Hey AT&T customers: Your Facebook data went to China and S. Korea this morning…

March 22nd, 2011 by Barrett Lyon
Quietly this morning, customers of AT&T browsing Facebook did so by way of China and then South Korea. Typically, AT&T customers’ data would have routed over the AT&T network directly to Facebook’s network provider, but due to a routing mistake their private data went first to Chinanet, then via Chinanet to SK Broadband in South Korea, and then to Facebook. This means that anything you looked at via Facebook without encryption was exposed to anyone operating Chinanet, which has a very suspect modus operandi.

This morning’s route to Facebook from AT&T:

route-server>show ip bgp 69.171.224.13 (Facebook's www IP address)
BGP routing table entry for 69.171.224.0/20, version 32605349
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 4134 9318 32934 32934 32934

The AS path (routing path) translates to this:

  1. AT&T (AS7018)
  2. Chinanet (data in China, AS4134)
  3. SK Broadband (data in South Korea, AS9318)
  4. Facebook (data back in the US, AS32934)

Current route to Facebook via AT&T:

route-server>sho ip bgp 69.171.224.0/20
BGP routing table entry for 69.171.224.0/20, version 32743195
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 3356 32934 32934, (received & used)

Translated: your data goes from AT&T’s network to US-based Level3 Communications (AS3356) to Facebook’s servers.
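An added example, not from the original post, that reads the two route-server outputs quoted above, collapses the prepended 32934 entries into a single Facebook hop, and lists transit ASes whose operator is registered outside the US. The ASN table and the sample outputs are constructed from the values on this page rather than from a registry lookup; as a later comment notes, a foreign operator's AS does not by itself prove where the packets physically went.

```python
# Constructed table of the ASNs named in the post (not a live registry lookup).
AS_INFO = {
    7018: ("AT&T", "US"),
    4134: ("Chinanet", "CN"),
    9318: ("SK Broadband", "KR"),
    32934: ("Facebook", "US"),
    3356: ("Level3 Communications", "US"),
}
# Constructed samples mirroring the two route-server outputs quoted in the post.
MORNING_ROUTE = """BGP routing table entry for 69.171.224.0/20, version 32605349
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 4134 9318 32934 32934 32934
"""
CURRENT_ROUTE = """BGP routing table entry for 69.171.224.0/20, version 32743195
Paths: (18 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7018 3356 32934 32934, (received & used)
"""

def parse_as_path(output):
    """Return the AS path from 'show ip bgp' text, with prepends collapsed."""
    for line in output.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header lines start with words; the path line starts with an ASN
        path = []
        for tok in tokens:
            tok = tok.rstrip(",")
            if not tok.isdigit():
                break  # trailing annotations such as "(received & used)"
            asn = int(tok)
            if not path or path[-1] != asn:  # "32934 32934 32934" is AS prepending
                path.append(asn)
        return path
    return []

def foreign_transit(path, home="US"):
    """Transit hops (between first and last AS) whose operator is not in `home`."""
    hops = [(asn,) + AS_INFO.get(asn, ("unknown", "??")) for asn in path]
    return [hop for hop in hops[1:-1] if hop[2] != home]

def describe(path):
    """Render the path the way the numbered list above does."""
    return " -> ".join(f"{AS_INFO.get(a, ('unknown', '??'))[0]} (AS{a})" for a in path)

if __name__ == "__main__":
    for text in (MORNING_ROUTE, CURRENT_ROUTE):
        print(describe(parse_as_path(text)), foreign_transit(parse_as_path(text)))
```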

What could have happened with your data? Most likely absolutely nothing. Yet China is well known for its harmful networking practices, limiting network functionality and spying on its users, and when your data is flowing over their network, it could be treated like any Chinese citizen’s. Does that include capturing your session ID information, personal information, emails, photos, chat conversations, mappings to your friends and family, etc.? One can only speculate; however, it’s possible.

This brings up a lot of questions:

  • Should Facebook and/or AT&T have notified their customers that their personal information was flowing over a network that they may not trust?
  • Should Facebook enable SSL on all accounts by default?
  • Was this actually a privacy breach or just the way the Internet functions?
  • Does Facebook have an ethical responsibility to buy additional IP connectivity to major broadband and mobile networks to prevent routing mishaps?
  • Is it time to focus on new options within BGP to prevent high profile sites from routing to non-authenticated networks?

This happens all the time — the Internet is just not a trusted network. Yet I prefer to know that when I am on AT&T’s network, going to US-located sites, my packets are not accidentally leaving the country and being subject to another nation’s policies. I guess that’s why you should not use Facebook in “bareback” mode and should use HTTPS (SSL) any time you can.

Food for thought.

Thanks to Tom Scholl for the heads-up and thoughtful commentary on this subject.

40 Responses to “Hey AT&T customers: Your Facebook data went to China and S. Korea this morning…”

  1. phedny says:

    It might also be interesting to find out what the legal implications of such events are for European websites, since the Data Protection Directive prohibits transfers of such data outside the EU.

  2. x says:

    The answer to all your questions is “no”, except for -> “Should Facebook enable SSL on all accounts by default?”

    The Internet is, as you say, not a trusted network. That’s the point. Your communication is as likely to be sniffed going through AT&T as it is in Chinanet. If you don’t want the communication between you and any Internet endpoint, encrypt the communication!

  3. y says:

    Completely agree with x. The only thing that should change is that more web sites should be using https by default, anything else is complete overkill and even against the principles of net neutrality I would say.

  4. Oh thy precious Facebook, what could they have done with it?!?!?!?!

    Really, considering the amount of other traffic that AT+T purposely routes to Chinanet and the ‘content’ therein, I can’t believe we’re freaking out over Facebook of all things.

    I realize the implications of mapping back social networks, I was not born yesterday. But as the Facebook traffic now flows strictly domestically, there is still way, way, way more extremely sensitive traffic that would glean much more for the Chinese that is actually routing across to them at this very moment without interruption.

    But hey, let’s raise some eyebrows once our Facebook accounts get spied on. Wow.

  5. Barrett Lyon says:

    I’m just glad that routing mistakes can be a common discussion and thought provoking. This conversation would have been limited to a couple people a few years ago and now it’s important to the lives of many.

    I think people just feel very exposed with Facebook and I am glad that y brings up the point about AT&T as well. I just did not have enough of a tinfoil hat on to do it. :)

    I just hope more people enable “Use SSL/HTTPS on everything” which will limit the data that others can see. No more “bareback” Internet browsing. :P

  6. Chris says:

    Where did you get access to one of the routers on AT&T’s backbone, and which hop is this?

    I’m not exactly familiar with AT&T’s network or backbone, but I have a hard time believing that the last hop on AT&T’s network before hitting Facebook has BGP routes going around the world to China, then back into the U.S.

    Lastly, none of the output here proves that the router you were accessing belongs to AT&T. To be honest, I think this entire article is a little fishy. What network engineer sets a router hostname to ‘route-server’?

  7. [...] brief routing error was highlighted by security researcher Barrett Lyon, who identified that AT&T customers, when requesting data from Facebook, were first sending their requests via [...]

  9. [...] said Barrett Lyon, the independent researcher who helped discover the anomaly and later blogged about it. Human rights groups have long accused China’s government of snooping on the internet [...]

  10. y says:

    Honestly, if you don’t want your personal information in the hands of China, then how can you trust Facebook with it?

  12. Neij says:

    Maybe AT&T, along with all ISPs with large numbers of home users, should stop being peering b******, and start peering with Facebook and other social media sites to prevent their customers’ private data from leaking out all over the Internet.

  13. Ken Schultz says:

    Your article talks about the route *from* AT&T’s network *to* Facebook, and your diagram’s arrow shows that. But the text in the diagram mentions the opposite direction.

    In the world of BGP policies and Internet routing, there really isn’t a way to infer FB’s route outward based solely upon the routing inbound to them.

    ie… your diagram is wrong

  14. Barrett Lyon says:

    @Ken Schultz – It’s just an info graphic. I’ve done real diagrams before but thanks for pointing that out for educational purposes to those who are still learning. :D

    Oh and y I think you are my hero. (I’m not being sarcastic – I like your comments)

  15. Russell VT says:

    It might be good to specifically mention, too, that your route in/to Facebook (or any other site) may vary wildly, depending on many factors (including geo-location or “entry point”). From one of my networks, for example, I resolve to a completely different subnet than you do (and the domain versus www server also resolve to separate networks). So, YMMV… BTW, welcome to Reddit!

  16. Jon says:

    hmmm who would I rather have my data – facebook or china. Well, given their records, I would have to say China, as they are less likely to be selling it on to make themselves some money.

  17. bob ama says:

    Serves you right for putting all your sh1t on a public website. Facebook = americans in the form of a website: HELLO EVERYBODY I AM GOING TO TELL YOU MY ENTIRE LIFE STORY EVEN IF YOU DON’T WANT TO HEAR IT I WAS BORN IN CHICAGO AND STARTED TAKING CRACK AT THE AGE OF 1 AND THEN I BOUGHT…

  18. This article implies that if data go through China or South Korea, they are treated worse than if they would go only through AT&T network. Please, read information about how AT&T spies on their users. It’s just the same as in China.

    https://secure.wikimedia.org/wikipedia/en/wiki/Room_641A
    http://arstechnica.com/tech-policy/news/2011/03/appeals-court-revives-lawsuit-challenging-nsa-surveillance-of-americans.ars

  19. n3kt0n says:

    What makes you so sure that your Facebook traffic ever left the United States? Both China Telecom and SK/Hanaro Telecom have *significant* US presences. China Telecom has a point of presence and IP space right (66.102.248.0/24 for example) in Herndon, and SK/Hanaro has several peerings in several US data centers. With the recent routing instability due to worldwide fiber cuts in the Pacific (think Japan) and a cross-Atlantic OC-192 outage, such a temporary routing path on a big peering center would not be unexpected. Next time, do a “traceroute -A” on a Linux system and combine it with GeoIP from maxmind.com to determine where in the globe your traffic is going. You would be surprised. A lot of those “foreign” AS’s are advertising IPs physically located in the US.

    In the 48 hour period around when you saw this happen:

    Activity Within Selected Time Period
    Advertisements: There were 2695 advertisements in the selected period.
    Peers reporting route changes: Altogether, 282 peers reported at least one route change.
    Actual route changes: There were 845 route changes.
    Actual outages: There were 30 actual outages.
    These could be grouped into 29 events, ranging in duration from less than one second to one hour.
    Stability Patterns Noticed for Selected Time Period

    One prefix, Facebook, Inc. (69.171.224.0/20), exhibited strong route instability (845 changes and 30 outages, lasting as long as three hours, reported by dozens of peers)

  20. Jared Mauch says:

    May not matter if it was ssl’ed or not. A * TLD cert could have helped a MITM, issued by a state-controlled agency, such as the Chinese SSL/DNS operators. Basically X.509 is “not secure enough”. You need look no further than the Comodo incident.

  21. [...] Lyon had noted in his original post, anyone who viewed Facebook traffic through the link-up without encryption was subject to having [...]

  22. smalltime says:

    China, unlike Iran, can make SSL certs your browser trusts on a whim.

  24. [...] researcher Barrett Lyon, who has focused on mapping the Internet and its paths, wrote on his blog Tuesday that traffic to Facebook on ATTs network Tuesday morning traveled through Chinanetthe Internet [...]

  25. [...] in Palo Alto, Calif., was re-routed to first pass through Chinese and Korean servers, according to Barrett Lyon, a network security expert who flagged the incident on March 22. Lyon suggested in a blog post that [...]

  26. [...] Lyon reported on his blog that he noticed that AT&T was routing traffic to Facebook through a Chinese network (China [...]

  29. [...] ISP in South Korea, before finding their way to Facebook. Independent security researcher Barret Lyon saw the change and took note: This morning’s route to Facebook from AT&T: [...]

  30. [...] provider rerouted via the People’s Republic of China and South Korea. Network security expert Barrett Lyon assumes that the mishap [...]

  32. [...] Palo Alto, California was re-routed to first pass through Chinese and Korean servers, according to Barrett Lyon, a network security expert who flagged the incident on 22 March. Lyon suggested in a blog post that [...]

  33. [...] ISP in South Korea, before finding their way to Facebook. Independent security researcher Barret Lyon saw the change and took note: This mornings route to Facebook from ATT: route-servershow ip bgp [...]

  35. Michael says:

    Hey, it is easy to route traffic wherever you want with BGP tools http://www.ospfmon.com/docs/bgptools.htm

  37. AT&T and China? Where’s the difference? Facebook? All doing the same, collecting data and spying on their users. You can find verified case studies all over the net…just saying.
