Experts warn that multiple devices spread across the internet could be vulnerable to endpoint takeover due to the use of a decades-old encryption protocol.
Academic researchers Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl recently published a paper describing how multiple devices, including industrial controllers, telecommunications services, and others, from 90 different vendors still use Remote Authentication Dial-In User Service, or RADIUS for short, which was first introduced in 1991.
RADIUS is a network protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users connecting to and using a network service. It is designed to authenticate remote users and grant them access to the network, while ensuring that their actions are logged and audited.
MD5 issues
When a user attempts to connect to a network, a request is sent to a RADIUS server, which verifies the identity by checking credentials, such as a user name and password, against a database. If the credentials are correct, the RADIUS server authorizes the user to access the network and specifies the level of access granted. It also keeps a record of the user’s activity, including the duration of the session and the resources they have accessed.
Despite being around for decades, RADIUS is still used for VPN access, DSL and fiber, Wi-Fi and 802.1X authentication, 2G and 3G roaming, 5G data network name authentication, mobile data offloading, and more.
“The core of the RADIUS protocol predates modern secure cryptographic design,” the researchers wrote in the paper. “Surprisingly, in the two decades since Wang et al. demonstrated an MD5 hash collision in 2004, RADIUS has not been updated to remove MD5. In fact, RADIUS appears to have received surprisingly little security analysis given its ubiquity in modern networks.”
MD5 was a widely used cryptographic hash function, but over time it was found to contain bugs and was therefore phased out in 2012.
The researchers now say that many of the 90 vendors have already implemented short-term fixes and are currently working on long-term solutions.