A couple of years ago, among the trove of documents released by Edward Snowden, there was information about a “man-on-the-side” attack called Quantum Insert. The way it works is that the attacker listens in to the Internet traffic from the target organization and when an employee accesses a particular webpage, the attacker steps in and serves up a fake version of that page before the real page has time to respond.
To exploit QUANTUMINSERT (QI), you need monitoring capabilities that leak information about observed TCP sessions, plus a host that can send spoofed packets. The spoofed packet also has to arrive before the original packet for the attack to succeed. QUANTUMINSERT is described as an ‘HTML redirection’ attack: malicious content is injected into a specific TCP session. The injection relies on observing HTTP requests by eavesdropping on network traffic. When an interesting target is observed, another device, the shooter, is tipped to send a spoofed TCP packet. To craft and spoof this packet into the existing session, the shooter needs information about that session.
All the information required by the shooter is available in the TCP packet containing the HTTP request:
- Source and destination IP addresses
- Source and destination ports
- Sequence and acknowledgement numbers
For the attack to succeed, the packet injected by the shooter has to arrive at the target before the ‘real’ response from the webserver. By exploiting this speed difference, a race condition, the attacker can impersonate the webserver.
Anyone who can passively or actively monitor a network and send spoofed packets can perform QUANTUM-like attacks. The NSA is allegedly able to perform this attack on a large scale on the internet with a high success rate, which is not something just anyone can do: it requires the capability to listen in on potentially high volumes of internet traffic, and therefore substantial resources and a fast infrastructure. It also means that internet service providers (ISPs) are in a position to perform these attacks.
A nation state could perform QUANTUM-like attacks when traffic passes through its country. The NSA has had QUANTUMINSERT capabilities since 2005. The first QUANTUM tool was QUANTUMSKY, realised in 2004. The most recent development, according to the slides, dates from October 2010.
The Dutch company Fox-IT has revealed detailed information about the Quantum Insert attack. They came up with a way of protecting enterprises against such attacks. Fox-IT built a controlled environment and ran Quantum Insert attacks against it.
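Because the race only decides which response the client accepts, the real webserver's response still arrives, and a passive sensor sees two segments in the same stream claiming the same sequence number but carrying different data. The following is an added example of that check (written for this page, not Fox-IT's own detection code) over constructed segment records; the host names and addresses are invented sample values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a passive sensor would record it."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def same_prefix(a: bytes, b: bytes) -> bool:
    """True when both payloads agree over the bytes they both cover
    (a full or partial retransmission of the same data)."""
    n = min(len(a), len(b))
    return a[:n] == b[:n]


def find_injection_candidates(segments):
    """Flag streams where two segments carry the same sequence number but
    different data. Both the shooter's reply and the genuine reply are built
    from the client's request, so the later one collides with the earlier.
    Returns (first_seen, conflicting) pairs."""
    seen = defaultdict(lambda: defaultdict(list))  # stream -> seq -> payloads
    alerts = []
    for s in segments:
        if not s.payload:
            continue  # pure ACKs carry no data to compare
        variants = seen[(s.src, s.sport, s.dst, s.dport)][s.seq]
        if any(same_prefix(v.payload, s.payload) for v in variants):
            continue  # benign retransmission of bytes already seen
        if variants:
            alerts.append((variants[0], s))
        variants.append(s)
    return alerts


# Constructed sample (not a real capture): the injected 302 beats the real
# 200 response; a later retransmission of the 200 must not alert again.
C, S = ("10.0.0.5", 51234), ("203.0.113.10", 80)
SAMPLE = [
    Segment(*C, *S, 1000, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    Segment(*S, *C, 5000, b"HTTP/1.1 302 Found\r\nLocation: http://injected.invalid/\r\n\r\n"),
    Segment(*S, *C, 5000, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment(*S, *C, 5000, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
]

if __name__ == "__main__":
    for first, later in find_injection_candidates(SAMPLE):
        print(f"seq {first.seq}: {first.payload[:20]!r} then {later.payload[:20]!r}")
```

The same comparison also catches the reverse ordering, where the genuine response arrives first and the spoofed one loses the race.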