“ICMP Redirect” MITM network attack


RALPHtech

Did you read the page you linked? Specifically, this line:

Since the attack is happening on the IPs that the user access – it does not necessarily mean that the attacker had visibility to encrypted traffic that some of the above services are enforcing.

which they helpfully put in bold in the original text, suggesting it might be relevant to take note of.

Bottom line is that via the attack an MITM situation is achieved whereby both sides of a connection knowingly send their data through you, thinking you're the other party. The data being sent is the same data that you would otherwise be able to trap using Wireshark once an MITM situation is achieved. Which is going to be encrypted data in all of those sites once the browser used has visited those sites at least one time before (due to HSTS), and quite possibly, depending on the browser used, even without the browser having visited those sites before.

HSTS prevents a browser from accessing a site via unencrypted means for a certain timeframe, typically a few months, which is re-affirmed (the end-time for the timeframe is pushed back) each time the site is accessed. The best way to remove HSTS is to get the host to tell the client, over its encrypted connection, that the HSTS timeframe is 1, meaning it will time out almost immediately. Only then will you be able to convince the client to create an insecure connection with the server. But this requires you to break SSL first, which, last time I checked, is still kinda hard.
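
The HSTS behaviour described in the post above, as an added example that is not part of the original post: a minimal model of a browser's HSTS store following RFC 6797, in which the expiry slides forward on every secure visit and a header seen over plaintext cannot alter or remove the policy. The `HstsStore` class, host names and timestamps are constructed for illustration.

```javascript
// Added example: minimal model of a browser's HSTS store (RFC 6797 semantics).
// Host names, timestamps and header values used with it are constructed.
class HstsStore {
  constructor() {
    this.entries = new Map(); // host -> { expires (ms), includeSubDomains }
  }

  // Parse a Strict-Transport-Security value; null if max-age is missing or invalid.
  static parse(value) {
    let maxAge = null;
    let includeSubDomains = false;
    for (const part of value.split(';')) {
      const [rawName, rawVal = ''] = part.trim().split('=');
      const name = rawName.trim().toLowerCase();
      const val = rawVal.trim().replace(/^"|"$/g, '');
      if (name === 'max-age' && /^\d+$/.test(val)) maxAge = Number(val);
      if (name === 'includesubdomains') includeSubDomains = true;
    }
    return maxAge === null ? null : { maxAge, includeSubDomains };
  }

  // Process a response header. It only counts when it arrived over valid TLS.
  observe(host, headerValue, { secure, now }) {
    if (!secure) return 'ignored';          // plaintext responses cannot change policy
    const policy = HstsStore.parse(headerValue);
    if (!policy) return 'ignored';
    const key = host.toLowerCase();
    if (policy.maxAge === 0) {              // max-age=0 deletes the stored entry
      this.entries.delete(key);
      return 'removed';
    }
    this.entries.set(key, {
      expires: now + policy.maxAge * 1000,  // every secure visit pushes the end time back
      includeSubDomains: policy.includeSubDomains,
    });
    return 'stored';
  }

  // True if a request to `host` at time `now` must be upgraded to HTTPS.
  mustUpgrade(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join('.'));
      if (entry && entry.expires > now && (i === 0 || entry.includeSubDomains)) return true;
    }
    return false;
  }
}
```
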
