AT&T is one of 48 carriers worldwide which have a network vulnerability that allows hackers to intercept cellular data and inject malicious content into the traffic that passes between smartphones and the websites they visit. The flaw can be used to transfer code to unencrypted pages which causes a user to perform unintended actions, like sending messages or friend requests from Facebook and Twitter. And your iPhone may be vulnerable.
What’s most worrying is that the attack can also be used to redirect users to fraudulent banking websites. The vulnerability lies within certain firewalls used by certain cellular carriers, which, ironically, are intended to make data networks safer. Ars Technica explains:
While intended to make the networks safer, these firewall middleboxes allow hackers to infer TCP sequence numbers of data packets appended to each data packet, a disclosure that can be used to tamper with Internet connections.
The vulnerability was discovered by researchers from the University of Michigan’s Computer Science and Engineering Department, who detailed their findings in a research paper which will be presented at this week’s IEEE Symposium on Security and Privacy. The paper reads:
The TCP sequence number inference attack opens up a whole new set of attack venues. It breaks the common assumption that communication is relatively safe on encrypted/protected WiFi or cellular networks that encrypt the wireless traffic. In fact, since our attack does not rely on sniffing traffic, it works regardless of the access technology as long as no application-layer protection is enabled.
Attacks were tested on 150 unnamed carriers worldwide — 48 of which were found to be using the vulnerable firewall — with a selection of Android-powered smartphones from HTC, Motorola, and Samsung. However, Zhiyun Qian, one of the coauthors of the paper, told Ars that “there’s no reason to believe iOS devices from Apple can’t be hijacked as well.”
AT&T claims that “the report does not provide enough detail for us to confirm a conclusion,” however, it does promise to “take a look at the issues raised.”
The researchers have developed a whole range of attacks that work in different scenarios. One uses a malicious app installed on an Android device to intercept certain data packets and hijack connections and inject malicious content, while another uses intermediate routers to send data through a carrier network.
But one variation requires no malware whatsoever, and uses URL phishing to lure users onto malicious websites.
When certain conditions are met, the attack can replace the content of the site with arbitrary traffic, or if the user is logged in to the targeted site, can inject JavaScript into the pages that steals authentication cookies or performs actions on behalf of the victim.
The ingredient present in all of these attacks is a vulnerable firewall on the carrier network, which uses sequence numbers for connections the end user has made with other address on the Internet. These firewalls come from a variety of manufacturers, including Cisco, Juniper, and Check Point.
“They all build on top of the sequence number inference,” Qian said of the attacks. “Without the sequence number, all of these attacks would not be possible, so you can think of sequence number inference as a building block for all of these attacks.”
Qian believes all of the firewalls should be turned off, but notes that carriers may have their own reasons not to disable them.
Source: Ars Technica
