A recently disclosed Linux kernel vulnerability caused by a TCP feature affects nearly 80 percent of Android devices, according to mobile security firm Lookout.
The flaw, identified as CVE-2016-5696, is related to a specification designed to prevent off-path TCP spoofing attacks. The specification (RFC 5961) has been implemented in the Linux kernel since 2012 (version 3.6), but not in Windows, Mac OS X or FreeBSD-based operating systems.
Researchers from the University of California, Riverside and the U.S. Army Research Laboratory discovered that a vulnerability in this feature can be exploited by a blind, off-path attacker to intercept TCP connections between two machines on the Internet simply by knowing their IP addresses.
The attacker can track users’ activity, terminate the intercepted connection, and inject arbitrary data. In the case of HTTPS-protected communications, an attacker can only terminate the connection. It’s also worth pointing out that the attack only works against websites that have long-lived TCP connections, such as video, ad, news and chat services.
Experts from Lookout have analyzed the vulnerability and determined that in addition to Linux systems, it also exposes Android devices to attacks. The flaw impacts Android 4.4 KitKat and later, which, according to statistics from Statista, account for nearly 80 percent of Android installations, or roughly 1.4 billion devices.
The vulnerability was patched in the Linux kernel in July with the release of version 4.7. However, even the latest Android releases, including the developer preview of the upcoming Android Nougat, still use a vulnerable version of the Linux kernel.
“If you’re running an enterprise mobility program, a number of Android devices are potentially vulnerable to a serious spying attack. CISOs should be aware that this new vulnerability affects their Linux environments, Linux-based server connections (e.g., to popular websites), in addition to Android devices,” Lookout explained.
Until Android ships an updated Linux kernel, users can protect themselves against spying attempts by ensuring that the websites they visit use HTTPS. On rooted devices, users can use the sysctl tool to assign a high value to net.ipv4.tcp_challenge_ack_limit (e.g. net.ipv4.tcp_challenge_ack_limit = 999999999).
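The following POSIX shell script is an added example, not code from the article or from Lookout, that turns the two facts above (fixed in mainline 4.7, workaround value 999999999) into a quick host check: it reads the running kernel release and the live tcp_challenge_ack_limit, reports whether the host is patched, mitigated by the sysctl workaround, or still exposed, and prints the sysctl commands to apply if needed. The threshold constants and the "patched at 4.7" rule are assumptions taken from the article; distribution kernels frequently backport fixes without changing the major.minor version, so a kernel reported as "exposed" here should be confirmed against the vendor's advisory before anyone acts on it.

```shell
#!/bin/sh
# Added example (not from the article): report whether a Linux host still
# needs the tcp_challenge_ack_limit workaround for CVE-2016-5696.
# Assumptions: the fix shipped in mainline 4.7 (as the article states) and a
# "hardened" limit means at least the workaround value the article quotes.
# Distribution kernels may carry a backported fix under an older version
# string, so treat the version test as a heuristic.

PATCHED_MAJOR=4
PATCHED_MINOR=7
WORKAROUND_LIMIT=999999999

# kernel_is_patched "4.4.0-87-generic" -> exit 1; "4.7.2" -> exit 0.
# Compares only major.minor of the release string; suffixes are stripped.
kernel_is_patched() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    minor=${minor:-0}
    [ "$major" -gt "$PATCHED_MAJOR" ] && return 0
    [ "$major" -eq "$PATCHED_MAJOR" ] && [ "$minor" -ge "$PATCHED_MINOR" ]
}

# limit_is_hardened 1000 -> exit 1 (kernel default, workaround not applied).
limit_is_hardened() {
    [ "$1" -ge "$WORKAROUND_LIMIT" ]
}

# challenge_ack_status <kernel-release> <current-limit>
# Prints "patched", "mitigated" or "exposed".
challenge_ack_status() {
    if kernel_is_patched "$1"; then
        echo "patched"
    elif limit_is_hardened "$2"; then
        echo "mitigated"
    else
        echo "exposed"
    fi
}

# When run directly on a Linux host, evaluate the live values.
if [ -r /proc/sys/net/ipv4/tcp_challenge_ack_limit ]; then
    release=$(uname -r)
    current=$(cat /proc/sys/net/ipv4/tcp_challenge_ack_limit)
    verdict=$(challenge_ack_status "$release" "$current")
    echo "kernel $release, tcp_challenge_ack_limit=$current: $verdict"
    if [ "$verdict" = "exposed" ]; then
        echo "apply now:  sysctl -w net.ipv4.tcp_challenge_ack_limit=$WORKAROUND_LIMIT"
        echo "persist:    echo 'net.ipv4.tcp_challenge_ack_limit = $WORKAROUND_LIMIT' >> /etc/sysctl.d/99-challenge-ack.conf"
    fi
fi
```

On a rooted Android device the same functions work from a root shell, since the value lives at the same /proc path; the persistence line is written for a stock Linux distribution and will need a device-specific equivalent there.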
Lookout says there is no evidence that a proof-of-concept (PoC) exploit exists for the vulnerability and the company expects Google to address it with the next Android security updates.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.