Ring-Road,” a software bug which could make it easier for hackers to breach popular services like Google’s Gmail.
While examining a security protocol designed to increase speed and performance of Internet applications, students working with John Springer, associate professor of computer and information technology, and Melissa Dark, W.C. Furnas professor of computer and information technology, discovered that they could determine the length of encrypted transmissions. This represents a vulnerability even if one does not have the encryption key, said Springer.
“If you know how long the encrypted data is, you’re much more likely to know what the unencrypted data looks like,” Springer said. “It provides a potential way to get around the built-in security used online in products and services such as Cisco’s virtual private network (VPN), sites like Gmail, and Google’s Chrome browser.”
Under the direction of Springer and Dark, the student team was examining a Cisco VPN product to determine if it were possible to derive any intelligence from the encrypted data sent through it. Cisco uses a security protocol developed by Google named QUIC, or Quick UDP Internet Connections. During the encryption process, random characters are usually added to the beginning, middle, or end of data to disguise the original data’s true length, Springer said. The team realized that QUIC fails to pad the data, potentially allowing eavesdroppers to discover the exact length of encrypted data which could include passwords.
The students named the bug “Ring-Road” because knowing the length of a password could provide a shortcut for hackers, Springer said.
Data breaches at Internet service company Yahoo in 2013 and 2014 exposed the passwords of over 1.5 billion users. “With those breaches, you have a substantial repository of commonly used passwords,” Springer said. “A hacker could use the Ring-Road bug to determine your password is 10 characters long, for example, and then use all of Yahoo’s 10-character passwords to try to access your accounts.”
Hackers could scale their attempts to crack into Google Gmail accounts or other popular services by writing software which automates login attempts.
“Given the quantity of users on Gmail, even a 10% accuracy rate could give you access to millions of accounts,” Springer said.
After a certain number of bad login attempts, Google employs CAPTCHA, a challenge-response test designed to determine if the user is human. “But there are ways out there to automate the CAPTCHA challenge to continue trying to breach the account,” said Springer.
Springer and the student team are conducting this research as part of an INSuRE (Information Security Research and Education) project. INSuRE, a National Science Foundation-funded partnership of 14 universities, the National Security Agency, the Department of Homeland Security, and other federal agencies, brings both classified and unclassified research problems in cybersecurity to the participating universities. The projects provide opportunities for student teams to work on real-world problems while benefitting from guidance by government scientists and interdisciplinary faculty at several institutions.
“INSuRE provides great opportunities for our students,” Springer said. “As faculty, we set up the active learning environment and serve as mentors, but the credit for the Ring-Road discovery really goes to the students.”
Purdue’s participation in INSuRE also helps the process of discovering solutions to cybersecurity-related problems move more quickly.
“We want to be agile,” said Springer. “We still need to worry about vulnerabilities in our traditional networks of computers and servers. But with today’s Internet of Things, the attack surface includes smart phones, devices hooked up to wireless networks, cameras, and more. In cybersecurity, you can’t wait for years to conduct research and publish results. INSuRE provides a way for us to test problems and suggest solutions within a semester.”