A class of firewalls used by dozens of carriers worldwide may make smartphones vulnerable to hijacking. According to researchers at the University of Michigan, a feature found in many major firewall systems could let hackers identify and spoof the sequence number of a trusted data packet, injecting malicious code into unencrypted sites or directing users to fraudulent services. Of the 149 mobile carriers checked in the study, 48 were found to use the feature. Using an app designed by the researchers, Ars Technica was able to identify one of them as the US carrier AT&T.
The paper, which will be presented this week at the IEEE Symposium on Security and Privacy, describes a technique it calls a "TCP sequence number inference attack." TCP labels every packet in a connection with a sequence number whose starting value is chosen at random, so an attacker who is not on the path cannot predict the numbers in use and imitate trusted data. If a packet with a sequence number outside the expected range arrives, the end point simply discards it. Many network firewalls, however, include a feature that detects and drops such out-of-range packets before they reach their final destination. While this reduces the load on the network, it also means that the firewall's decision becomes observable from the phone's side: the researchers were able to check which sequence numbers made it through and which did not.
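To make the side channel concrete, here is a small Python model added for this write-up; it is not code from the paper or from any carrier. It compares a firewall that forwards everything with one that drops segments outside the receiver's window, and shows that only the second policy produces an endpoint-visible signal that depends on the secret sequence number. The connection state, window size and probe values are constructed for illustration, and the 32-bit wraparound in `in_window` follows standard TCP sequence arithmetic.

```python
"""Toy model of the firewall side channel discussed above (added example).

A middlebox that drops TCP segments whose sequence number lies outside the
receiver's window makes an observable difference (segment arrives or not)
that depends on the secret sequence number. A middlebox that forwards every
segment leaves that observable constant, so nothing is learned from it.
All values are constructed; no real traffic is generated.
"""
from dataclasses import dataclass
from typing import Iterable

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


@dataclass
class Connection:
    rcv_nxt: int  # next expected sequence number; secret to an off-path party
    rcv_wnd: int  # advertised receive window


def firewall_forwards(policy: str, seq: int, conn: Connection) -> bool:
    """Decide whether the firewall passes a segment toward the endpoint.

    'passthrough'  : forward everything, let the endpoint discard bad segments
    'window_check' : drop segments outside the receiver's window (the feature
                     the paper identifies as the source of the leak)
    """
    if policy == "passthrough":
        return True
    if policy == "window_check":
        return in_window(seq, conn.rcv_nxt, conn.rcv_wnd)
    raise ValueError(f"unknown policy {policy!r}")


def endpoint_observable(policy: str, seq: int, conn: Connection) -> int:
    """Number of segments reaching the phone's interface for one probe.

    This is the only signal the model exposes: something on the phone side
    (for example a per-interface packet counter) can see whether the segment
    arrived, but never the sequence number check itself.
    """
    return 1 if firewall_forwards(policy, seq, conn) else 0


def leaks_window_position(policy: str, conn: Connection,
                          probes: Iterable[int]) -> bool:
    """True if the observable varies across the probed sequence numbers.

    A policy whose observable is identical for every probe leaks nothing
    about where the window sits; a policy whose observable differs does.
    """
    seen = {endpoint_observable(policy, s, conn) for s in probes}
    return len(seen) > 1


if __name__ == "__main__":
    conn = Connection(rcv_nxt=4_000_000_000, rcv_wnd=65_535)
    probes = [4_000_000_000, 4_000_010_000, 3_999_999_999, 100]
    for policy in ("passthrough", "window_check"):
        print(policy, "leaks window position:",
              leaks_window_position(policy, conn, probes))
```

The model makes the defender's trade-off visible: the window check saves the radio network from carrying segments the endpoint would discard anyway, but it moves a decision that used to be invisible from off-path into a place where its outcome can be measured on the device.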
Using this leak, the team devised a number of potential attacks. Some of the more powerful ones, like that shown below, also require malware to be installed on the phone, but others work as long as the firewall has the packet-dropping feature enabled. Although an Android phone was used in the test, co-author Zhiyun Qian says iOS devices are theoretically just as vulnerable. While Qian says it would be safest to turn off firewall sequence number checking, he also says he understands that carriers often rely on it to lighten traffic. AT&T, meanwhile, has said that the paper "does not provide enough detail for us to confirm a conclusion, but we plan to take a look at the issues it raises."