Experts have warned that devices across the internet could be vulnerable to endpoint takeover because they run a decades-old authentication protocol.
Academic researchers Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl recently published a paper detailing how multiple devices, including industrial controllers, telecommunications services, and others, built by 90 different vendors, still operate using Remote Authentication Dial-In User Service, or RADIUS, which was first introduced in 1991.
RADIUS is a network protocol that provides centralized authentication, authorization, and accounting (AAA) management for users connecting to and using a network service. It was developed to authenticate remote users and grant them network access, while ensuring that their actions are logged and monitored.
Problems with MD5
When a user attempts to connect to a network, a request is sent to a RADIUS server, which verifies the user's identity by comparing the user's credentials, such as username and password, to a database. If the credentials are correct, the RADIUS server authorizes the user to access the network and specifies the level of access granted. It also keeps a log of the user's activity, including the duration of the user's session and the resources accessed.
Despite being decades old, RADIUS is still used for VPN, DSL and fiber access, Wi-Fi and 802.1X authentication, 2G and 3G roaming, 5G data network name authentication, mobile data offloading, and more.
“The core of the RADIUS protocol predates modern secure cryptographic design,” the researchers stated in the paper. “Surprisingly, in the two decades since Wang et al. demonstrated an MD5 hash collision in 2004, RADIUS has not been updated to remove MD5. In fact, RADIUS appears to have received very little security analysis given its ubiquity in modern networks.”
MD5 was once a widely used cryptographic hash function, but it was found to be flawed and has been phased out since 2012.
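To make concrete where MD5 sits in the authentication flow described above and why the researchers' concern about it matters, here is an added example (not code from the paper, the article, or any vendor) that models one Access-Request/Access-Accept exchange as RFC 2865 and RFC 2869 specify it: the User-Password hiding, the Response Authenticator the client checks, and the Message-Authenticator attribute, which is the protocol's one keyed (HMAC-MD5) integrity check. The shared secret, the user database, and the identifier value are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values for this example (not from the paper or the article).
SHARED_SECRET = b"example-shared-secret"
USER_DB = {b"alice": b"correct horse"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then the 16-byte Authenticator


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: type, length incl. 2-byte header, value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(raw):
    attrs, i = [], 0
    while i < len(raw):
        t, n = raw[i], raw[i + 1]
        attrs.append((t, raw[i + 2:i + n]))
        i += n
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret || previous block),
    seeded with the Request Authenticator. MD5 is the only primitive protecting the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def recover_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
    This is the value a client uses to decide whether an Access-Accept/Reject is genuine."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def message_authenticator(packet, secret):
    """RFC 2869 Message-Authenticator: HMAC-MD5 keyed with the shared secret over the whole
    packet, with this attribute's own value zeroed. Unlike the plain MD5 above, this is a keyed MAC."""
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
              for t, v in decode_attrs(packet[20:])]
    return hmac.new(secret, packet[:20] + encode_attrs(zeroed), hashlib.md5).digest()


def client_request(user, password, secret, ident=7):
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = [(ATTR_USER_NAME, user),
             (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
             (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    draft = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, message_authenticator(draft, secret))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(request, secret):
    """Server side: discard requests whose Message-Authenticator is absent or wrong, then check
    the credentials against the database and answer with a Response Authenticator."""
    code, ident, length = HEADER.unpack(request[:4])
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    ma = attrs.get(ATTR_MESSAGE_AUTHENTICATOR)
    if ma is None or not hmac.compare_digest(ma, message_authenticator(request[:length], secret)):
        return None  # RFC 2869: silently discard
    password = recover_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    reply = ACCESS_ACCEPT if USER_DB.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, b"", request_auth, secret), [])


def client_verify_response(response, request_auth, secret):
    code, ident, length = HEADER.unpack(response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def run_exchange(user, password, flip_code=False):
    """Returns (reply code, client accepted it). flip_code simulates a reply whose Code byte was
    altered in transit without knowledge of the secret; the MD5 check still catches that case."""
    req, request_auth = client_request(user, password, SHARED_SECRET)
    resp = server_handle(req, SHARED_SECRET)
    if flip_code:
        resp = bytes([ACCESS_ACCEPT]) + resp[1:]
    return resp[0], client_verify_response(resp, request_auth, SHARED_SECRET)


if __name__ == "__main__":
    print(run_exchange(b"alice", b"correct horse"))   # (2, True)
    print(run_exchange(b"alice", b"wrong"))           # (3, True)
    print(run_exchange(b"alice", b"wrong", True))     # (2, False)
```

The point to take from the code is structural: the password hiding and the Response Authenticator are plain MD5 over secret-suffixed data, which is exactly the construction the researchers say predates modern cryptographic design, whereas Message-Authenticator is a proper keyed HMAC. The article does not say which measures the 90 vendors adopted, so this example makes no claim about them; it only shows which checks in the RFCs depend on MD5 alone and which do not.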
The researchers say many of the 90 vendors have already implemented short-term fixes and are working on long-term solutions.