Common Firewall Feature Enables TCP Hijacking Attacks

Attackers using a feature that is common to many firewalls, switches and other networking gear could silently hijack Web sessions on mobile and desktop devices, according to a research paper presented by two Ph.D students from the University of Michigan.

The two discovered that so-called TCP initial sequence number (ISN) checking features that are common to many network devices, including firewalls, could allow an attacker to use a lightweight malware client to probe active services, sending packets with spoofed IP addresses and checking which sequence numbers are valid. By inferring valid sequence numbers, then using the network device to verify valid ISNs, the malware can enable an Internet-based attacker to carry out successful TCP hijack attacks – such as spoofing a login page to Facebook, Twitter or another social network.

The two students, Zhiyun Qian and Z. Morley Mao, presented their findings at the IEEE Security And Privacy Conference in San Francisco, California on Tuesday and in a paper, “Off-Path TCP Sequence Number Inference Attack: How Firewall Middleboxes Reduce Security,” (PDF) which was published on the University of Michigan Web site. 

Their findings could have big implications for networking equipment and firewall vendors such as Cisco Systems, Juniper Networks and Check Point, which use ISN inference features to drop malicious or suspicious packets and preserve network resources and bandwidth. 

 

Speaking to Threatpost on Tuesday, Qian said that the research grew out of a prior survey of the use of middleboxes such as firewalls, proxy and NAT devices on U.S. cellular networks. The survey found their use widespread – largely in response to the need for better bandwidth management on those networks, Qian said.

However, the security implications of the devices weren’t clear. “We weren’t sure what attacks (on middleboxes) might do. When we looked at the problem more closely, we determined that it was a serious risk.”

ISNs are randomized to prevent TCP hijacking. The problem is that some firewalls and other network devices are programmed to track ISNs and then calculate valid sequence numbers. Incoming packets with sequence numbers that don’t check out can be dropped immediately, conserving network bandwidth and increasing throughput. However, Qian and Mao reasoned that a malicious program could co-opt that security feature: monitoring open connections from a compromised device, such as a cell phone, then polling the middlebox with packets using spoofed IP addresses. By monitoring which packets are dropped and which are accepted, the malware can infer valid sequence numbers. The researchers posited and confirmed three possible TCP hijacking attacks, which they tested against a “nation-wide cellular network.” The attacks would allow a malicious actor to hijack a connection between a compromised mobile device and a legitimate server on a cellular network, replacing the legitimate network server with one controlled by the attackers.

Qian said that he has heard from a variety of companies that feel they might be vulnerable to this kind of attack, including a major U.S. cellular provider. He has also contacted one major networking equipment vendor with products that are vulnerable to the ISN inference attack, but was told that the company doesn’t consider the problem a serious one.

For customers, there is no easy or immediate fix for the problem, short of disabling the ISN number checking feature on affected devices. Now that his research is published, Qian expects malicious attackers to take note of it. Carriers and other customers that use affected hardware will then have to determine whether the benefit of the ISN checking feature outweighs the risks that it poses. 
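For operators who keep the checking feature enabled, the spoofed probing described above can be looked for in the middlebox's own drop records. The following is an added example, not code from the article or the researchers' paper: the log format, thresholds and function name are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample of firewall drop records for out-of-window TCP segments.
# Assumed format: time(s) src_ip src_port dst_ip dst_port sequence_number
SAMPLE_DROPS = """\
1000.0 203.0.113.5 443 10.20.0.7 51514 0x10000000
1000.4 203.0.113.5 443 10.20.0.7 51514 0x50000000
1000.8 203.0.113.5 443 10.20.0.7 51514 0x90000000
1001.2 203.0.113.5 443 10.20.0.7 51514 0xD0000000
1001.6 203.0.113.5 443 10.20.0.7 51514 0x30000000
1000.0 198.51.100.9 80 10.20.0.8 40022 500000
1000.5 198.51.100.9 80 10.20.0.8 40022 501460
1001.0 198.51.100.9 80 10.20.0.8 40022 502920
1001.5 198.51.100.9 80 10.20.0.8 40022 504380
1002.0 198.51.100.9 80 10.20.0.8 40022 500000
1000.0 192.0.2.44 443 10.20.0.9 33000 100
1001.0 192.0.2.44 443 10.20.0.9 33000 4000000000
"""

def flag_probed_flows(lines, min_drops=4, interval=5.0, min_span=1 << 24):
    """Return {flow: (drop_count, seq_span)} for flows whose dropped segments
    sweep the sequence space within `interval` seconds. Thresholds are assumed.
    Stale retransmissions cluster near one sequence number; probes scatter."""
    by_flow = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, sport, dst, dport, seq = line.split()
        by_flow[(src, int(sport), dst, int(dport))].append((float(ts), int(seq, 0)))
    flagged = {}
    for flow, events in by_flow.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it covers at most `interval` seconds.
            while events[end][0] - events[start][0] > interval:
                start += 1
            seqs = [s for _, s in events[start:end + 1]]
            # Plain max-min span; 32-bit wraparound is ignored in this sketch.
            span = max(seqs) - min(seqs)
            if len(seqs) >= min_drops and span >= min_span:
                flagged[flow] = (len(seqs), span)
                break
    return flagged

if __name__ == "__main__":
    for flow, (count, span) in flag_probed_flows(SAMPLE_DROPS.splitlines()).items():
        print(flow, f"drops={count}", f"seq_span={span:#x}")
```

Only the first flow in the sample is flagged: the second has many drops but all near one sequence number, and the third has a wide spread but too few drops.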
