Researchers at the University of Michigan are warning [PDF file] of a vulnerability affecting the networks of AT&T and at least 47 other carriers that can allow an attacker to inject malicious content into traffic passing between smartphone users and trusted Web sites.
"The attack, which doesn't require an adversary to have any man-in-the-middle capability over the network, can be used to lace unencrypted Facebook and Twitter pages with code that causes victims to take unintended actions, such as post messages or follow new users," writes Ars Technica's Dan Goodin. "It can also be used to direct people to fraudulent banking websites and to inject fraudulent messages into chat sessions in some Windows Live Messenger apps. Ironically, the vulnerability is introduced by a class of firewalls cellular carriers use. While intended to make the networks safer, these firewall middleboxes allow hackers to infer TCP sequence numbers of data packets appended to each data packet, a disclosure that can be used to tamper with Internet connections."
"The vulnerability, 'off-path TCP sequence number inference,' can allow hijacking of Web pages users are trying to visit," writes The Register's Richard Chirgwin. "The researchers say that some types of stateful firewalls, designed to drop packets without valid TCP sequence numbers, can be attacked by an insider that’s able to guess TCP sequence numbers of other users, and use this as the basis of a redirection."
"Attacks were tested on 150 unnamed carriers worldwide -- 48 of which were found to be using the vulnerable firewall -- with a selection of Android-powered smartphones from HTC, Motorola, and Samsung," writes Cult of Mac's Killian Bell. "However, Zhiyun Qian, one of the coauthors of the paper, told [Ars Technica] that 'there’s no reason to believe iOS devices from Apple can’t be hijacked as well.'"