Firewalls as hacking aids
The attack described in the 15 page paper is not trivial. To inject data packets, the attacker needs to know the TCP sequence number for the last TCP packet sent by the client. This can be up to four bytes in length. The researchers discovered, however, that the firewalls used by mobile phone providers inadvertently give them a huge hand in finding this information.
The firewalls in question check the sequence number of all incoming TCP packets and only forward those packets which have a sequence number within the range currently being used by the client. All other packets are blocked. According to the researchers, it is, however, relatively easy to determine the range currently being used by the client. An attacker can then simply try out all the sequence numbers within this block.
Guessing TCP sequence numbers is an old issue. In the past, sequence numbers always incremented from a predictable value, making them easy to guess. Some time ago, this was changed so that the initial number is now selected at random. The 4.3 billion possible numbers mean that it is almost impossible to guess the correct sequence number quickly enough to be able to make use of it. But the firewall behaviour discovered by the researchers massively narrows down the range of possible numbers.
One of the attack scenarios described by the researchers involves modifying the network traffic in situ on the smartphone using a special app. On visiting Facebook, for example, the smartphone's browser could be made to display a phishing page. This would not normally be possible, as the app wouldn't know the sequence numbers for the browser connection and would not be able to eavesdrop on network traffic without root privileges.
To demonstrate this scenario, the researchers developed an app. If the attacker knew the IP addresses of the victim and web server and the ports used, this attack could also, in theory, be carried out remotely. The attacker would also have to watch for the critical time point, as, before the attacker can send the crafted packets, the victim needs to have sent an HTTP request.
The researchers told Ars Technica that, of the 150 network operators tested, around one-third use a firewall which enables sequence numbers to be divined using this technique. The attack should also work on other networks which use the right kind of firewall.
In principle, assuming there's no encryption, this technique can also be used on connections involving other network-capable devices such as PCs. Reading data packets directly is not usually possible.