lolloj - Fotolia
Technology found in white box switches used in software-defined networking (SDN) has flaws that hackers can exploit to severely damage corporate networks, a security researcher reported.
The discovery, presented this week at the Black Hat conference in Las Vegas, demonstrates that some SDN technology contains enormous security risks that have not been adequately addressed by technology providers.
"Their [vendors'] main focus right now is getting to market," Gregory Pickett, founder and head of cybersecurity operations at Hellfire Security, said before giving the Black Hat presentation. "The security they'll get in later." Hellfire is a Chicago-based managed security provider.
Pickett developed malware that could use any of three open network operating systems (NOS) to reach the switch's Open Network Install Environment (ONIE). ONIE is open source firmware that lets companies install the Linux-based NOS of their choice. Within SDN architectures, the switch OS executes traffic instructions from a controller running on a server.
The operating systems included Big Switch Networks Inc.'s Switch Light, Cumulus Networks Inc.'s Cumulus Linux and Mellanox Technologies Ltd.'s MLNX-OS.
Compromising a switch would let a hacker monitor traffic flowing through the device, according to Pickett. An attacker could also take down the switch or the whole network.
Attacking a switch OS
To get Pickett's malware inside a network, a hacker would hide it in an email attachment. If an administrator opened the file, the malware would enter the network through the management system on his workstation.
After finding a vulnerable switch, the malware -- Big Brother -- would install a secondary virus -- Little Brother -- which compromises the ONIE firmware. This bit of code would establish an Internet connection with the hacker's command-and-control server. At that point, more advanced malware would be downloaded and installed on the switch.
Cumulus Networks released a fix for the security flaw in its OS July 31. Nolan Leake, chief technology officer at Cumulus, based in Mountain View, Calif., said in a blog that the firmware defect Pickett exploited is in all switches, including proprietary switches and open hardware that use ONIE. "The vulnerability is not specific to software-defined or open networking," he said.
Pickett said he found that ONIE and network operating systems in general lack basic security features to prevent such an attack. The missing safeguards include authentication, encryption, and controls to prevent unauthorized access to hardware or to stop the malware from gaining permission to perform administrator tasks on the network.
Pickett believes SDN product developers are leaving it up to companies using the technology to install the intrusion detection systems, firewalls and other security devices to neutralize a Big Brother-like attack.
Building tighter security in the ONIE and NOS, for example, would make the technologies more difficult to use. As a result, potential customers would be "turned off by what is perceived as an obstacle," Pickett said.
Security an 'afterthought'
Developers of open SDN controllers and operating systems have prioritized capabilities over security because the former is what sells products, said Rohit Mehra, analyst at Framingham, Mass.-based IDC.
"The driver has been feature functions and providing true operational benefits, obviously with security somewhat as an afterthought," Mehra said.
The potential damage from inadequate security will grow, as SDN technology matures and is adopted by mainstream enterprises, such as manufacturers and large retailers. These industries often have less sophisticated IT departments than the primary SDN users today, which include telecommunication companies, large cloud service providers and Wall Street financial institutions.
"The open network vendors will have to tighten the screws, figuratively speaking, to ensure that they minimize any such holes in their platforms," Mehra said
Pickett finds a parallel between today's open NOS providers and Windows before Microsoft made security a top priority about a dozen years ago. "Microsoft learned its lesson, and now it's their turn," he said.
The basics of white box switches
Bare-metal switches becoming mainstream
Why bare-metal switches are shaking up networking
SDN security and integrity not quite proven yet
Gartner weighs in on SDN security risks