DoubleDirect hackers snaffle fandroid and iPhone-strokers' secrets

Hackers are running “Man-in-the-Middle” attacks (MitM) against smartphones using a new attack technique, security researchers warn. The so-called DoubleDirect technique enables an attacker to redirect a victim’s traffic to the attacker’s device. Once redirected, the attacker can steal credentials and deliver malicious payloads …

  1. Khaptain Silver badge

    Ping me - don't ping me.

    >on devices running either iOS or Android. Mac OSX users are also potentially vulnerable but Windows and Linux users would appear to be immune because their operating systems don't accept ICMP redirection packets that carry malicious traffic

    Genuine question: What is the requirement for this subset of OSes (iOS, Android and OS X) to use ICMP Redirection but where Windows and Linux don't? Is this based on various ping timeouts being used to determine the shortest paths?

    Also, does this mean that all Windows platforms are safe from this attack, or only the desktop variety?

    Interesting attack vector though.

    1. Anonymous Coward

      Re: Ping me - don't ping me.

      If you want your phone to act like a hotspot/usb modem it needs to be enabled.

      1. Khaptain Silver badge

        Re: Ping me - don't ping me.

        I would imagine then that the protocol is therefore only active during hotspot/usb modem functioning, or does it have to be on all of the time?

        Obviously if it is only on during hotspot/usb modem the attack vector is very much reduced.

  2. Anonymous Coward

    One question

    "and in turn, provide an attacker with access to the corporate network."

    How?

  3. DryBones

    Hmm.

    "Windows and Linux users would appear to be immune because their operating systems don't accept ICMP redirection packets that carry malicious traffic."

    I think the important question that should be asked here is "How can they tell?" Do they not accept redirections and thus not comply with the standard, or do they have a central place they connect and get such updates from. If so you just have to redirect that first! Reminds me of The Invention of Lying.

  4. Sebby

    Oh FFS!

    Every host and every router should have ICMP redirect and IP source routes turned OFF. We don't need the bloody things in 2014. Can't say I'm surprised to find that they work in iOS/OS X though--there was me, hoping it wasn't so. Ah well, at least Apple might fix it.

    For those not aware, ICMP redirects let a router inform a host that a better route exists for a packet, and IP source routing allows the sender of a packet to specify the route along which it would like the packet to be routed. Both have been used in stupid DoS, amplification, spoofing and MITM attacks and aren't worth the benefit they provide. For ICMP redirects, as illustrated, the attack is fairly trivial, even for a passive attacker, because you only need to send the message (Linux can operate in a "Secure" manner where it will verify the source address, though apparently not in Android).

    So yeah, just turn the bloody things off!

  5. Anonymous Coward

    Your phone, unless you're tethering, has one interface up and a default gateway supplied by DHCP. Why does it need ICMP redirects at all? What is it meant to do with them?

  6. Anonymous Coward

    Android vulnerable but not Linux?

    Did Linux recently patch against this attack and Android hasn't caught up, or has Linux been fixed for a long time and Android was changed in a way that opened it up?

    Hopefully this isn't an attack that's a real issue, because as always Android will be vulnerable for years as many devices don't receive updates so they'll be vulnerable forever.

    1. wdmot

      Re: Android vulnerable but not Linux?

      From the Zimperium article, "iOS, Android and Mac OS X usually accepts ICMP redirect packets by default", i.e. on most systems they're enabled by default. And "Most of GNU/Linux and Windows desktop operating system do not accept ICMP redirect packets", i.e. they're turned off by default, but the support is there.

      Actually, I think most Linux distributions by default use "secure" ICMP redirect -- they only accept ICMP redirect packets that redirect to a gateway already in their routing table. I don't know why most Android flavours don't have this setting too.
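      The two acceptance policies that Sebby and wdmot describe above (accept any redirect from the apparent current gateway, versus the "secure" variant that only honours a redirect to a gateway the host already knows) can be modelled in a few dozen lines. The following is an added example written for this thread, not code from Zimperium, Linux or any of the commenters; `Host`, `build_redirect` and `parse_redirect` are illustrative names, the packets are constructed test data, and the policy is a simplified reading of the behaviour the thread describes rather than any kernel's exact routing code.

```python
"""Model of how a host decides whether to honour an ICMPv4 Redirect.
Added example for the thread: plain acceptance vs. "secure" acceptance
(new gateway must already be a configured gateway). Names are illustrative,
not any OS API; all packets are constructed test data."""
import ipaddress
import struct

ICMP_REDIRECT = 5      # ICMPv4 type 5 (RFC 792); code 1 = redirect for the host
IP_HEADER_LEN = 20     # inner IPv4 header echoed back, no options assumed


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(new_gateway: str, orig_src: str, orig_dst: str, code: int = 1) -> bytes:
    """Construct a redirect as a router would send it: ICMP header, advertised
    gateway, then the IP header + 8 bytes of the datagram that triggered it."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                           ipaddress.IPv4Address(orig_src).packed,
                           ipaddress.IPv4Address(orig_dst).packed)
    body = (struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                        ipaddress.IPv4Address(new_gateway).packed)
            + inner_ip + b"\x00" * 8)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_redirect(msg: bytes) -> dict:
    """Decode a redirect; rejects truncated, non-redirect or corrupted messages."""
    if len(msg) < 8 + IP_HEADER_LEN + 8:
        raise ValueError("truncated")
    mtype, code, _csum, gw = struct.unpack("!BBH4s", msg[:8])
    if mtype != ICMP_REDIRECT:
        raise ValueError("not a redirect")
    if inet_checksum(msg) != 0:
        raise ValueError("bad checksum")
    inner = msg[8:8 + IP_HEADER_LEN]
    return {"code": code,
            "gateway": ipaddress.IPv4Address(gw),
            "orig_dst": ipaddress.IPv4Address(inner[16:20])}


class Host:
    """One interface, one DHCP-supplied default gateway, a per-destination route cache."""

    def __init__(self, ip, prefix, gateway, extra_gateways=(), secure=True):
        self.iface = ipaddress.IPv4Interface(f"{ip}/{prefix}")
        self.default_gw = ipaddress.IPv4Address(gateway)
        self.known_gateways = {self.default_gw,
                               *(ipaddress.IPv4Address(g) for g in extra_gateways)}
        self.secure = secure
        self.routes = {}   # destination -> first-hop gateway learned via redirect

    def gateway_for(self, dst):
        return self.routes.get(ipaddress.IPv4Address(dst), self.default_gw)

    def handle_redirect(self, msg: bytes, src: str):
        """Return (accepted, reason). `src` is the IP source of the ICMP packet,
        which is all an unauthenticated redirect offers for sender validation."""
        try:
            r = parse_redirect(msg)
        except ValueError as exc:
            return False, f"malformed: {exc}"
        # RFC 1122: only the gateway currently used for that destination may redirect it.
        # A spoofed source address passes this check, which is why it is not enough.
        if ipaddress.IPv4Address(src) != self.gateway_for(r["orig_dst"]):
            return False, "sender is not the current first-hop gateway"
        # The advertised gateway must be reachable on the local link.
        if r["gateway"] not in self.iface.network:
            return False, "advertised gateway is not on-link"
        # "Secure" mode as the thread describes it: new gateway must already be configured.
        if self.secure and r["gateway"] not in self.known_gateways:
            return False, "secure mode: advertised gateway is not a configured gateway"
        self.routes[r["orig_dst"]] = r["gateway"]
        return True, "route cache updated"


def demo():
    """Legitimate redirect to a second configured router vs. a redirect, with
    the source spoofed as the gateway, pointing at an unknown on-link address.
    Returns {(case, secure): accepted}."""
    cases = {"legit": build_redirect("192.168.1.2", "192.168.1.50", "203.0.113.10"),
             "rogue": build_redirect("192.168.1.99", "192.168.1.50", "203.0.113.10")}
    results = {}
    for name, msg in cases.items():
        for secure in (False, True):
            h = Host("192.168.1.50", 24, "192.168.1.1",
                     extra_gateways=["192.168.1.2"], secure=secure)
            results[(name, secure)] = h.handle_redirect(msg, "192.168.1.1")[0]
    return results


if __name__ == "__main__":
    for (case, secure), accepted in demo().items():
        print(f"{case} redirect, secure={secure}: {'accepted' if accepted else 'rejected'}")
```

      The point the model makes: the sender check alone does not help, because the source address of an ICMP packet is whatever the sender writes in it; only the secure-mode rule (or disabling redirects altogether) stops the unknown gateway being installed.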

  7. Shamino

    ICMP redirect

    I too fail to understand why ICMP redirect is ever used these days.

    If you go back and read the old RFCs, you will see that the system of ICMP router advertisements and redirect was the first attempt at self-configuring hosts. On bootup, a host would broadcast a request for the best router for reaching a host and would get back (via router advertisement) a gateway address. It would cache this. If the network changes such that the best gateway has changed, then the original gateway would send a redirect message to inform the host, which changes its cache.

    It made a lot of sense for a network where there are a lot of different gateway routers and no centralized server for distributing this information.

    But the reality today, for most users, is that for any given site, there is exactly one preferred gateway router. Its address is either hard-coded or it is pushed into the host from a DHCP server. If it should change, the hard-coded host is expected to change its configuration and the DHCP host is expected to receive an update from the DHCP server. At no time does ICMP redirect even come into play.

    In this day and age, I think it would be perfectly reasonable for all hosts to have ICMP redirection disabled by default. DHCP is more than sufficient for all but the most unusual networks.

  8. Anonymous Coward

    Relics from the past

    This attack is ancient, one of a million loose ends in the old RFCs that allowed MitM attacks. Since there is talk of finally tightening SSL we should lay this to rest, alongside source routed packets and the ping of death. If you want to follow an ICMP redirect it should only be allowed to a previously trusted host (like the ones entered as alternates in your IP settings, or from the DHCP server).

    Best to disable it entirely for public networks, though you still have a brace of other worries. (ARP, DNS, DHCP, Firesheep, all more than 5 years old, some more than 25...)
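    Several posters above (Sebby, Shamino and the previous comment) arrive at the same advice: turn ICMP redirects and source routing off. On Linux that is a sysctl change, but with a catch: the kernel combines the `conf/all` value with the per-interface value using different rules for different keys, so setting `conf/all` alone can leave an interface still accepting redirects. The following is an added example, not code from The Register, Zimperium or any commenter; `SAMPLE_SYSCTL` is a constructed `sysctl -a` excerpt, and the combination rules are the ones documented in the kernel's ip-sysctl text (accept_redirects is AND of all/interface when the interface forwards and OR when it does not; secure_redirects and send_redirects are OR; accept_source_route is AND).

```python
"""Work out the effective ICMP-redirect and source-route settings per Linux
interface, using the conf/all vs. conf/<iface> combination rules from the
kernel's ip-sysctl documentation, and emit the sysctl lines that turn them off.
Added example; SAMPLE_SYSCTL is a constructed `sysctl -a` excerpt, not a real host."""
import re

SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.secure_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.accept_redirects = 1
net.ipv4.conf.eth1.secure_redirects = 0
net.ipv4.conf.eth1.send_redirects = 1
net.ipv4.conf.eth1.accept_source_route = 0
net.ipv4.conf.wlan0.forwarding = 0
net.ipv4.conf.wlan0.accept_redirects = 0
net.ipv4.conf.wlan0.secure_redirects = 0
net.ipv4.conf.wlan0.send_redirects = 0
net.ipv4.conf.wlan0.accept_source_route = 0
"""

KEYS = ("accept_redirects", "secure_redirects", "send_redirects", "accept_source_route")


def parse_sysctl(text):
    """'key = value' lines into {key: int}; anything else is skipped."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.\-/]+)\s*=\s*(\d+)\s*$", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def interfaces(values):
    """Interface names seen under net.ipv4.conf.*, excluding the all/default scopes."""
    names = set()
    for key in values:
        m = re.match(r"net\.ipv4\.conf\.([^.]+)\.", key)
        if m:
            names.add(m.group(1))
    return sorted(names - {"all", "default"})


def effective(values, iface):
    """Apply the documented precedence between conf/all and conf/<iface>."""
    def v(scope, key):
        return bool(values.get(f"net.ipv4.conf.{scope}.{key}", 0))
    forwarding = bool(values.get(f"net.ipv4.conf.{iface}.forwarding",
                                 values.get("net.ipv4.ip_forward", 0)))
    a, i = (lambda k: v("all", k)), (lambda k: v(iface, k))
    return {
        # AND when the interface forwards, OR when it does not
        "accept_redirects": (a("accept_redirects") and i("accept_redirects")) if forwarding
                            else (a("accept_redirects") or i("accept_redirects")),
        "secure_redirects": a("secure_redirects") or i("secure_redirects"),
        "send_redirects": a("send_redirects") or i("send_redirects"),
        "accept_source_route": a("accept_source_route") and i("accept_source_route"),
    }


def findings(values):
    """(iface, setting) pairs that are still effectively enabled. send_redirects
    matters on hosts that are not meant to act as routers."""
    out = []
    for iface in interfaces(values):
        eff = effective(values, iface)
        for key in ("accept_redirects", "accept_source_route", "send_redirects"):
            if eff[key]:
                out.append((iface, key))
    return out


def hardening_fragment(values):
    """sysctl lines: all/default for the boot-time policy plus the per-interface
    keys, since under the OR rules conf/all alone does not switch a setting off."""
    lines = ["# disable ICMP redirects and source routing on every interface"]
    for scope in ["all", "default"] + interfaces(values):
        for key in KEYS:
            lines.append(f"net.ipv4.conf.{scope}.{key} = 0")
    lines += ["net.ipv6.conf.all.accept_redirects = 0",
              "net.ipv6.conf.default.accept_redirects = 0",
              "net.ipv6.conf.all.accept_source_route = 0",
              "net.ipv6.conf.default.accept_source_route = 0"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    vals = parse_sysctl(SAMPLE_SYSCTL)
    for iface, key in findings(vals):
        print(f"{iface}: {key} is effectively enabled")
    print(hardening_fragment(vals))
```

    In the sample, `conf/all/accept_redirects` is already 0, yet `eth0` still accepts redirects because it is not forwarding and its own key is 1, while `eth1`, which forwards, does not. Feed the script real output from `sysctl -a` instead of the sample to audit a live host; the generated lines go into a `/etc/sysctl.d/` file for the all/default policy and need applying to existing interfaces at runtime as well. On macOS and the other BSDs the corresponding knob is `net.inet.icmp.drop_redirect=1`.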
