Where’s your data going? Hacks redirect traffic through distant lands

A map of 150 cities where there have been victims of route hijacking.

A disturbing trend appeared in the world of computer security during 2013: subtle hacks that redirect traffic through foreign countries, where it may be inspected and even modified before moving on to its recipient. The scary part is that you'll never know, and may never find out.

Through a vast network of nodes monitoring traffic all around the world, network analysts at Renesys have observed this mysterious "route hijacking," which bends the path of packets so they pass through certain locations for a few minutes or hours.

In one case, data intended to travel between two points in Denver ended up crossing the pond to England and then Iceland before looping back to arrive at its destination — just a few miles from where it started.

Apart from a few extra milliseconds of delay in the arrival of that data (it traveled to Reykjavik and back in under a fifth of a second), neither the sender nor recipient would notice anything different. Even manually inspecting the route of the packet wouldn't show anything really suspicious, owing to limitations in how such things are tracked.

Of course, the Internet is a big place; even simple communications like chats and emails bounce around to servers in different states, countries, even continents. It seems a bit excessive when your music stream has to bounce through a server thousands of miles away, but there's a method to this madness.

Generally, the protocols governing Internet connections pick an efficient and agreed-upon route to send your packets along. But in the cases observed by Renesys, those protocols are clearly being subverted; traffic often goes to distant places, but this time those places make no sense.

"It's someone on the other side of the planet, someone who has no business with me at all," Renesys CEO Jim Cowie told NBC News in a phone interview. "There's absolutely no reason why they should have my traffic in their router."

A packet that should have remained within the vicinity of Denver went across the Atlantic to visit London and Reykjavik.

If it's just an error in the software running the Internet infrastructure, it's a very strange and dangerous error. If the traffic that's redirected isn't being carefully inspected or encrypted at both ends, it could easily be tampered with by the mystery node to which it was sent. This is often called a "man in the middle" attack.

Yet who or what is causing this is still unknown. "We can't really identify an obvious pattern," said Cowie. Network operators in Iceland blamed it on a bug in their software but wouldn't elaborate, and little information is available on the many other instances Renesys recorded.

Is it really something you need to be worried about? If you practice good "Internet hygiene," you should be all right: use encrypted HTTP connections (denoted by "https://" in the URL bar) and make sure basic security measures are in place for important communications (confirming that the recipient receives exactly the same file you sent).
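An added example, not part of the original article: a sketch of the "same exact file" check, showing why a plain checksum sent alongside the file does not catch modification in transit while a keyed tag does. The sample file, the function names and the out-of-band shared key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: anyone who can change the data can recompute it."""
    return hashlib.sha256(data).hexdigest()

def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag: recomputing it requires the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_digest(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(sha256_hex(data), digest)

def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)

def modified_in_transit(data: bytes, digest: str, tag: str):
    """Constructed model of an intermediate hop that alters the payload.
    It can replace the unkeyed digest that travels with the file, but it
    has no key, so the tag is forwarded unchanged."""
    altered = data.replace(b"account 1001", b"account 9999")
    return altered, sha256_hex(altered), tag

def run_demo() -> dict:
    key = secrets.token_bytes(32)  # assumption: exchanged out of band
    original = b"Pay invoice 42 to account 1001\n"  # constructed sample file
    digest, tag = sha256_hex(original), hmac_tag(key, original)
    clean = (verify_digest(original, digest), verify_tag(key, original, tag))
    rx_data, rx_digest, rx_tag = modified_in_transit(original, digest, tag)
    return {
        "clean_digest_ok": clean[0],
        "clean_tag_ok": clean[1],
        # The unkeyed check passes on altered data: it proves nothing here.
        "altered_digest_ok": verify_digest(rx_data, rx_digest),
        # The keyed check fails: the recipient detects the change.
        "altered_tag_ok": verify_tag(key, rx_data, rx_tag),
    }

if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The same reasoning applies to a checksum published on the page the file is downloaded from: it only helps if the checksum arrives over a channel the intermediate hop cannot alter.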

"Anybody in this day and age, especially after the events of the summer, if they're not using Web encryption they really should start," advised Cowie. Encryption might not prevent the NSA from nabbing data directly from Facebook or Google's databases, but it will make your data safe from random snooping like these route hijacks.

But he also cautioned that it's an institutional problem, likely with institutional solutions: "It's an attack on the infrastructure, and obviously most people don't have a lot to do with the infrastructure." Still, so little is known right now that he wanted to get the word out and see if dragging this subtle new hack into the light will make the powers that be take action against it.

Devin Coldewey is a contributing writer for NBC News Digital. His personal website is