This worrying cyberattack targets one of the key protocols propping up the whole internet

Different devices, all over the internet, could be vulnerable to endpoint takeover, due to running a decades-old encryption protocol, experts have warned.

Academic researchers Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl recently published a paper detailing how multiple devices, including industrial controllers, telecommunications services, and others, built by 90 different vendors, still operate on Remote Authentication Dial-In User Service, or RADIUS for short, which was first introduced back in 1991.

RADIUS is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service. It was developed to authenticate remote users and grant them access to the network while ensuring that their actions are logged and monitored.

MD5 woes

When a user tries to connect to a network, a request is sent to a RADIUS server, which verifies their identity by checking their credentials, such as a username and password, against a database. If the credentials are correct, the RADIUS server authorizes the user to access the network and specifies the level of access granted. It also keeps a record of the user’s activity, including the duration of their session and the resources they accessed.

Despite being decades old, RADIUS is still used for VPN access, DSL and Fiber, Wi-Fi and 802.1X authentication, 2G and 3G roaming, 5G Data Network Name authentication, mobile data offloading, and more.

“The core of the RADIUS protocol predates modern secure cryptographic design,” the researchers said in the paper. “Surprisingly, in the two decades since Wang et al. demonstrated an MD5 hash collision in 2004, RADIUS has not been updated to remove MD5. In fact, RADIUS appears to have received notably little security analysis given its ubiquity in modern networks.”

MD5 was a widely used cryptographic hash function, but over time it was found to be flawed, which is why since 2012 it was being phased out.

Now, the researchers are saying that many of the 90 vendors have already implemented short-term fixes and are currently working on long-term solutions.