DoubleDirect - MitM

DOUBLEDIRECT – MAN-IN-THE-MIDDLE ATTACK (MITM) IN MOBILE DEVICES 101015275_DoubleDirect_Chandrak Trivedi 1

Transcript of DoubleDirect - MitM


INTRODUCTION

• A dangerous type of MitM attack technique.
• Exploited against Android, iPhone and Mac users around the world. Windows and Linux are not affected.
• It was used to redirect victims’ traffic away from websites’ domains.
• Once done, attackers can steal victims’ valuable personal data, such as email IDs, login credentials and banking information.
• Traffic to various popular websites, including Google, Facebook, Twitter, Hotmail, Live.com, Naver.com (Korean) and others, was redirected.
• The attacks have been tracked to more than 30 countries around the globe, including the US, Canada, the UK, Germany, Spain, China, India, Australia, and Mexico, among many others.


TECHNOLOGY USED

• Routers – IP routes.
• HTTP and ICMP packets – ICMP Redirect functionality. ICMP packets are a legitimate form of communication between routers and hosts that lets the network host know that a better route to a certain destination (Google, Facebook, etc.) is available.
• ICMP Redirect – ICMP redirects are used for legitimate purposes by routers on local networks to let hosts know if there is a better route to the Internet than the default gateway, or if there is a different gateway that should be used.
• Often used as an alternative to an ARP poisoning attack technique.
• ICMP Redirect with publicly available tools like Ettercap.

ANALYSIS

[Diagram: User Device, Service Provider Network, Internet; an ICMP Redirect adds an Attacker Route so that the user’s traffic is diverted through the attacker (DoubleDirect MitM)]


CONCLUSION

• Some operating system vendors have yet to implement protection against ICMP Redirect attacks at this point.

Countermeasures:

• While the best way to prevent ICMP redirects is to change networks so that they do not accept changes from untrusted or unauthenticated sources, this is an impractical fix.
• Vendors should monitor networks for ICMP redirects with an intrusion detection system.
• All Mac and Android users can disable ICMP redirects manually.
• For Android users: download zIPS – Zimperium Mobile IPS – protection against advanced host and network mobile attacks, including DoubleDirect; zANTI2 – Mobile Diagnostics to perform DoubleDirect.
• For Apple users: Apple fixed a nasty MitM vulnerability in the latest watchOS.
• Most GNU/Linux and Windows operating systems do not accept ICMP redirect packets.
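The IDS-style monitoring suggested above, as an added example that is not part of the original slides: a small Python checker that parses an IPv4/ICMP Redirect (type 5) message and flags any redirect whose advertised gateway is not on an allowlist of trusted routers. The trusted-router addresses, the sample packet values and the helper names are assumptions made up for this example.

```python
import ipaddress
import struct
from typing import List, Optional

# Routers allowed to send or be named in ICMP redirects on this LAN (assumed values for the example).
TRUSTED_GATEWAYS = {"192.168.1.1", "192.168.1.2"}

def ipv4_hdr(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header (IHL=5, checksum left zero), used only to build sample packets."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def build_icmp_redirect(router: str, victim: str, new_gw: str, original_dst: str, code: int = 1) -> bytes:
    """Constructed ICMP Redirect (type 5): 'router' tells 'victim' to reach 'original_dst' via 'new_gw'."""
    inner = ipv4_hdr(victim, original_dst, 6, 8) + b"\x00" * 8  # quoted original header + 8 payload bytes
    icmp = struct.pack("!BBH4s", 5, code, 0, ipaddress.ip_address(new_gw).packed) + inner
    return ipv4_hdr(router, victim, 1, len(icmp)) + icmp

def analyse_icmp_redirect(packet: bytes) -> Optional[dict]:
    """Parse one IPv4 packet; return a finding for an ICMP Redirect, or None for anything else."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8 + 20:  # not ICMP, or too short to hold the inner header
        return None
    src = str(ipaddress.ip_address(packet[12:16]))
    icmp = packet[ihl:]
    if icmp[0] != 5:                                   # ICMP type 5 = Redirect
        return None
    gateway = str(ipaddress.ip_address(icmp[4:8]))     # the next hop the host is told to use
    original_dst = str(ipaddress.ip_address(icmp[8 + 16:8 + 20]))  # destination of the quoted packet
    # The source can be spoofed to look like the real router, so the decisive check is the gateway
    # the host is being pointed at: in a DoubleDirect-style redirect that is the attacker's address.
    suspicious = src not in TRUSTED_GATEWAYS or gateway not in TRUSTED_GATEWAYS
    return {"from": src, "code": icmp[1], "new_gateway": gateway,
            "for_destination": original_dst, "suspicious": suspicious}

def scan(packets: List[bytes]) -> List[dict]:
    """Monitor loop: return only the redirects that point at an untrusted gateway."""
    return [f for f in map(analyse_icmp_redirect, packets) if f and f["suspicious"]]

if __name__ == "__main__":
    # Constructed samples: a legitimate redirect between the two LAN routers, and a
    # DoubleDirect-style one steering traffic for 93.184.216.34 to an untrusted host 192.168.1.77.
    samples = [build_icmp_redirect("192.168.1.1", "192.168.1.50", "192.168.1.2", "10.0.0.5"),
               build_icmp_redirect("192.168.1.1", "192.168.1.50", "192.168.1.77", "93.184.216.34")]
    for f in scan(samples):
        print(f"ALERT: redirect from {f['from']} sends {f['for_destination']} via untrusted {f['new_gateway']}")
```

Disabling redirect acceptance on the host, as the slides recommend, removes the exposure; the checker above is the complementary network-side signal for hosts that still accept them.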


Mobile devices are the second-best source for attackers, so be aware and keep your mobile device as secure as your personal computer.

THANK YOU