Multipath TCP Introduces Security Blind Spot

A talk at Black Hat will expose security weaknesses introduced by multipath TCP, extensions to TCP that bring resilience and efficiency to networking.

If multipath TCP is the next big thing to bring resilience and efficiency to networking, then there are some serious security issues to address before it goes mainstream.

MPTCP is an extension to the Internet’s primary communication protocol. It allows a TCP session to move over multiple connections and network providers to the same destination. Should one drop, the session seamlessly moves to its second, backup connection, keeping phone calls or Internet sessions alive.

Right now, multipath TCP is not deployed on Windows machines or in the mainstream Linux kernel, for example. Apple iOS devices have it, but for now, Siri is the only function to make use of it. Networking giants such as Cisco and Juniper, however, are starting to deploy it in networking gear.

At next week’s Black Hat conference in Las Vegas, two researchers from Neohapsis hope their talk on MPTCP’s security shortcomings will urge the industry to address the security implications before the technology is rolled out and causes a major shift for which no one is ready.

“It solves big problems we have today in an elegant fashion,” said Catherine Pearce, security consultant and one of the presenters, along with Patrick Thomas. “You don’t have to replace hardware or software; it handles all that stuff behind the scenes. But security tools are naïve [to MPTCP], and make assumptions that are no longer valid that were valid in the past.”

Pearce said the extensions cause three fundamental security shifts for traditional intrusion detection, intrusion prevention and other security gear. First, the way the protocol reroutes traffic on the fly and changes network addresses during a connection leaves detection technologies blind to traffic. Security gear, Pearce said, cannot correlate and reassemble traffic as it is split over multiple streams.

Trust models users and networks have fostered with Internet providers are also changed—and in some cases broken. On the other hand, providers will no longer be able to sniff traffic—under court order, for example—unless they work hand in hand with the other providers handling the split traffic sessions.

“Technology like MPTCP makes it much harder for surveillance states,” Pearce said. “If I split traffic across my cell provider and an ISP I may not trust, in order for a surveillance state to snoop they have to collaborate with all these parties. It’s a much harder proposition.”

Finally, Pearce said, there will be ambiguity for firewalls about what incoming and outgoing traffic looks like. She said that MPTCP enables endpoints to tell servers there are other addresses to which the server may connect, but the firewall may not necessarily interpret that as an outgoing connection.
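The two blind spots above (subflows that security gear cannot tie back to one session, and address advertisements a firewall does not recognise) can be reduced by correlating the MPTCP TCP option itself. The following is an added example, not code from the article or from the Neohapsis research: a small Python correlator for MPTCP v0 as specified in RFC 6824, where the option has TCP kind 30, MP_CAPABLE carries an 8-byte key, and an MP_JOIN SYN carries the peer's token, which is the most significant 32 bits of SHA-1 over that key. The option bytes, connection ids and keys are constructed sample data.

```python
import hashlib

MPTCP_KIND = 30                      # TCP option kind for MPTCP (RFC 6824)
MP_CAPABLE, MP_JOIN, ADD_ADDR = 0, 1, 3   # option subtypes (high nibble of 3rd byte)

def parse_tcp_options(opts):
    """Yield (kind, payload) for each option in a raw TCP options field."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                # EOL: nothing more to parse
            break
        if kind == 1:                # NOP padding, single byte
            i += 1
            continue
        length = opts[i + 1]
        yield kind, opts[i + 2:i + length]
        i += length

def mptcp_token(key):
    """RFC 6824 token: most significant 32 bits of SHA-1(key)."""
    return hashlib.sha1(key).digest()[:4]

class SubflowCorrelator:
    """Map MP_JOIN subflows back to the connection whose key announced them."""
    def __init__(self):
        self.by_token = {}           # token -> id of the first (MP_CAPABLE) subflow

    def observe(self, conn_id, opts):
        events = []
        for kind, payload in parse_tcp_options(opts):
            if kind != MPTCP_KIND:
                continue
            subtype = payload[0] >> 4
            if subtype == MP_CAPABLE and len(payload) >= 10:
                self.by_token[mptcp_token(payload[2:10])] = conn_id
                events.append(("MP_CAPABLE", conn_id))
            elif subtype == MP_JOIN and len(payload) == 10:
                # None means: a subflow joined a session this sensor never saw
                events.append(("MP_JOIN", self.by_token.get(payload[2:6])))
            elif subtype == ADD_ADDR:
                # the endpoint is advertising another address the peer may connect to
                events.append(("ADD_ADDR", conn_id))
        return events

KEY_A = bytes.fromhex("0102030405060708")    # constructed client key
KEY_B = bytes.fromhex("1112131415161718")    # constructed server key
SYN_A = bytes([30, 12, 0x00, 0x81]) + KEY_A          # MP_CAPABLE in SYN
SYNACK_A = bytes([30, 12, 0x00, 0x81]) + KEY_B       # MP_CAPABLE in SYN/ACK
JOIN_B = bytes([30, 12, 0x10, 0x01]) + mptcp_token(KEY_B) + b"\xde\xad\xbe\xef"
JOIN_X = bytes([30, 12, 0x10, 0x02]) + b"\x00\x00\x00\x00" + b"\xca\xfe\xba\xbe"

def demo():
    c = SubflowCorrelator()
    c.observe("A", b"\x02\x04\x05\xb4" + SYN_A)      # MSS option, then MP_CAPABLE
    c.observe("A", SYNACK_A)
    return c.observe("B", b"\x01\x01" + JOIN_B) + c.observe("X", JOIN_X)
```

MPTCP v1 (RFC 8684) moves the client key out of the SYN, so a sensor for that version must take the keys from the later MP_CAPABLE segments instead.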

“You’re going to be dealing with architectural shifts that force you to solve problems in a different way,” Pearce said. “MPTCP is small now, but it’s gaining momentum. It will be in a lot of venues and have a lot of vendors’ support. My focus will be to try to make sure the security industry keeps up with protocol development and secures it properly. It’s not about marketing something for the next three months.”

Pearce concedes that attacks exploiting weaknesses caused by MPTCP are not practical yet, but cautions that there are serious privacy implications on the horizon as well as a shift forcing more protection toward the endpoint, wresting control away from network providers.

“Current security presumes that if I can see traffic, I can understand it,” Pearce said. “If I control a server at either end of a session, I can use it to evade IDS or provide resilient connections if a defender locks me out. It changes things quite a bit.”

  • Mark S

    Worked that out a year ago. Sky isn't falling.
    • LaughingSkeptic

      Nice presentation (The_Rapid_Rise_of_the_MMHH). I have an answer to your "Any point to VPNs?" question: A BIG YES. VPNs protect the endpoint from malicious content, which is a much bigger worry for most endpoint users than all of the rest of the issues in your slides combined. Anti-virus software's success rates are in rapid decline, while services like OpenDNS and Google DNS provide ever more protection from bad content. Between these, there is a huge role for VPNs to play.
      • Mark S

        How do VPNs protect the endpoint from malicious content? VPNs don't perform any form of traffic inspection or any other form of security policy enforcement. All they basically do is allow you to create a virtual network with flexible boundaries over a physical network. Other devices, such as network firewalls or IDSes, installed in parallel with VPNs might try to do that, but they're middleboxes, and I'm sure you've seen the slides about how effective they might be in the presence of encryption and multipathing. You might be thinking that a VPN allows you to create a choke point between the Internet and the rest of the trusted network. That would only be true for a corporate VPN service (e.g., an MPLS-based IP-VPN). The trouble is, mobile devices physically violate that boundary, allowing malicious software to easily cross the VPN boundary. For example, do you let the CEO take home their laptop and use it, and how do you know their home network is as secure as the corporate IP-VPN?
