# Cross-Router Covert Channels

**Authors:** Adar Ovadya, Rom Ogen, Yakov Mallah, Niv Gilboa, Yossi Oren

arXiv: 1908.02524 · 2019-08-08

## TL;DR

This paper reveals that logical network isolation between host and guest networks can be bypassed using cross-router covert channels, enabling data leakage through shared router hardware across multiple vendors.

## Contribution

It demonstrates the vulnerability of router-based network isolation to covert channels and surveys multiple routers to show widespread susceptibility, even with limited attacker permissions.

## Key findings

- All surveyed routers are vulnerable to at least one covert channel class.
- Attack success does not require high-level permissions or malicious code execution.
- Metrics for channel effectiveness include pervasiveness, rate, and covertness.

## Abstract

Many organizations protect secure networked devices from non-secure networked devices by assigning each class of devices to a different logical network. These two logical networks, commonly called the host network and the guest network, use the same router hardware, which is designed to isolate the two networks in software.   In this work we show that logical network isolation based on host and guest networks can be overcome by the use of cross-router covert channels. Using specially-crafted network traffic, these channels make it possible to leak data between the host network and the guest network, and vice versa, through the use of the router as a shared medium. We performed a survey of routers representing multiple vendors and price points, and discovered that all of the routers we surveyed are vulnerable to at least one class of covert channel. Our attack can succeed even if the attacker has very limited permissions on the infected device, and even an iframe hosting malicious JavaScript code can be used for this purpose. We provide several metrics for the effectiveness of such channels, based on their pervasiveness, rate and covertness, and discuss possible ways of identifying and preventing these leakages.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1908.02524/full.md

## Figures

16 figures with captions in the complete paper: https://tomesphere.com/paper/1908.02524/full.md

## References

24 references — full list in the complete paper: https://tomesphere.com/paper/1908.02524/full.md

---
Source: https://tomesphere.com/paper/1908.02524