In the early 1990s, dial-up internet service providers needed a way to authenticate users. A way that was flexible, hardware-agnostic, lightweight, and extensible. RADIUS, a protocol proposed by a little-known networking firm, Livingston Enterprises, fit the bill. And extensible it was, for, three decades later, that same system with few modifications still underpins hundreds of thousands of wireless and mobile networks across the world. It’s also a far-reaching, global cybersecurity liability.
RADIUS, short for Remote Authentication Dial-In User Service, sits at the core of network infrastructures worldwide and enables centralized remote logins for users and admins to the devices on it. Although most people may never hear of it, it’s close to everywhere, from home fiber connections to Wi-Fi authentication, cellular networks, and more. It even keeps critical services like fire and rescue systems running.
Yet, RADIUS has remained largely stuck in time. The key to its omnipresence has been its functional simplicity, much of which hasn’t changed in years. Once a RADIUS client (the network access server: a Wi-Fi controller, VPN gateway, switch, or router) receives a login attempt from a user, all it does is forward an Access-Request to the RADIUS server, which checks the credentials against its user directory and answers with an Access-Accept or an Access-Reject. Over UDP, the only thing that ties that answer to the request is a 16-byte authenticator derived from MD5 and the shared secret. But now, this seemingly rudimentary mechanism is proving to be a grave weakness for enterprises.
A Ticking Cybersec Bomb
Last month, a group of researchers disclosed a vulnerability in RADIUS that allows an on-path attacker to take over a network’s logins within minutes. Termed Blast-RADIUS, it is a weakness that has been latent in the protocol since its design decades ago. The vulnerability, which rates 7.5 out of 10 on the CVSS severity scale, exploits the protocol’s reliance on the MD5 cryptographic hash function, a famously broken algorithm, to authenticate the server’s responses.
“The core of the RADIUS protocol predates modern secure cryptographic design,” the researchers wrote in the paper. The premise of the Blast-RADIUS proof-of-concept is straightforward. It builds on the MD5 collision attacks first demonstrated back in 2004 (in the stronger chosen-prefix form), even though MD5 is still the basis of RADIUS’s response check. The attack allows a man-in-the-middle adversary to turn a RADIUS server’s Access-Reject into an Access-Accept that the client verifies as genuine, without ever learning the shared secret. Any device that relies on that RADIUS server for its login decisions will then admit the attacker.
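The request/response flow described above, the MD5-based Response Authenticator the attack targets, and the keyed Message-Authenticator check that the vendor fixes make mandatory, as an added example. This is not code from the article, the Blast-RADIUS paper, or any RADIUS implementation; the shared secret, the user allow-list, and the packet contents are constructed for illustration, and a real collision is not computed: the `forge_accept` helper stands in for a successful collision by producing an Accept whose Response Authenticator validates, which the real attack achieves through the MD5 collision instead of through knowledge of the secret.

```python
"""RADIUS authenticator demo: RFC 2865 Response Authenticator next to the
RFC 2869 Message-Authenticator. Added example, not code from the article or
any RADIUS implementation; secret, user list and packets are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80         # RFC 2869 s.5.14
SECRET = b"constructed-shared-secret"   # constructed for the demo

def tlv(attr_type, value):
    """One attribute as Type | Length | Value; Length counts all three."""
    return bytes([attr_type, len(value) + 2]) + value

def build_packet(code, ident, authenticator, attrs):
    """Header is Code(1) | Identifier(1) | Length(2) | Authenticator(16)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    Everything before Secret is on the wire and echoed attributes (Proxy-State)
    are attacker-influenced, so one MD5 chosen-prefix collision between a
    Reject prefix and an Accept prefix yields a digest valid for both."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def message_authenticator(code, ident, request_auth, attrs_zeroed_ma, secret):
    """HMAC-MD5 keyed with the secret over the packet (RequestAuth in the header,
    Message-Authenticator value zeroed). A keyed MAC is not broken by collisions."""
    pkt = build_packet(code, ident, request_auth, attrs_zeroed_ma)
    return hmac.new(secret, pkt, hashlib.md5).digest()

def seal(code, ident, request_auth, other_attrs, secret):
    """Message-Authenticator first; responses also get a Response Authenticator."""
    zeroed = tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)) + other_attrs
    mac = message_authenticator(code, ident, request_auth, zeroed, secret)
    attrs = tlv(ATTR_MESSAGE_AUTHENTICATOR, mac) + other_attrs
    if code == ACCESS_REQUEST:
        header_auth = request_auth
    else:
        header_auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return build_packet(code, ident, header_auth, attrs)

def find_attr(packet, attr_type):
    """(offset, value) of the first attribute of attr_type, or None."""
    i = 20
    while i + 2 <= len(packet):
        t, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        if t == attr_type:
            return i, packet[i + 2:i + alen]
        i += alen
    return None

def server_handle(request, secret, allowed_users):
    """Toy server: Accept if User-Name is on the constructed allow-list."""
    ident, request_auth = request[1], request[4:20]
    user = find_attr(request, ATTR_USER_NAME)
    verdict = ACCESS_ACCEPT if user and user[1] in allowed_users else ACCESS_REJECT
    return seal(verdict, ident, request_auth, b"", secret)

def client_verify(response, request_auth, secret, require_message_auth=True):
    """Return the Code if the response is authentic, else None.
    require_message_auth=False is the pre-Blast-RADIUS client behaviour."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return None
    attrs = response[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None                      # legacy check: collision-dependent
    if not require_message_auth:
        return code
    found = find_attr(response, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        return None                      # hardened clients reject its absence
    off = found[0] - 20
    zeroed = attrs[:off + 2] + bytes(16) + attrs[off + 18:]
    mac = message_authenticator(code, ident, request_auth, zeroed, secret)
    return code if hmac.compare_digest(mac, found[1]) else None

def forge_accept(reject, request_auth, secret):
    """Stand-in for a successful collision: an Accept whose Response Authenticator
    validates. Cheats with the secret; Blast-RADIUS gets here via MD5 instead."""
    ident, attrs = reject[1], reject[20:]
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, attrs)

def demo(secret=SECRET):
    ident, request_auth = 7, os.urandom(16)
    request = seal(ACCESS_REQUEST, ident, request_auth, tlv(ATTR_USER_NAME, b"mallory"), secret)
    reject = server_handle(request, secret, allowed_users={b"alice"})
    naive = bytes([ACCESS_ACCEPT]) + reject[1:]        # flip the Code byte only
    collided = forge_accept(reject, request_auth, secret)
    return {
        "genuine": client_verify(reject, request_auth, secret),
        "naive_flip": client_verify(naive, request_auth, secret, require_message_auth=False),
        "collided_legacy": client_verify(collided, request_auth, secret, require_message_auth=False),
        "collided_hardened": client_verify(collided, request_auth, secret),
    }
```

Running `demo()` shows the three states that matter: the genuine Reject verifies; a naive Code flip fails the legacy check, which is why the attacker needs the collision in the first place; and once the collision is assumed to have succeeded, the legacy client accepts the forged Accept while a client that insists on Message-Authenticator still rejects it, because the HMAC is keyed with the secret and covers the Code byte. Note that this protection only holds if the client demands the attribute; a server that adds it while clients keep ignoring its absence gains nothing.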
“You lock your office doors to protect business assets, but without RADIUS-authenticated users, everyone has open access to your network, and no keys are required,” said Alan DeKok, CEO of InkBridge Networks, a champion of the RADIUS protocol.
While Nadia Heninger, a computer science professor at the University of California, San Diego, and one of the Blast-RADIUS study’s authors, agrees the attack is not within the capabilities of unsophisticated attackers like script-kiddies, it is “something that would be eminently feasible for sophisticated adversaries like governments.”
Too Little, Too Late
Although the RADIUS protocol has been steadily updated over the past three decades, it’s still insecure, adds Dr. Heninger. On top of that, “there has been very little research on RADIUS,” she told Access Point Consulting.
Since the Blast-RADIUS discovery was made public, vendors have rolled out firmware updates that protect devices against the attack, in practice by requiring the HMAC-based Message-Authenticator attribute in every packet. The check only helps once both the server and the clients enforce it, and these patches are no more than short-term band-aids. Long term, organizations will need to phase out RADIUS/UDP traffic and switch to RADIUS over TLS (or DTLS) wherever possible in their networks.
Unfortunately, some RADIUS implementations, such as the one from Microsoft, have yet to support RADIUS over TLS. Therefore, it’s imperative for enterprises to evaluate the applications they are using and their current infrastructure in order to deliberately choose appropriate protocols for specific scenarios, suggests Anthony Rivera, the Chief Information Officer at Access Point Consulting.
Apart from RADIUS over TLS and RADIUS/DTLS, adds Rivera, there are various other authentication methods available, such as TACACS+, LDAP, Kerberos, OAuth2, and SAML.
The Need for a Collective Overhaul
More importantly, the Blast-RADIUS incident is a wake-up call for the cybersecurity industry, regulatory bodies, and enterprises to urgently transition to modern, more secure standards and protocols. One analysis found that more than half of security vulnerabilities in corporate networks are from 2016 or earlier, despite available patches. Similarly, ninety-one percent of codebases contained components that were ten or more versions out-of-date. Late last year, for example, the health records of millions of patients were compromised online due to a decades-old protocol bug.
In the White House’s latest report on the United States’ cybersecurity posture, it too outlined the need to move on from legacy architectures. From outdated mobile networks to routing methodologies, these continue to be susceptible to traffic hijacking and manipulation. Earlier this year, the FCC, at long last, began to crack down on aging vulnerabilities in the Signaling System No. 7 (SS7) and Diameter protocols, which jointly carry phone calls and text messages across networks.
Moving on, however, is easier said than done. The need for backward compatibility and interoperability typically prevents the adoption of modern cryptographic protocols, says Dr. Heninger. Modern networking relies on a complex stack of protocols and by design, simple and insecure ones are often the easiest ways for infrastructure to be interoperable.
But as in the case of the Internet Protocol, the industry should focus on adding security guarantees and cryptography at other layers of the network that are easier to update or keep compatible, such as the application layer, Dr. Heninger told Access Point Consulting, and a holistic attempt to adopt RADIUS’s designated successor, Diameter, is long overdue.
That said, balancing the ever-present tension between keeping services running and building a modern, future-proof environment will always be a challenge for organizations. In order to avoid drowning in technical debt, recommends Rivera, find and engage professionals with the expertise to help move your organization forward safely.