Cell network security holes revealed, with an app to test your carrier

May 21, 2012

Popular firewall technology designed to boost security on cellular networks can backfire, unwittingly revealing data that could help a hacker break into Facebook and Twitter accounts, a new study from the University of Michigan shows.

The researchers also developed an Android app that tells when they're on a vulnerable network. They will present their work May 22 at the IEEE Symposium on Security and Privacy in San Francisco.

Using Android smartphones, computer science associate professor Z. Morley Mao and doctoral student Zhiyun Qian revealed how an could hijack a TCP Internet connection by taking advantage of publicly available information on smartphones; users' willingness to download untrusted apps; and network firewall middleboxes, which block data bundles that don't appear to be part of the flow of information traffic.

The researchers detected these middleboxes on 32 percent of the nearly 150 networks they tested worldwide.

This video is not supported by your browser at this time.

"Firewall middleboxes are supposed to protect against this kind of attack, but it turns out they do the opposite," Qian said. "Most vendors and carriers that deploy such firewall middleboxes still believe they are safe and we want them to be aware of this design flaw."

Middleboxes monitor the "sequence numbers" of on their way to . When you snap and share a photo with a friend, for example, it gets chopped into numerous packets before it's sent across the network. Your friend's smartphone looks to the sequence numbers to put the picture back together. Middleboxes could help hackers use the process of elimination to home in on a number in the right range.

"An attacker can try to guess at sequence numbers. It's usually hard to get feedback on whether a guessed number is correct, but the firewall middlebox makes this possible," Qian said. "The attacker can try a range of sequence numbers. The firewall will only allow one through if it is in the valid range."

In their test, the researchers used a binary search process that can rule out half of the possible numbers at a time. In 32 rounds, which take just seconds to complete, this process guarantees that they'll arrive at a valid number and get a packet through.

How does the attacker know he has succeeded? That's where the spyware comes in (smartphone malware is already very popular, the researchers say, and it wouldn't be hard for an attacker to add this capability into an existing program). The intelligence the spyware needs is not privileged information. It doesn't need special administrator or root access. It would just read a couple of the phone's publicly available incoming packet counters and let the attacker know when the counters advanced.

Armed with a valid sequence number, the hacker could spoof or Twitter's HTTP (as opposed to the more secure HTTPS) web login page and gain the user's passwords.

The attack Qian and Mao propose illustrates a susceptibility in the so-called sandboxing safety mechanism that platforms utilize. Sandboxing isolates an app to a certain piece of memory, with the intention of protecting the rest of the phone from any tampering.

"What's surprising here is that this shows how malware can, in a sense, reach out of its sandbox and tamper with other legitimate apps such as your browser," Qian said.

Explore further: Madison, Wis., becoming a force in video game industry

More information: Qian's app, Firewall Middlebox Detection, is available free of charge at play.google.com/store/apps/det… .umich.eecs.firewall

The paper is called "Off-Path TCP Sequence Number Inference Attack, How Firewall Middleboxes Reduce Security."

Project website: web.eecs.umich.edu/~zhiyunq/tc… ce_number_inference/

Related Stories

Researchers find way to measure effect of Wi-Fi attacks

Sep 12, 2011

Researchers from North Carolina State University have developed a way to measure how badly a Wi-Fi network would be disrupted by different types of attacks – a valuable tool for developing new security technologies.

Android mug shots have no lock and key

Mar 04, 2012

(PhysOrg.com) -- If Google loyalists will persist that this Internet Goliath can do no evil, they at least need to admit, based on new evidence this week, that Google can do a lot of mindless harm. A security ...

Simple security for wireless: no password required

Aug 22, 2011

In early August, at the Def Con conference — a major annual gathering of computer hackers — someone apparently hacked into many of the attendees’ cell phones, in what may have been the first successful breach ...

Recommended for you

Madison, Wis., becoming a force in video game industry

23 hours ago

In the 20-plus years that Tim Gerritsen has been creating video games, working in the realm of imaginary battlefields and mythical kingdoms, the Wisconsin native has found himself in many of the real world's most innovative ...

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

MIAmobi
not rated yet May 22, 2012
There are solutions but until we get proper legislation making app developers have you op in instead of opting out, you will never know what you have downloaded to your mobile device. There will be a backlash as people learn how their privacy has been compromised.
Using a SilentPocket allows you to take control of your own privacy when it comes to Smartphone tracking. MIAmobi addresses this issue and many more problems associated with mobile devices.
With over 500,000 mobile app developed for smartphones, many of which are stealth and are eavesdropping on your every move. Some are capable of turning on functions on your phone like your mic, camera, GPS, address book and more, even when it has been turned off. There is only one way to stop this if you really want to know for sure that you have control of your mobile device is to block all forms of wifi coming in or going out. Get informed at MIA-mobi

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.