Computer scientists have identified a vulnerability in the network of AT&T and at least 47 other cellular carriers that allows attackers to surreptitiously hijack the Internet connections of smartphone users and inject malicious content into the traffic passing between them and trusted websites.

The attack, which doesn't require an adversary to have any man-in-the-middle capability over the network, can be used to lace unencrypted Facebook and Twitter pages with code that causes victims to take unintended actions, such as post messages or follow new users. It can also be used to direct people to fraudulent banking websites and to inject fraudulent messages into chat sessions in some Windows Live Messenger apps. Ironically, the vulnerability is introduced by a class of firewalls cellular carriers use. While intended to make the networks safer, these firewall middleboxes allow hackers to infer TCP sequence numbers of data packets appended to each data packet, a disclosure that can be used to tamper with Internet connections.

"The TCP sequence number inference attack opens up a whole new set of attack venues," the researchers from the University of Michigan's Computer Science and Engineering Department wrote in a research paper scheduled to be presented at this week's IEEE Symposium on Security and Privacy. "It breaks the common assumption that communication is relatively safe on encrypted/protected WiFi or cellular networks that encrypt the wireless traffic. In fact, since our attack does not rely on sniffing traffic, it works regardless of the access technology as long as no application-layer protection is enabled."

The researchers tested their attack on Android-powered smartphones manufactured by HTC, Samsung, and Motorola. When the devices were connected to a "nation-wide carrier" that used sequence number-checking, the researchers were able to able to hijack connections to online services including Facebook, Twitter, Windows Live Messenger, and the AdMob advertising network. They could also spoof traffic from four unidentified banks and an unnamed Android app that gives real-time stock quotes. Zhiyun Qian, a recent PhD recipient and one of the coauthors of the paper, told Ars the attack will also work against computers connected to networks using cellular cards or smartphone tethers. He said there's no reason to believe iOS devices from Apple can't be hijacked as well.

This week's paper reports that of 150 worldwide carriers tested, 48 were found to use firewalls that allowed the researchers to deduce the TCP sequence numbers needed to hijack end-user connections. Using an Android app the researchers released, Ars was able to identify AT&T as the US carrier referred to in the paper. Company representatives issued a statement that read, "The report does not provide enough detail for us to confirm a conclusion but we plan to take a look at the issues it raises."

Playing outside of the sandbox

Qian and fellow co-author Professor Z. Morley Mao have devised a buffet of possible attacks depending on which required elements are satisfied in a given exploit scenario. They labeled the most potent of the attacks on-site TCP hijacking. It relies on a lightweight piece of malware that must first be installed on a victim's phone that has Internet access as its sole privilege. With help from the malicious app, the attacker queries firewalls AT&T and other carriers use to drop all data packets that contain sequence numbers out of a range considered to be valid for a current connection. By testing which packets are permitted to go through and which ones are blocked, attackers can quickly deduce an acceptable number and append it to the malicious data to camouflage its fraudulent source.

"What that means is that we're able to completely hijack the connection, so that the original server, say the Facebook server, will be completely cut off from the communication, and we can inject whatever malicious content we want," Qian told Ars. While Android apps are contained in a security sandbox that prevents them from accessing code and data used by other apps, he said the circuitous route taken by the lightweight malware effectively breaks out of this barrier, allowing the attackers to tamper with the phone's Web browser and other protected apps.

Another variant of the attack relies on intermediate routers that help funnel data through a carrier network. The monotonically incrementing 16-bit headers known as IPIDs act as side channels for inferring how many packets a target system has sent. By examining the values in the headers before and after sending spoofed probing packets, attackers can deduce sequence numbers by inferring if they successfully passed through the firewall.

Still another variation of the attack doesn't rely on any malware at all. An off-site TCP injection/hijacking exploit, for instance, relies on a technique known as URL phishing, which lures a user to a malicious intermediate webpage before sending him to what appears to be a legitimate target website. When certain conditions are met, the attack can replace the content of the site with arbitrary traffic, or if the user is logged in to the targeted site, can inject JavaScript into the pages that steals authentication cookies or performs actions on behalf of the victim.

The required ingredient

The required ingredient in all the attacks is a firewall on the carrier network that keeps track of sequence numbers for connections the end user has made with other address on the Internet. Firewalls that drop sequence numbers are manufactured by a variety of companies, including Cisco Systems, Juniper, and Check Point.

"They all build on top of the sequence number inference," Qian said of the attacks. "Without the sequence number, all of these attacks would not be possible, so you can think of sequence number inference as a building block for all of these attacks."

TCP sequence numbers were designed to help computers to reassemble packets that arrive out-of-sequence into their proper order. As researchers devised attacks in the late 1990s that used sequence numbers to hijack connections, the scheme was revised to give the numbers pseudo-random characteristics so they'd be hard for attackers to predict. Qian and Mao said they are the first known researchers to devise a TCP sequence number inference attack using the state kept on middleboxes.

Qian said online services can go a long way towards repelling the attacks by encrypting sessions using the secure sockets layer (SSL) or transport layer security (TLS) protocols, since almost all of the exploits he and Mao devised work against pages and apps that transmit content in plaintext. But even when Web traffic is encrypted, sequence number inference can be used to mount denial-of-service attacks. Of course, the attacks could be more effectively prevented if carriers removed sequence number-checking functions from the firewalls they use. Qian said he's not sure that move is feasible because the carriers rely on the features to conserve resources by summarily dropping arbitrarily packets that enter their networks.

'In my opinion, they should be turned off," Qian said of the sequence number checks. "However, the carriers may have their own reasons not to."

Updated to add AT&T comment.