Firewalls on AT&T and 47 other carriers make phones vulnerable to hijacking, researchers find


A class of firewalls used by dozens of carriers worldwide may make smartphones vulnerable to hijacking. According to researchers at the University of Michigan, a feature found in many major firewall systems could let hackers identify and spoof the sequence number of a trusted data packet, injecting malicious code into unencrypted sites or directing users to fraudulent services. Of the 149 mobile carriers checked in the study, 48 were found to use the feature. Using an app designed by the researchers, Ars Technica was able to identify one of them as the US carrier AT&T.

The paper, which will be presented this week at the IEEE Symposium on Security and Privacy, describes a system it calls "TCP sequence number inference attack." TCP governs how packets are directed using a randomly generated sequence of numbers, thus stopping attackers from predicting the pattern and imitating trusted data. If a packet with an invalid sequence number is sent, it's simply discarded at the end point. Many network firewalls, however, include a feature that detects and drops these invalid packets before they reach their final destination. While this can reduce network burden, it also means that the researchers were able to check which sequence numbers went through successfully.

Using this, the team devised a number of potential hacks. Some more powerful ones, like that shown below, require malware to be installed on the phone as well, but others work as long as the firewall has a packet-dropping feature enabled. Although an Android phone was used in the test, co-author Zhiyun Qian says iOS devices are theoretically just as vulnerable. While Qian says it would be safest to turn off firewall sequence number checking, he also says he understands that carriers often rely on it to lighten traffic. AT&T, meanwhile, has said that the paper "does not provide enough detail for us to confirm a conclusion, but we plan to take a look at the issues it raises."

Back to top ^
Log In Sign Up

Log In Sign Up

Please choose a new Verge username and password

As part of the new Verge launch, prior users will need to choose a permanent username, along with a new password.

Your username will be used to login to Verge going forward.

I already have a Vox Media account!

Verify Vox Media account

Please login to your Vox Media account. This account will be linked to your previously existing Eater account.

Please choose a new Verge username and password

As part of the new Verge launch, prior MT authors will need to choose a new username and password.

Your username will be used to login to Verge going forward.

Forgot password?

We'll email you a reset link.

If you signed up using a 3rd party account like Facebook or Twitter, please login with it instead.

Forgot password?

Try another email?

Almost done,

By becoming a registered user, you are also agreeing to our Terms and confirming that you have read our Privacy Policy.



Choose an available username to complete sign up.

In order to provide our users with a better overall experience, we ask for more information from Facebook when using it to login so that we can learn more about our audience and provide you with the best possible experience. We do not store specific user data and the sharing of it is not required to login with Facebook.