A recently disclosed Linux kernel vulnerability caused by a TCP feature affects nearly 80 percent of Android devices, according to mobile security firm Lookout.
The flaw, identified as CVE-2016-5696, is related to a specification designed to prevent off-path TCP spoofing attacks. The specification (RFC 5961) has been implemented in the Linux kernel since 2012 (version 3.6), but not in Windows, Mac OS X or FreeBSD-based operating systems.
Researchers from the University of California, Riverside and the U.S. Army Research Laboratory discovered that a vulnerability in this feature can be exploited by a blind, off-path attacker to intercept TCP connections between two machines on the Internet simply by knowing their IP addresses.
The attacker can track users’ activity, terminate the intercepted connection, and inject arbitrary data. In the case of HTTPS-protected communications, an attacker can only terminate the connection. It’s also worth pointing out that the attack only works against websites that have long-lived TCP connections, such as video, ad, news and chat services.
Experts from Lookout have analyzed the vulnerability and determined that in addition to Linux systems, it also exposes Android devices to attacks. The flaw impacts Android 4.4 KitKat and later, which, according to statistics from Statista, account for nearly 80 percent of Android installations, or roughly 1.4 billion devices.
The vulnerability was patched in the Linux kernel in July with the release of version 4.7. However, even the latest Android releases, including the developer preview of the upcoming Android Nougat, still use a vulnerable version of the Linux kernel.
“If you’re running an enterprise mobility program, a number of Android devices are potentially vulnerable to a serious spying attack. CISOs should be aware that this new vulnerability affects their Linux environments, Linux-based server connections (e.g., to popular websites), in addition to Android devices,” Lookout explained.
Until the Linux kernel is updated in Android, users can limit the impact by ensuring that the websites they visit use HTTPS: the attacker can still reset an encrypted connection, but cannot read or inject its contents. On rooted devices, users can use the sysctl tool to assign a very high value to net.ipv4.tcp_challenge_ack_limit (e.g. net.ipv4.tcp_challenge_ack_limit = 999999999), which makes the global challenge-ACK counter impractical to exhaust and therefore useless as a side channel.
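The following is an added example (not code from the article, Lookout or the Linux project) of the workaround above as a small POSIX shell script: it reads the current challenge-ACK limit, reports whether it is still at or below the pre-4.7 default of 100 per second, and raises it to the suggested value. The sysctl file path is an argument so the logic can be exercised against a scratch file; on a real device it defaults to /proc/sys/net/ipv4/tcp_challenge_ack_limit. Writing that file directly is equivalent to `sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999` and needs root either way.

```shell
#!/bin/sh
# Added example: inspect and raise net.ipv4.tcp_challenge_ack_limit on a
# rooted Android device or a Linux host running a kernel older than 4.7.
# The path is parameterised (assumption for testability); the real knob is
# /proc/sys/net/ipv4/tcp_challenge_ack_limit.

SYSCTL_FILE_DEFAULT=/proc/sys/net/ipv4/tcp_challenge_ack_limit
HIGH_LIMIT=999999999      # value recommended in the article
LEGACY_DEFAULT=100        # per-second limit in vulnerable kernels (3.6 to 4.6)

# Print the current limit, or fail if the kernel does not expose the knob.
challenge_ack_limit() {
    f="${1:-$SYSCTL_FILE_DEFAULT}"
    [ -r "$f" ] || return 1
    cat "$f"
}

# Succeed (exit 0) when the limit is at or below the legacy default, i.e. the
# global counter is cheap enough to exhaust and usable as a side channel.
challenge_ack_limit_is_low() {
    cur=$(challenge_ack_limit "$1") || return 1
    [ "$cur" -le "$LEGACY_DEFAULT" ]
}

# Raise the limit and verify the kernel accepted the write.
raise_challenge_ack_limit() {
    f="${1:-$SYSCTL_FILE_DEFAULT}"
    if [ ! -w "$f" ]; then
        echo "cannot write $f (run as root)" >&2
        return 1
    fi
    echo "$HIGH_LIMIT" > "$f"
    [ "$(cat "$f")" = "$HIGH_LIMIT" ]
}

# Stand-alone use: report, then raise if still at the legacy default.
if [ "${0##*/}" = "challenge_ack.sh" ]; then
    if challenge_ack_limit_is_low; then
        echo "tcp_challenge_ack_limit is $(challenge_ack_limit): raising"
        raise_challenge_ack_limit
    else
        echo "tcp_challenge_ack_limit is $(challenge_ack_limit 2>/dev/null || echo absent): nothing to do"
    fi
fi
```

Two caveats: the change is not persistent, so it must be reapplied after every reboot (on a regular Linux host the usual place is /etc/sysctl.conf or a drop-in under /etc/sysctl.d/), and on a kernel that already carries the 4.7 fix the counter is randomised, so the knob no longer needs to be raised for this issue.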
Lookout says there is no evidence that a proof-of-concept (PoC) exploit exists for the vulnerability and the company expects Google to address it with the next Android security updates.