| Researchers August 15, 2016

August 15, 2016

Linux flaw that allows anyone to hijack Internet traffic also affects 80% of Android devices

By Andrew Blaich

Lookout recently discovered a serious exploit in TCP reported this week also impacts nearly 80% of Android, or around 1.4 billion devices, based on an install base reported by Statista. The vulnerability lets attackers obtain unencrypted traffic and degrade encrypted traffic to spy on victims.
The issue should be concerning to Android users as attackers are able to execute this spying without traditional “man-in-the-middle” attacks through which they must compromise the network in order to intercept the traffic.
Researchers from University of California, Riverside and the U.S. Army Research Laboratory recently revealed a vulnerability in TCP at the USENIX Security 2016 conference, specifically pertaining to Linux systems. The vulnerability allows an attacker to remotely spy on people who are using unencrypted traffic or degrade encrypted connections. While a man in the middle attack is not required here, the attacker still needs to know a source and destination IP address to successfully execute the attack.
We can estimate then that all Android versions running the Linux Kernel 3.6 (approximately Android 4.4 KitKat) to the latest are vulnerable to this attack or 79.9% of the Android ecosystem.
The vulnerability has been assigned CVE-2016-5696, which is a medium severity. The exploitability is hard, but the risk is there especially for targeted attacks.
We found the patch for the Linux kernel was authored on July 11, 2016. However, checking the latest developer preview of Android Nougat, it does not look like the Kernel is patched against this flaw. This is most likely because the patch was not available prior to the most recent Android update.
What this means
If you’re running an enterprise mobility program, a number of Android devices are potentially vulnerable to a serious spying attack. CISOs should be aware that this new vulnerability affects their Linux environments, Linux-based server connections (e.g., to popular websites), in addition to Android devices. Enterprises are encouraged to check if any of the traffic to their services (e.g., email) is using unencrypted communications. If so, targeted attacks would be able to access and manipulate unencrypted sensitive information, including any corporate emails, documents, or other files.
What can you do?
In order to patch this vulnerability Android devices need to have their Linux kernel updated.  Fortunately, there are a few remedies a user can do until the patch is released:
  • Encrypt your communications to prevent them from being spied on. This means ensuring the websites you browse to and the apps you use are employing HTTPS with TLS. You can also use a VPN if you want to add an extra step of precaution.
  • If you have a rooted Android device you can make this attack harder by using the sysctl tool and changing the value for net.ipv4.tcp_challenge_ack_limit to something very large, e.g. net.ipv4.tcp_challenge_ack_limit = 999999999
  • We are not aware of PoCs exploiting this new vulnerability and anticipate Google will patch in the next Android monthly patch. In the meantime, we will continue to monitor for exploits.
If you are more technically inclined, you can check if your device is vulnerable by running from an adb shell the following command: sysctl net.ipv4.tcp_challenge_ack_limit if the number reported is less than 1,000 (1,000 is the new number in the patch) your Android device most likely does not contain the necessary patch.


Andrew Blaich,
Manager - Vulnerability Research

Leave a comment



Jeff & Cindy Barnes says:

August 29, 2016 at 6:20 am

What can one do to encrypt the connection to the tower as I had it explained that any encryption there is just a hardcoded device serial number for a key that once broken is the same as an unencrypted tower connection?

Antonio Scartezzini says:

August 16, 2016 at 6:21 pm

There isn´t even a public released device with the 3.6 kernel, 4.4 shipped with devices based on 3.4 and 5.0 shipped with devices based on 3.10