
‘DoubleDirect’ MitM attack affects iOS, Android and OS X users


For at least six months, a security firm has seen a specific type of man-in-the-middle (MitM) attack, dubbed “DoubleDirect,” being leveraged, which puts iOS, Android and OS X users at risk.

San Francisco-based Zimperium detailed the threat in a Thursday blog post, revealing that, like other MitM attacks, DoubleDirect could allow a saboteur to intercept sensitive data, like credentials, or deliver malware to vulnerable devices, by redirecting victims' traffic through attacker-operated devices. But in a twist, DoubleDirect makes use of ICMP redirect packets “to alter the routing tables on the victim host, causing traffic to flow via an arbitrary network path for a particular IP,” the blog post explained.

“Once redirected, the attacker can compromise the mobile device by chaining the attack with an additional Client Side vulnerability (e.g.: browser vulnerability), and in turn, provide an attack with access to the corporate network,” Zimperium warned.

The attack works on the latest versions of iOS, including version 8.1.1, on most Android devices the firm tested, including Nexus 5 and Lollipop, and on OS X Yosemite, the blog revealed. In its post, the firm showed users how to manually disable ICMP Redirect on their Macs to remediate the issue.
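As an added illustration (not code from Zimperium's post), the following Python parses a raw IPv4 packet, recognises an ICMP Redirect (type 5), and pulls out the fields a network monitor would log: which host was told to send traffic for which destination through which new gateway, and whether that gateway is one the defender actually operates. The packet builder and the 192.168.1.x / 203.0.113.10 addresses are constructed sample data; IP and ICMP checksums are left at zero and not validated.

```python
import socket
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS+network", 3: "TOS+host"}


def parse_icmp_redirect(frame: bytes):
    """Describe an ICMP Redirect carried in a raw IPv4 packet, or return None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1:  # IP protocol 1 = ICMP
        return None
    icmp = frame[ihl:]
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_REDIRECT:
        return None
    # ICMP header: type, code, checksum, then the advertised gateway address.
    # The payload is the IP header (+8 bytes) of the datagram that triggered it,
    # so it tells us which destination the victim is being re-routed for.
    inner = icmp[8:]
    return {
        "from_router": socket.inet_ntoa(frame[12:16]),
        "victim": socket.inet_ntoa(frame[16:20]),
        "code": REDIRECT_CODES.get(icmp[1], str(icmp[1])),
        "new_gateway": socket.inet_ntoa(icmp[4:8]),
        "for_destination": socket.inet_ntoa(inner[16:20]),
    }


def is_suspicious(redirect, known_gateways):
    """Flag a redirect whose advertised next hop is not a router we operate."""
    return redirect is not None and redirect["new_gateway"] not in known_gateways


def build_ipv4(src, dst, proto, payload):
    """Constructed sample packet: minimal IPv4 header, checksum left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_redirect(router, victim, gateway, victim_dst):
    """Constructed sample: 'router' tells 'victim' to reach victim_dst via gateway."""
    inner = build_ipv4(victim, victim_dst, 6, b"\x00" * 8)  # original hdr + 8 bytes
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, socket.inet_aton(gateway))
    return build_ipv4(router, victim, 1, icmp + inner)


if __name__ == "__main__":
    pkt = build_redirect("192.168.1.1", "192.168.1.20", "192.168.1.77", "203.0.113.10")
    info = parse_icmp_redirect(pkt)
    print(info, "suspicious:", is_suspicious(info, {"192.168.1.1"}))
```

A redirect pointing at an address that is not a known router on the segment is the signature to alert on; benign redirects name a router the defender already knows.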

Still, Patrick Murray, vice president of products at Zimperium, said in a Friday interview that the same measure can't easily be taken on Android and iOS devices, because users need elevated permissions to disable acceptance of ICMP redirect packets.

“The other way to handle this is for all the website properties to employ full HTTPS,” Murray said. “[By doing this] it would be hard for you to do anything with the [attack],” he explained.

Zimperium observed the MitM attacks for about six to eight months, he added.

In the blog post, the company identified 31 countries, including the U.S., the U.K. and Canada, where attacks were occurring in the wild. During the campaign, traffic from Google, Facebook, Twitter, Hotmail and Naver (a Korean internet company) was detected as being redirected using the technique.

The firm noted on its website that the new attack technique is a “full-duplex derivative of a known ICMP Redirect attack” that has been disclosed for many years.

“Zimperium is releasing this information at this time to increase awareness as some operating system vendors have yet to implement protection at this point from ICMP Redirect attacks as there are attacks in-the-wild,” the post said.

In prepared email commentary, Chris Messer, vice president of technology at Coretelligent, a cloud and IT services firm in Mass., said that DoubleDirect has the “potential to be an extremely serious attack technique – especially as increasing numbers of people conduct sensitive transactions from their smartphones and tablets.”

“Attackers are desperate to collect personally identifiable information (PII) and credit card information, which many banking, shopping, transportation and other popular apps require and store,” Messer wrote, advising organizations to employ a “robust mobile device management program” for monitoring such threats.
