Tuesday, July 10, 2007

FIX (financial trading) protocol flawed and hackable

You'd think electronic financial trading would be extra secure, but not so much: One of the most popular application-layer protocols in the financial industry leaves these money applications wide open to attack, according to researchers.

The application-layer FIX (financial information exchange) protocol is used by financial services firms, stock exchanges, and investment banks for automated financial trading. But apps written to the protocol can be vulnerable to denial-of-service, session hijacking, and man-in-the middle attacks over the Internet, as well as an attacker actually able to "watch" the transactions, says David Goldsmith, CEO of Matasano Security, who will present the firm's new research on FIX at the upcoming Black Hat USA briefings later this month.

Goldsmith says he can't divulge details on the specific vulnerabilities Matasano found in applications deploying FIX, as well as other financial industry-specific protocols, but the bottom line is that these protocols weren't built with security in mind. "For the most part, when you look under the hood of these protocols, we find almost no means of security," he says. The FIX spec, for instance, barely touches on how to secure data as it travels over the Internet.

And most apps that use FIX are written in C and C++, he notes, "which is not always super well-audited code."

FIX has no session-layer encryption built into it, so it isn't easy to encrypt the sessions. "So most people encrypt using external devices like VPNs or tools like 'stunnel,'" Goldsmith says. Although the FIX protocol was updated in the past year to free FIX apps from that session layer, he says, most of these apps are still running the FIX session layer.

And many FIX-enabled financial apps don't even use passwords for their sessions, mainly because the apps were originally mostly built for use internally for a private connection between business partners -- rather than over the Internet, which is increasingly becoming the preferred method.

Plenty of financial firms may be at risk of these types of attacks. According to the FIX Protocol Website, 75 percent of buy-side and 80 percent of sell-side financial services firms use FIX for electronic trading, with both types of organizations planning to expand FIX, according to a survey taken by TowerGroup. The site says more than three fourths of all financial exchanges surveyed support FIX in their applications, and that most major stock exchanges and investment banks use FIX for their electronic trading. Mutual fund, money manager, and small investment firms also deploy FIX.

Unlike credit-card theft, which ultimately can be stopped before causing much financial damage, an attack on FIX could be silent and deadly: "If a hacker was monitoring or viewing [the transactions], you may never know they are there," Goldsmith says. "[He] could take that information and use it to their advantage for insider trading... or to cause significant financial damage."

So what should financial institutions do in the meantime to protect themselves from attackers that hone in on financial protocols? Goldsmith says start by taking a look at applications "you haven't looked at in a while... When was the last time you changed passwords on applications built on FIX?"

"Even doing basic due-diligence goes a long way," he says. "It's very easy to treat these as internal apps and to not consider all the security ramifications. But these apps need to be treated very seriously."

And security tools really don't help here, Goldsmith says, although strong firewalling and external session-layer encryption are helpful. "You're not going to find that the IDSes of today are supporting FIX, or vulnerability scanners are finding FIX vulns," he says. "It's a little more narrow market."

Plus it's tough for researchers to even gain access to FIX-based systems to study their weaknesses since you can't just take down a financial trading app to test it, for instance. "These systems cannot be [taken] offline," he says.

FIX is just the tip of the iceberg for financial protocols at risk, however. "We'll be tightly focused on FIX" in the Black Hat talk, entitled "Hacking Capitalism," Goldsmith says. "But there's more to talk about."

No comments: