China Telecom Internet Redirect Could Happen Again, Experts Say

Security experts said it is unclear whether an incident that redirected untold Internet traffic through China Telecom servers in April was intentional or malicious, but could happen again due to a fundamental flaw in the way the Internet handles communication.

The incident gained attention Wednesday after a Congressional report was issued indicating that an undetermined portion of the world's Internet traffic traveling on 15 percent of the world's Internet destinations was redirected through Chinese servers for about 18 minutes in April before reaching its intended destination.

In the U.S.-China Economic and Security Review Commission's 2010 Annual Report to Congress, members of the U.S. government claimed that China Telecom "compromised the integrity of supposedly secure, encrypted sessions."

The redirect was theoretically triggered due to a routing error that instructed Internet traffic to flow through its China Telecom's servers as the most direct route to its destinations.

China Telecom, a state run telecom organization, has since denied the allegations in a statement but offered no additional details. Subsequently, it is unclear whether it was denying that the redirect was intentional or denying that it occurred at all.

Included in the alleged Internet traffic hijacking was confidential data traveling over networks of the U.S. military and government, such as the U.S. Senate, NASA and U.S. Secretary of Defense, as well as NGOs, multinational corporations, and U.S. allies such as South Korea, India and Australia.

In addition, e-mails, instant messages and VoIP calls, could also have been intercepted and logged, and even altered as they were en route to its final destination.

Details such as motivations behind the redirect, whether or not the traffic was intentionally rerouted, or whether any sensitive information was accessed are still unclear, leaving a wide open playing field for speculation.

Experts say that a worst case scenario could have resulted in eavesdropping, Web traffic modification or communications being cut off altogether, among other things.

"Essentially anyone that controls those root certificates can execute a man in the middle attack or break of the encryption that would have occurred, look inside and re-encrypt it with their own keys," said Dmitri Alperovitch, vice president of threat research at McAfee. "The recipient of the data would not know that anything happened."

Thus far, there is no evidence that the information was tampered with or harvested, and the U.S. government has emphasized that they were unable to tell whether the rerouted Web data was used for nefarious purposes.

Next: China Telecom Redirect Could Be Repeated

Alperovitch said the massive redirect would have resulted in some Internet latency on April 8 when it occurred. However, other than that, it was unlikely that users would have noticed the event because eventually all Web traffic reached its intended destination.

Meanwhile, the incident couldn't technically be considered -- or treated as -- a cyberattack, due to the fact that Web sites weren't hacked, defaced or shut down, he said.

However, the event could potentially be repeated, due to the fact that numerous other software makers and telecoms have similar capabilities, he said. "Not only can this problem happen again, but it probably will," Alperovitch said.

Dozens of software makers and telecoms embed root certificates into Web browsers and operating systems, all of which have the capability of intercepting Web communications. Most of the time, the communication will travel over the intended network to reach the desired user or users. However, every once in a while, a glitch occurs in which e-mails, Web traffic or other communication goes through unintended servers, or is disrupted in some way, before reaching its final destination.

The China Telecom incident differed from others in that no observable disruption to the data occurred.

"Routing hijacks accidentally happen a few times a year, but this incident differs because China Telecom was able to absorb large amounts of the data and send it back out to its proper destination without any obvious disruption to service," Alperovitch said.

"Very few people realize just how weak the foundation of the Internet is," he added. "It's all based on trust. You implicitly trust what everybody says. "