Man-in-the-mobile attack: Can DoubleDirect be mitigated?

Man-in-the-middle attacks are now targeting smartphones in man-in-the-mobile attacks. Expert Nick Lewis explains how to defend against the threat.

There's a new man-in-the-middle attack technique called "DoubleDirect," which targets smartphones. What is the best way to prevent or avoid this kind of technique, as well as other "man-in-the-mobile" attacks?

Modern networks operate with a significant amount of trust that the devices connecting to them will not behave maliciously. The basic tenet of not trusting commands from untrusted and unauthenticated sources was not widely understood when TCP/IP was designed in the 1970s. Trust in the network has caused many issues and is one of the reasons hackers from the L0pht told Congress in 1998 that they could take down the Internet in less than 30 minutes. There was speculation that the vulnerability they were hinting at was in the Border Gateway Protocol (BGP), and current research identifies vulnerabilities in BGP that could do what the hackers warned about.

Zimperium Mobile Security Labs announced a vulnerability called DoubleDirect in ICMP redirect functionality. ICMP redirects are used for legitimate purposes by routers on local networks to let hosts know that a better next hop exists for a given destination than the default gateway, or that a different gateway should be used.

In the DoubleDirect attack, a hacker first hijacks connections to the DNS server with ICMP redirects and then sends ICMP redirects to all of the hosts on the network that use that DNS server. In each ICMP redirect, the attacker tells the victim system there is a better route to use, so that all traffic from the victim system flows through the attacker, who can then perform a man-in-the-middle or man-in-the-mobile attack.

While the best way to prevent ICMP redirect attacks would be to change networks so that they do not accept route changes from untrusted or unauthenticated sources, this is an impractical fix. Rather, enterprises should monitor their networks for ICMP redirects with an intrusion detection system and investigate any ICMP redirect packets whose source is not an approved router. Alternatively, the network could block ICMP redirect packets from any source other than the approved routers.
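The monitoring step above, as an added example that is not part of the original article: a small parser for raw IPv4/ICMP packets that flags redirect messages (ICMP type 5) whose sender or advertised gateway is not on the approved-router list, and then counts how many distinct victims each unapproved sender has redirected, which is the "redirect every host on the segment" pattern the text describes. The sample traffic, the addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24) and the approved-router list are all constructed for the example; checksums are left as zero because they are not verified here.

```python
"""Flag ICMP redirect packets from unapproved sources (constructed sample traffic)."""
import ipaddress
import struct
from collections import Counter

ICMP_PROTO = 1
ICMP_REDIRECT = 5  # ICMP type for Redirect Message


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) for a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def parse_icmp_redirect(payload: bytes):
    """Return (code, gateway, original_dst) if the ICMP message is a redirect, else None."""
    if len(payload) < 8 + 20 or payload[0] != ICMP_REDIRECT:
        return None
    code = payload[1]
    gateway = str(ipaddress.IPv4Address(payload[4:8]))
    inner = parse_ipv4(payload[8:])  # header of the datagram that triggered the redirect
    if inner is None:
        return None
    return code, gateway, inner[1]


def find_rogue_redirects(packets, approved_routers):
    """Return one finding per redirect whose sender or gateway is not an approved router."""
    approved = {str(ipaddress.IPv4Address(r)) for r in approved_routers}
    findings = []
    for pkt in packets:
        ip = parse_ipv4(pkt)
        if ip is None or ip[2] != ICMP_PROTO:
            continue
        src, victim, _, payload = ip
        redirect = parse_icmp_redirect(payload)
        if redirect is None:
            continue
        code, gateway, original_dst = redirect
        if src not in approved or gateway not in approved:
            findings.append({"source": src, "victim": victim, "gateway": gateway,
                             "for_destination": original_dst, "code": code})
    return findings


def victims_per_source(findings):
    """Count distinct victims per unapproved sender; many victims from one sender is the
    segment-wide pattern described in the article."""
    seen = {(f["source"], f["victim"]) for f in findings}
    return dict(Counter(src for src, _ in seen))


# --- constructed sample traffic -------------------------------------------------------
def build_ipv4(src, dst, proto, payload):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_redirect(src, victim, gateway, original_dst, code=1):
    inner = build_ipv4(victim, original_dst, 17, b"\x00" * 8)  # victim's original UDP datagram
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, ipaddress.IPv4Address(gateway).packed)
    return build_ipv4(src, victim, ICMP_PROTO, icmp + inner)


APPROVED_ROUTERS = ["192.0.2.1", "192.0.2.2"]  # hypothetical approved routers
SAMPLE_PACKETS = [
    build_redirect("192.0.2.1", "192.0.2.10", "192.0.2.2", "198.51.100.53"),   # legitimate
    build_redirect("192.0.2.77", "192.0.2.10", "192.0.2.77", "198.51.100.53"),  # rogue sender
    build_redirect("192.0.2.77", "192.0.2.11", "192.0.2.77", "198.51.100.53"),  # rogue sender
    build_ipv4("192.0.2.10", "198.51.100.53", 17, b"\x00" * 8),                  # unrelated UDP
]

if __name__ == "__main__":
    rogue = find_rogue_redirects(SAMPLE_PACKETS, APPROVED_ROUTERS)
    for finding in rogue:
        print(finding)
    print(victims_per_source(rogue))
```

In a real deployment the packet list would come from a capture interface or an IDS tap rather than the constructed bytes above; the detection logic itself is the same. Flagging on the advertised gateway as well as the sender matters because an attacker who can spoof an approved router's source address still has to name a gateway they control.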

Endpoints should have ICMP redirect processing disabled, as Windows and Linux allow, to prevent this attack. Otherwise, a host-based intrusion prevention system that blocks ICMP redirects can be used.
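One way to check that Linux endpoints actually have redirect processing turned off, as an added example that is not from the article: parse `sysctl -a` output, compare the ICMP redirect keys against the values common hardening baselines expect, and render the `sysctl.conf` lines needed to fix any gap. The sysctl key names are the real Linux ones; the sample output is constructed and shows a host that still accepts IPv4 redirects. On Windows the equivalent setting is the `EnableICMPRedirect` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, which is not covered by this script.

```python
"""Audit sysctl output for ICMP redirect acceptance on a Linux endpoint (constructed sample)."""

# Expected values: accept_redirects=0 disables redirect processing entirely;
# secure_redirects=0 removes the exception that still honours redirects from the
# current gateway; the IPv6 keys cover Neighbor Discovery redirects.
EXPECTED = {
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.default.secure_redirects": "0",
    "net.ipv6.conf.all.accept_redirects": "0",
    "net.ipv6.conf.default.accept_redirects": "0",
}


def parse_sysctl(text: str) -> dict:
    """Parse 'key = value' lines (the `sysctl -a` format) into a dict, ignoring noise."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings: dict, expected: dict = EXPECTED) -> dict:
    """Return {key: (current, expected)} for every key that is missing or non-compliant."""
    return {key: (settings.get(key), want)
            for key, want in expected.items() if settings.get(key) != want}


def remediation_lines(findings: dict) -> list:
    """Render sysctl.conf lines that would bring the reported keys into compliance."""
    return [f"{key} = {want}" for key, (_, want) in sorted(findings.items())]


# Constructed sample: IPv4 redirects still accepted, one IPv6 key absent from the output.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.ip_forward = 0
net.ipv6.conf.all.accept_redirects = 0
"""

if __name__ == "__main__":
    findings = audit(parse_sysctl(SAMPLE_SYSCTL))
    for key, (current, want) in findings.items():
        print(f"{key}: current={current} expected={want}")
    print("\n".join(remediation_lines(findings)))
```

Run against a live host with `subprocess.run(["sysctl", "-a"], capture_output=True, text=True).stdout` in place of the sample string; the rendered lines can be dropped into `/etc/sysctl.d/` and applied with `sysctl --system`.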

This was last published in June 2015