Firewall technology is supposed to boost internet security, but a new study has found that a feature of some firewalls actually helps hackers hijack users' connections to social networking sites such as Facebook and Twitter.
A study by Z. Morley Mao, an associate professor of computer science at the University of Michigan, and doctoral student Zhiyun Qian found that firewall middleboxes enable an "off-path TCP (Transmission Control Protocol) sequence number inference" attack.
"It (firewall middleboxes) allows an off-path (i.e., not man-in-the-middle) attacker to hijack a TCP connection and inject malicious content, effectively granting the attacker write-only permission on the connection. For instance, with the help of unprivileged malware, we demonstrate that a successful attack can hijack an HTTP session and return a phishing Facebook login page issued by a browser. With the same mechanisms, it is also possible to inject malicious JavaScript to post tweets or follow other people on behalf of the victim," says the study.
The study revealed a security hole in the protection provided by "the randomization of TCP initial sequence numbers (ISN), which can guard against off-path spoofing attacks attempting to inject packets with a forged source address."
"ISN randomization prevents sequence numbers from being predicted, thus arbitrarily injected packets are likely to have invalid sequence numbers which are simply discarded at the receiver. Firewall vendors soon realized that they can in fact perform sequence number checking at network-based firewalls and actively drop invalid packets even before they can reach end-hosts, a functionality advertised in products from major firewall vendors. This feature is believed to enhance security due to the early discard of injected packets and the resulting reduced wasted network and host resources. Ironically, we discover that the very same feature in fact allows an attacker to determine the valid sequence number by probing and checking which sequence numbers are valid using side-channels as feedback. We name this attack 'TCP sequence number inference attack'," says the study.
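The mechanism the study describes, as an added illustration that is not the study's code: a toy model in which a sequence-number-checking middlebox is reduced to a yes/no oracle, placed beside a middlebox that forwards everything. The example ISN, the window size, and the assumption that an observer can tell a forwarded probe from a dropped one are all assumed; the defender's lesson is that a policy check whose outcome is observable leaks the very secret it checks.

```python
# Toy model of the side channel quoted above: a firewall that drops out-of-window
# TCP segments turns the receiver's secret window into a yes/no oracle.
# Constructed illustration, not the study's code. Assumed: the example ISN and
# window size, and that the observer can tell a forwarded probe from a dropped one.
SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq, rcv_nxt, rcv_wnd):
    """Receiver acceptability check: seq in [rcv_nxt, rcv_nxt + rcv_wnd) mod 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def make_middlebox(rcv_nxt, rcv_wnd, checks_seq):
    """Forward/drop decision of a middlebox that either enforces the receive
    window (checks_seq=True) or forwards everything to the end host."""
    def forwards(seq):
        return in_window(seq, rcv_nxt, rcv_wnd) if checks_seq else True
    return forwards


def locate_window(forwards, rcv_wnd):
    """Recover rcv_nxt from nothing but the forwarded/dropped observation: sweep
    the space in window-sized steps until a probe passes, then binary-search
    backwards for the window's left edge. Returns (estimate, probes_used)."""
    probes, hit = 0, None
    for guess in range(0, SEQ_SPACE, rcv_wnd):
        probes += 1
        if forwards(guess):
            hit = guess
            break
    if hit is None:  # cannot happen when rcv_wnd divides SEQ_SPACE
        return None, probes
    lo, hi = 0, rcv_wnd - 1  # offsets d below hit with forwards(hit - d) true
    while lo < hi:
        mid = (lo + hi + 1) // 2
        probes += 1
        if forwards((hit - mid) % SEQ_SPACE):
            lo = mid
        else:
            hi = mid - 1
    return (hit - lo) % SEQ_SPACE, probes


def compare(rcv_nxt=0x9C3F2A11, rcv_wnd=2 ** 16):
    """Same connection behind both middleboxes. With the check, the exact window
    is found after tens of thousands of probes rather than ~2^32 blind guesses;
    without it every probe looks forwarded and the estimate is meaningless."""
    return {checks: locate_window(make_middlebox(rcv_nxt, rcv_wnd, checks), rcv_wnd)
            for checks in (False, True)}
```

Calling `compare()` returns, for the checking middlebox, the exact assumed ISN and the probe count, and for the non-checking one a junk estimate: the host still discards the bad segments, but the middlebox itself gives the observer nothing to learn from.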
The researchers found firewall middleboxes that perform this sequence number checking to be common in cellular networks: at least 31.5% of the 149 networks they measured had them. In those networks, a firewall feature meant to protect against attacks instead helps the attacker carry one out.