Flaw found in VPN crypto security

Problem in a popular encryption technology could let hackers intercept communications between remote workers and a company network.

May 13, 2005 6:24 a.m. PT

A flaw in a popular VPN technology could allow hackers to obtain a text version of encrypted communications with only "moderate effort," a tech security body has warned.

Britain's national emergency response team, the National Infrastructure Security Coordination Centre, issued a warning this week about the safety of virtual private networks that use IPsec encryption and tunneling to connect remote workers to corporate networks.

The flaw, which the NISCC rates as "high" risk, makes it possible for an attacker to intercept IP packets traveling between two IPsec devices. They could then modify the encapsulation security payload--a subprotocol that encrypts the data being transported. This could ultimately expose this data to an unauthorized third party.

On its Web site, NISCC stated: "By making careful modifications to selected portions of the payload of the outer packet, an attacker can effect controlled changes to the header of the inner (encrypted) packet?If these messages can be intercepted by an attacker, then plaintext data is revealed."

The NISCC includes a number of solutions to this issue in its advisory.

Dan Ilett of ZDNet UK reported from London.