Hackers are running “Man-in-the-Middle” attacks (MitM) against smartphones using a new attack technique, security researchers warn.
The so-called DoubleDirect technique enables an attacker to redirect a victim’s traffic to the attacker’s device. Once redirected, the attacker can steal credentials and deliver malicious payloads to the victim’s mobile device that can not only quickly infect the device, but also spread throughout a corporate network," according to mobile security firm Zimperium.
Zimperium has detected the DoubleDirect technique in the wild in attacks against the customers of web giants including Google, Facebook, Live.com and Twitter, across 31 countries.
Hackers are also using DoubleDirect technique to gain access to victims’ devices, essentially to steal usernames, emails, and passwords.
DoubleDirect creates a means to run man-in-the-middle attacks targeting smartphone and tablets users on devices running either iOS or Android. Mac OSX users are also potentially vulnerable but Windows and Linux users would appear to be immune because their operating systems don't accept ICMP redirection packets that carry malicious traffic. A blog post by Zimperium (extract below) explains the mechanism of the attack in greater depth.
DoubleDirect uses ICMP Redirect packets to modify routing tables of a host. This is legitimately used by routers to notify the hosts on the network that a better route is available for a particular destination. However, an attacker can also use ICMP Redirect packets to alter the routing tables on the victim host, causing the traffic to flow via an arbitrary network path for a particular IP.
As a result, the attacker can launch a MitM attack, redirecting the victim’s traffic to his device. Once redirected, the attacker can compromise the mobile device by chaining the attack with additional Client Side vulnerability (e.g: browser vulnerability), and in turn, provide an attacker with access to the corporate network.
Zimperium has produced a proof of concept tool designed to illustrate the risk, without doing anything unpleasant.
Independent security expert Ken Munro, a partner at Pen Test Partners, noted that the attack offered a "handy alternative to ARP poisoning" for hackers.
ARP spoofing is a hacking technique that involves sending faked (or spoofed) Address Resolution Protocol (ARP) messages onto a Local Area Network. The tactic is geared toward mis-associating an attacker's MAC address with the IP address of the default gateway, so that any traffic meant for that IP address to be sent to the attacker instead. ®