The P2P network may change into an anonymous cyber weapon that could ruin the world | ScanNetSecurity

The P2P network may change into an anonymous cyber weapon that could ruin the world

Can you imagine someone seizing control of a P2P network service with a hundred million users and forcing it to attack a specific server? This is not fiction.

(This article was posted on 3 July 2012 in Japanese)

There are many P2P network services in the world, and some of them have critical vulnerabilities. Can you imagine someone seizing control of a P2P network service with a hundred million users and forcing it to attack a specific server? This is not fiction. This is a real situation that is going on in our world. I will introduce its risks and describe three aspects of this problem, using the P2P network Xunlei as an example: its features, its vulnerabilities, and its threats.

First, I will describe a real P2P network as an example. Xunlei is a famous Chinese P2P network service. It provides a great variety of content services to Chinese people via the Internet, and it also has another protocol to provide content. The users of Xunlei are estimated to be more than a hundred million. This number is based on several reports. See Ref A.

The second aspect of this problem is the vulnerabilities that P2P networks may have. We already know that no system can exist without the possibility of vulnerabilities. Xunlei has four vulnerabilities, and while two of them have been fixed, the others haven't. There are also other serious vulnerabilities that have not been disclosed. These allow attackers to execute DDoS attacks, extract personal information from Xunlei users, and send an arbitrary command to Xunlei users. You can read Jun Xie's masterpiece, "New Threat-Based Chinese P2P Network", which analyzed the Xunlei network and its vulnerabilities. Xie worked as a security researcher at McAfee Labs China. His report will help you to understand this problem. In addition, attackers can sabotage targets ranging from inside Xunlei to outside China. There is a real risk that someone could attack any server on the Internet with more than a hundred million subordinates. All devices that are connected to the Internet face this menace: PCs in the home, cell phones, Internet banking, supply chain systems, power plants, factories, schools, government services, etc.

Finally, I would like to explain the risks of Xunlei. If someone succeeds in taking control of Xunlei, that person has power based on a hundred million subordinates and is able to attack any target on the Internet from anywhere in the world under the disguise of an attack from China. We cannot immediately find out who and where the attacker is. This means there is the possibility of anonymous cyber-terror via Xunlei. It could cause serious trouble in nuclear facilities, widespread blackouts, and an enormous number of personal information leaks. We know that such incidents have already happened in the real world. These are not hypothetical incidents.

In conclusion, I have described three aspects of anonymous cyber weapons: the actual condition of the P2P network Xunlei, its vulnerabilities, and its destructive power. Unfortunately, I have to point out the most important fact, which is that these risks do not come only from Xunlei. Xunlei is just an example, as I mentioned before, the tip of the iceberg. We are familiar with many similar services and botnets in the world: they may also change into anonymous cyber weapons. It is possible that many people are looking for the vulnerabilities, because they could be the key to taking control of anonymous cyber weapons. If they find them, they will have the power to ruin the world. I can easily predict that there will be a simple and powerful tool to take control of anonymous cyber weapons, so anyone could cause serious damage to our society regardless of technical skill. Japanese housewives may penetrate worldwide financial networks to increase their pin money. How do you feel about this situation? You may feel it's silly, because overly serious dangers sometimes appear ridiculous, so I should say it again: this is not fiction; this is a clear and present danger in our world. We are already living in the world of the science fiction that we read about in our childhood.

(Kazuki Ichida with editorial assistance from Jennifer Mitchell)

REFERENCES
REF A About Xunlei company and its network services
Peer-to-Peer not piracy
P2P statistics of corporate usage
Application usage rates of corporate user

REF B About vulnerabilities of Xunlei network
New Threat Based Chinese P2P Network
Xunlei vulnerabilities
CVE Xunlei : Security Vulnerabilities
JVNDB-2012-002060 Xunlei vulnerability
Potential New Xunlei 0-day Exploit

《ScanNetSecurity》
