June 27, 2016

Linux Flaw Allows Anyone to Hijack Internet Traffic

Man using computer with computer code displayed on the screen.

Lookout recently discovered a serious exploit in TCP reported this week also impacts nearly 80% of Android, or around 1.4 billion devices, based on an install base reported by Statista. The vulnerability lets attackers obtain unencrypted traffic and degrade encrypted traffic to spy on victims.The issue should be concerning to Android users as attackers are able to execute this spying without traditional “man-in-the-middle” attacks through which they must compromise the network in order to intercept the traffic.

Researchers from University of California, Riverside and the U.S. Army Research Laboratory recently revealed a vulnerability in TCP at the USENIX Security 2016 conference, specifically pertaining to Linux systems. The vulnerability allows an attacker to remotely spy on people who are using unencrypted traffic or degrade encrypted connections. While a man in the middle attack is not required here, the attacker still needs to know a source and destination IP address to successfully execute the attack.

We can estimate then that all Android versions running the Linux Kernel 3.6 (approximately Android 4.4 KitKat) to the latest are vulnerable to this attack or 79.9% of the Android ecosystem.

The vulnerability has been assigned CVE-2016-5696, which is a medium severity. The exploitability is hard, but the risk is there especially for targeted attacks.

We found the patch for the Linux kernel was authored on July 11, 2016. However, checking the latest developer preview of Android Nougat, it does not look like the Kernel is patched against this flaw. This is most likely because the patch was not available prior to the most recent Android update.

What this means

If you’re running an enterprise mobility program, a number of Android devices are potentially vulnerable to a serious spying attack. CISOs should be aware that this new vulnerability affects their Linux environments, Linux-based server connections (e.g., to popular websites), in addition to Android devices. Enterprises are encouraged to check if any of the traffic to their services (e.g., email) is using unencrypted communications. If so, targeted attacks would be able to access and manipulate unencrypted sensitive information, including any corporate emails, documents, or other files.

What can you do?

In order to patch this vulnerability Android devices need to have their Linux kernel updated.  Fortunately, there are a few remedies a user can do until the patch is released:

  • Encrypt your communications to prevent them from being spied on. This means ensuring the websites you browse to and the apps you use are employing HTTPS with TLS. You can also use a VPN if you want to add an extra step of precaution.
  • If you have a rooted Android device you can make this attack harder by using the sysctl tool and changing the value for net.ipv4.tcp_challenge_ack_limit to something very large, e.g. net.ipv4.tcp_challenge_ack_limit = 999999999
  • We are not aware of PoCs exploiting this new vulnerability and anticipate Google will patch in the next Android monthly patch. In the meantime, we will continue to monitor for exploits.

If you are more technically inclined, you can check if your device is vulnerable by running from an adb shell the following command: sysctl net.ipv4.tcp_challenge_ack_limit if the number reported is less than 1,000 (1,000 is the new number in the patch) your Android device most likely does not contain the necessary patch.

Authors

Andrew Blaich

Head of Device Intelligence

Andrew Blaich is Head of Device Intelligence at Lookout where he is focused on mobile threat hunting and vulnerability research. Prior to Lookout, Andrew was the Lead Security Analyst at Bluebox Security. He holds a Ph.D. in computer science, and engineering from the University of Notre Dame in enterprise security and wireless networking. In the past Andrew has worked at both Samsung and Qualcomm Research. Andrew is a regular presenter at security conferences including BlackHat, RSA, Kaspersky SAS, SecTor, SANS DFIR, Interop, and ACSC. In his free time he loves to run and hack on IoT.

Platform(s) Affected
Android
Threat Type
Vulnerability
Entry Type
Threat Summary
Platform(s) Affected
Android
Vulnerability
Threat Summary

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell