Getting Rid of the Man-in-the-Middle
A Critique of “Man-in-the-Middle Attacks on Auto-Updating Software”
Abby Slattery
Student Research Paper
CPSC 5157G – Computer Networks – Summer 2010
University of Columbus, Columbus, GA
Abstract—Automatic software updates, in the form of executable files, are vulnerable to man-in-the-middle (MITM) attacks during the update process. These attacks place the user’s system at risk and can affect the performance of the software as well. These MITM attacks occur primarily on unprotected LAN environments. As people continue to use their computers in more and more public, unsecure environments, they are often exposed to MITM attacks if their software chooses that time to attempt an update. This paper critiques the 2007 Bell Labs Technical Journal article, “Man-in-the-Middle Attacks on Auto-Updating Software”, by Bjoern Luettmann and Adam Bender. Luettmann and Bender’s solution to man-in-the-middle attacks is discussed and an alternative solution is proposed. A comprehensive approach is needed to combat and prevent MITM attacks on automatic software updates.
Keywords-security, automtic update, man-in-the-middle attack, proxy attack, injection attack
I. Introduction
Many of today’s computer users are constantly on-the-go and want immediate access to the newest programs and the most current versions of existing software. Much of the software available today is auto-updating; that is, the software automatically performs periodic checks to determine whether new versions of the software or any patches are available. If the software finds that an update or patch is available, it automatically begins the process of downloading executable files to be installed and run on the user’s computer.
In their 2007 Bell Labs Technical Journal article, “Man-in-the-Middle Attacks on Auto-Updating Software”, Bjoern Luettmann and Adam Bender considered two possible types of man-in-the-middle (MITM) attacks on auto-updating software and examined code signing, specifically Microsoft’s Authenticode, as a solution to MITM attacks on the software updating process. Luettmann and Bender explained how four software applications available at the time the article was written were susceptible to MITM attacks during automatic updates. The two types of attack attempted with these applications were proxy attacks and injection attacks. The authors disclosed that these types of attacks were usually limited by the need for the attacker to reside, or at least have access via a proxy, to the victim’s local area network (LAN).
Luettmann and Bender offered code signing, “the process of digitally signing executables or source code before distribution” [1], as a means of preventing MITM attacks and ensuring security and authenticity of downloaded code. This however, verifies only the source of the code and does not guarantee the integrity and correctness of the code. The authors specifically discussed Microsoft’s Authenticode as a suitable code signing implementation. Microsoft’s Authenticode works only on Windows-based systems and would require non-Microsoft applications to purchase and utilize a competing company’s security protocol. Although Luettmann and Bender offered an alternative to completely unsecured automatic updates, they failed to offer any sufficient solutions to MITM attacks or provide any guidelines for possible industry standards.
The purpose of this paper is to offer a set of mutually supporting procedures that will prevent successful MITM attacks. Further study may allow this proposed set of procedures to become the basis for industry standards for secure automatic updates of application software. Related works are considered in Section II. Section III further develops the problem, details this paper’s proposed solution, and contrasts the proposed solution to that of Luettmann and Bender. The paper is concluded in Section IV and implications for further study are discussed.
II. RELATED WORKS
Several other authors have also examined the risks of automatic software updates. Dunn [2] explained a range of exploitation methods possible with automatic updates, and he identified three main areas of vulnerability: source identification, source authentication, and data integrity. Dunn suggested that those three areas of vulnerability be addressed in order to secure the automatic update process. However, unlike Luettmann and Bender, Dunn did not provide a specific protocol or process to accomplish any of the above.
Automatic software updates were also tested for susceptibility to man-in-the-middle attacks by Bellissimo, Burgess, and Fu [3]. Similarly to Luettmann and Bender, Bellissimo, Burgess, and Fu analyzed a variety of software packages in order to determine the level of weakness of each. They concluded that there were technical, economic, and even social challenges that left automatic software updates unsecure. The authors suggested an open design principal and the development of a set of industry-wide standards to ensure update security.
Ruissen and Vloothuis [4] undertook a similar study of update security and found a similar need for a variety of secure protocols to be implemented. They emphasized that just one unsecure application update can compromise the entire system. They suggested a combination of security efforts be made by both developers and users in order to prevent man-in-the-middle attacks on software updates.
III. PROBLEM STATEMENT AND SOLUTION
A. Problem Statement
Automatic software updates, available for a wide variety of software applications and packages, are vulnerable to man-in-the-middle attacks during the update process. Regardless of the availability of features and protocols that could help protect users from these attacks, software developers are not implementing these features and protocols and users are usually not aware of the dangers at all. These MITM attacks occur primarily on unprotected LAN environments. As people continue to use their computers in more and more public, unsecure environments, they are often exposed to MITM attacks if their software chooses that time to attempt an update. Is it the responsibility of the developer or the user to ensure the software and system remain secure throughout the update process?
Luettmann and Bender detailed two possible attacks on shareware utility Cam2PC. First, a proxy attack involves the victim computer connecting accidently to a proxy server controlled by the attacker. Incoming packets are monitored by the proxy server until a specific update packet is found. The proxy server can then edit the information included in the package and trick the victim into believing an update is available. The victim computer accepts as an update whatever malicious executable packet the proxy server chooses to send. The Cam2PC software then executes the malicious packet believing it to be a needed update to the Cam2PC software. Instead, the packet unleashes an attack on the victim’s system.
Another type of attack described by Luettmann and Bender is the packet injection attack. Using only a simple packet sniffer and packet-writing program, this attack creates additional packets and injects them into the communication traffic between the victim and a valid server. As the victim system waits for responses from the valid server, the attacker’s packets may be received by the victim before those of the valid server. The victim will then accept the attacker’s packets as the response packets and reject as duplicates any future packets arriving from the valid server. The attacker’s packets are therefore readily accepted and executed by the victim system without any further effort on the part of the attacker.
Luettmann and Bender suggested code signing as a means of preventing MITM attacks and ensuring security and authenticity of downloaded code. However, their narrow consideration of MITM attacks addresses only the source of the code and does not guarantee the integrity or authenticity of the update. Even if code signing is implemented, automatic updates are still vulnerable to other types of attack if a comprehensive approach is not taken to ensure update security.
B. Proposed Solution
A comprehensive approach is undoubtedly needed to combat and prevent MITM attacks on automatic software updates. A combination of the solutions proposed by Dunn and Bellissimo, Burgess, and Fu will best protect users from MITM attacks and allow for secure software updates. As recognized by Ruissen and Vloothuis, both developers and users are responsible for ensuring that the software and user system remain secure throughout the update process.
A threefold set of security measures should be implemented by developers to provide for source authentication, encryption, and data integrity. Source authentication would allow a user to verify the identity and security of the update server and would permit the user to refuse the connection if the update server was not satisfactorily verified. Encryption is necessary in order to safeguard an end-to-end communication protocol that cannot be imitated by an attacker. Third, data integrity must be ensured so that the user is fully confident that no changes have been made to the update code en route.
Finally, the above security measures should be combined to form a set of industry-wide standards. This set of standards must be implemented to compel developers to employ the above security measures when developing software. Currently, software developers are under no obligation to include any of these security measures in their software updates. The responsibility to ensure a safe system falls solely on the often unaware user. With a set of well-known security standards in place, developers would be induced to comply with these standards to avoid being considered subpar.
Users have their own responsibilities in ensuring secure software updates. They must educate themselves concerning security risks via software updates and should restrict auto-updating software. Users are ultimately responsible for their own systems and must ensure that they do not allow updates to automatically occur when connected to unsecure networks.
IV. CONCLUSION
This paper has examined the man-in-the-middle security concerns related to automatic software updates as proposed by Luettmann and Bender. Examples of a variety of man-in-the-middle attacks have been considered and a comprehensive solution including a set of software security standards and user responsibility has been proposed.
Implementing this proposed comprehensive solution will allow for secure software updates, fewer overall man-in-the-middle attacks, and reliable and effective software use. Users’ systems will be protected from MITM attacks and will therefore provide a better overall experience for the user.
The limitations of this paper include a lack of testing of the proposed security measures. This paper addresses only specific man-in-the-middle attacks as discussed by Luettmann and Bender, and does not consider other types of attacks that may not be thwarted by the proposed security measures.
Further research is needed to test the proposed security measures and to develop feedback from industry developers about the implementation of a set of security standards for automatic software updates. Further work is also required concerning other types of security attacks not discussed in this paper.
References
[1] B. M. Luettmann and A. C. Bender, “Man-in-the-middle attacks on auto-updating software,” Bell Labs Technical Journal, vol. 12(3), pp. 131-138, September 2007.
[2] K. Dunn “Automatic update risks: Can patching let a hacker in?,” Network Security, vol. 2004(7), pp. 5-8, July 2004.
[3] A. Bellissimo, J. Burgess, and K. Fu, “Secure software updates: Disappointments and New Challenges,” Proceedings of the 1st USENIX Workshop on Hot Topics in Security, Vancouver, B.C., Canada, 2006.
[4] P. Ruissen and R. Vloothuis, “Insecurities within automatic update systems v1.16: Can patching let a cracker in?,” Bell Labs Technical Journal, vol. 12(3), pp. 131-138, http://staff.science.uva.nl/~delaat/sne-2006-2007/p32/report.pdf , July 2007.