I don’t really understand the attack vector the ISP is using, unless it’s exploiting some kind of flaw in higher-level software than BitTorrent itself.
A torrent should be identified uniquely by a hash in a magnet URL.
When a BitTorrent user obtains a hash, as long as it’s from an https webpage, the ISP shouldn’t be able to spoof the hash. You’d have to either get your own key added to a browser’s keystore or have access to one of the trusted CA’s keys for that.
Once you have the hash, you should be able to find and validate the Merkle hash tree from the DHT. Unless you’ve broken SHA and can generate collisions – which an ISP isn’t going to – you shouldn’t be able to feed a user a bogus hash tree from the DHT.
Once you have the hash tree, you shouldn’t be able to feed a user any complete chunks that are bogus unless you’ve broken the hash function in BitTorrent’s tree (which I think is also SHA). You can feed them up to one byte short of a chunk, try and sandbag a download, but once they get all the data, they should be able to reject a chunk that doesn’t hash to the expected value in the tree.
I don’t see how you can reasonably attack the BitTorrent protocol, ISP or no, to try and inject malware. Maybe some higher level protocol or software package.
Do torrent clients actually check the hash? I’ve had borked downloads that qbittorrent showed as complete but had to be redownloaded upon a recheck before.
Webhard is Web Hard Drives - SK torrenting scene is very different from the west, to simplify from how I understand it (English info seems scarce) basically everyone uses seedboxes or “web hard drives” in SK to download stuff.
While I can’t seem to find out anything about what “The Grid system” is, if the whole thing is an online portal or software.
If ISP routers are anything like the west that means they control the DNS servers and the ones on router cannot be changed, and likely it blocks 1.1.1.1 and 8.8.8.8 and so on, as Virgin Media does (along with blocking secure DNS) in the UK for example, which definitely opens up a massive attack vector for an ISP to spin up its own website with a verified cert and malware and have the DNS resolve to that when users try to access it to either download the software needed to access this Grid System or if it’s a web portal - the portal itself.
I don’t think this included any attacks on the BitTorrent protocol at all, because as others said, it’s pretty secure, but another possibility is simply malicious torrents being distributed, which rights holders definitely done before (read decoying part in https://arstechnica.com/tech-policy/2007/03/mediadefender/)
If ISP routers are anything like the west that means they control the DNS servers and the ones on router cannot be changed, and likely it blocks 1.1.1.1 and 8.8.8.8 and so on, as Virgin Media does (along with blocking secure DNS) in the UK for example, which definitely opens up a massive attack vector for an ISP to spin up its own website with a verified cert and malware and have the DNS resolve to that when users try to access it to either download the software needed to access this Grid System or if it’s a web portal - the portal itself.
Browser page integrity – if you’re using https – doesn’t rely on DNS responses.
If I go to “foobar.com”, there has to be a valid cert for “foobar.com”. My ISP can’t get a valid cert for foobar.com unless it has a way to insert its own CA into my browser’s list of trusted CAs (which is what some business IT departments do so that they cans snoop on traffic, but an ISP probably won’t be able to do, since they don’t have access to your computer) or has access to a trusted CA’s key, as per above.
They can make your browser go to the wrong IP address, but they can’t make that IP address present information over https that your browser believes to belong to a valid site.
or has access to a trusted CA’s key, as per above.
I don’t see why they wouldn’t, or couldn’t do this if they wanted to if they were also willing to straight up resort to spreading malware, which idk about SK but that’s illegal anywhere in the west under very broad laws.
EDIT: They could also do a redirect to a different URL with a valid cert I guess, though I’m sure browsers block that too. Well I’m out of ideas then, I feel bad for cybercriminals these days.
EDIT2: Wait a sec, how does government censorship work then? Like e.g. https://ttrpg.network/post/7634428
How is the government able to MITM this person? The website is HTTPS and they’re using a VPN, but presumably locked to the DNS of the ISP. How are they able to block websites at all in this case with anything other than a termination of a connection (i.e. displaying a banner)?
Even without a VPN by your logic if the ISP can’t present a foobar.com cert then they couldn’t block it via just DNS. How do FBI takedown notices work? Shouldn’t all of these throw up SSL errors and “back to safety” prompts?
If whatever cert is presented by a remote website doesn’t have a certificate signed by one of those 52 organizations, your browser is going to throw up a warning page instead of showing content. KT Corporation, the ISP in question, isn’t one of those organizations.
They can go create a CA if they want, but it doesn’t do them any good unless it’s trusted by Firefox (or whatever browser people use, but I’m using Firefox, and I expect that basically the same CAs will be trusted by any browser, so…)
Thanks for the explainer, but that’s not what I meant.
For example: If I, an ISP in Beijing went to BEIJING CERTIFICATE AUTHORITY Co., Ltd. which is on the list, and had my cert issued by them for foobar.com that listed them as the root trust, wouldn’t that work? Because the service operating there currently is illegal and I need to take it down, i don’t see how or why they could refuse. If they can’t do this for ISPs, then certainly law enforcement should be able to force them to comply, I would assume.
If I then went to abuse that cert and spread malware on my fake cloned site, then what are the affected users going to do, call the cops and tell them the illegal seedbox is down?
This is the only way I can see governments being able to display blocked website notices, takedown notices and other MITM insertions demonstrably happening in all sorts of countries without triggering a “back to safety” warning in most browsers.
This has to be possible, because otherwise the observable results don’t make any sense.
I’m not necessarily saying they did the attack this way instead of just simply spreading malicious torrents which is far easier, but I don’t see why they wouldn’t be able to do this.
I’d also add, on an unrelated note, that if the concern is bandwidth usage, which is what the article says, I don’t see why the ISP doesn’t just throttle users, based entirely on bandwidth usage. Like, sure, there are BitTorrent users that use colossal amounts of bandwidth, will cause problems for pricing based on overselling bandwidth, which is the norm for consumer broadband.
But you don’t need to do some kind of expensive, risky, fragile, and probably liability-issue-inducing attack on BitTorrent if your concern is bandwidth usage. Just start throttling down bandwidth as usage rises, regardless of protocol. Nobody ever gets cut off, but if they’re using way above their share of bandwidth, they’re gonna have a slower connection. Hell, go offer to sell them a higher-bandwidth package. You don’t lose money, nobody is installing malware, you don’t have the problem come right back as soon as some new bandwidth-munching program shows up (YouTube?), etc.
if they’re using way above their share of bandwidth
Based on the numbers reported in the article, that’s a significant chunk of their customers. The ISP was probably reluctant to upgrade their infra like they should have.
Some software check for updates without requiring the packages to be signed. The ISP could do a HTTP redirect to a fake torrent client update. The program says “Update available”. It downloads a malicious version.
Other ISPs have been caught injecting adverts into their traffic. So there’s ways.
I don’t really understand the attack vector the ISP is using, unless it’s exploiting some kind of flaw in higher-level software than BitTorrent itself.
A torrent should be identified uniquely by a hash in a magnet URL.
When a BitTorrent user obtains a hash, as long as it’s from an https webpage, the ISP shouldn’t be able to spoof the hash. You’d have to either get your own key added to a browser’s keystore or have access to one of the trusted CA’s keys for that.
Once you have the hash, you should be able to find and validate the Merkle hash tree from the DHT. Unless you’ve broken SHA and can generate collisions – which an ISP isn’t going to – you shouldn’t be able to feed a user a bogus hash tree from the DHT.
Once you have the hash tree, you shouldn’t be able to feed a user any complete chunks that are bogus unless you’ve broken the hash function in BitTorrent’s tree (which I think is also SHA). You can feed them up to one byte short of a chunk, try and sandbag a download, but once they get all the data, they should be able to reject a chunk that doesn’t hash to the expected value in the tree.
I don’t see how you can reasonably attack the BitTorrent protocol, ISP or no, to try and inject malware. Maybe some higher level protocol or software package.
Do torrent clients actually check the hash? I’ve had borked downloads that qbittorrent showed as complete but had to be redownloaded upon a recheck before.
I think it’s much simpler than that.
Webhard is Web Hard Drives - SK torrenting scene is very different from the west, to simplify from how I understand it (English info seems scarce) basically everyone uses seedboxes or “web hard drives” in SK to download stuff.
While I can’t seem to find out anything about what “The Grid system” is, if the whole thing is an online portal or software.
If ISP routers are anything like the west that means they control the DNS servers and the ones on router cannot be changed, and likely it blocks 1.1.1.1 and 8.8.8.8 and so on, as Virgin Media does (along with blocking secure DNS) in the UK for example, which definitely opens up a massive attack vector for an ISP to spin up its own website with a verified cert and malware and have the DNS resolve to that when users try to access it to either download the software needed to access this Grid System or if it’s a web portal - the portal itself.
I don’t think this included any attacks on the BitTorrent protocol at all, because as others said, it’s pretty secure, but another possibility is simply malicious torrents being distributed, which rights holders definitely done before (read decoying part in https://arstechnica.com/tech-policy/2007/03/mediadefender/)
Browser page integrity – if you’re using https – doesn’t rely on DNS responses.
If I go to “foobar.com”, there has to be a valid cert for “foobar.com”. My ISP can’t get a valid cert for foobar.com unless it has a way to insert its own CA into my browser’s list of trusted CAs (which is what some business IT departments do so that they cans snoop on traffic, but an ISP probably won’t be able to do, since they don’t have access to your computer) or has access to a trusted CA’s key, as per above.
They can make your browser go to the wrong IP address, but they can’t make that IP address present information over https that your browser believes to belong to a valid site.
I don’t see why they wouldn’t, or couldn’t do this if they wanted to if they were also willing to straight up resort to spreading malware, which idk about SK but that’s illegal anywhere in the west under very broad laws.
EDIT: They could also do a redirect to a different URL with a valid cert I guess, though I’m sure browsers block that too. Well I’m out of ideas then, I feel bad for cybercriminals these days.
EDIT2: Wait a sec, how does government censorship work then? Like e.g. https://ttrpg.network/post/7634428 How is the government able to MITM this person? The website is HTTPS and they’re using a VPN, but presumably locked to the DNS of the ISP. How are they able to block websites at all in this case with anything other than a termination of a connection (i.e. displaying a banner)?
Even without a VPN by your logic if the ISP can’t present a foobar.com cert then they couldn’t block it via just DNS. How do FBI takedown notices work? Shouldn’t all of these throw up SSL errors and “back to safety” prompts?
There are only 52 organizations that Firefox trusts to act as CAs. An ISP isn’t normally going to be on there.
https://wiki.mozilla.org/CA/Included_Certificates
https://ccadb.my.salesforce-sites.com/mozilla/CACertificatesInFirefoxReport
If whatever cert is presented by a remote website doesn’t have a certificate signed by one of those 52 organizations, your browser is going to throw up a warning page instead of showing content. KT Corporation, the ISP in question, isn’t one of those organizations.
They can go create a CA if they want, but it doesn’t do them any good unless it’s trusted by Firefox (or whatever browser people use, but I’m using Firefox, and I expect that basically the same CAs will be trusted by any browser, so…)
Thanks for the explainer, but that’s not what I meant.
For example: If I, an ISP in Beijing went to BEIJING CERTIFICATE AUTHORITY Co., Ltd. which is on the list, and had my cert issued by them for foobar.com that listed them as the root trust, wouldn’t that work? Because the service operating there currently is illegal and I need to take it down, i don’t see how or why they could refuse. If they can’t do this for ISPs, then certainly law enforcement should be able to force them to comply, I would assume.
If I then went to abuse that cert and spread malware on my fake cloned site, then what are the affected users going to do, call the cops and tell them the illegal seedbox is down?
This is the only way I can see governments being able to display blocked website notices, takedown notices and other MITM insertions demonstrably happening in all sorts of countries without triggering a “back to safety” warning in most browsers.
This has to be possible, because otherwise the observable results don’t make any sense.
I’m not necessarily saying they did the attack this way instead of just simply spreading malicious torrents which is far easier, but I don’t see why they wouldn’t be able to do this.
I’d also add, on an unrelated note, that if the concern is bandwidth usage, which is what the article says, I don’t see why the ISP doesn’t just throttle users, based entirely on bandwidth usage. Like, sure, there are BitTorrent users that use colossal amounts of bandwidth, will cause problems for pricing based on overselling bandwidth, which is the norm for consumer broadband.
But you don’t need to do some kind of expensive, risky, fragile, and probably liability-issue-inducing attack on BitTorrent if your concern is bandwidth usage. Just start throttling down bandwidth as usage rises, regardless of protocol. Nobody ever gets cut off, but if they’re using way above their share of bandwidth, they’re gonna have a slower connection. Hell, go offer to sell them a higher-bandwidth package. You don’t lose money, nobody is installing malware, you don’t have the problem come right back as soon as some new bandwidth-munching program shows up (YouTube?), etc.
Based on the numbers reported in the article, that’s a significant chunk of their customers. The ISP was probably reluctant to upgrade their infra like they should have.
Some software check for updates without requiring the packages to be signed. The ISP could do a HTTP redirect to a fake torrent client update. The program says “Update available”. It downloads a malicious version.
Other ISPs have been caught injecting adverts into their traffic. So there’s ways.
On the other hand: HTTPS