Four in five Android devices inherit Linux snooping flaw
TCP exploit lets hackers get at your plaintext web traffic
A previously identified Linux flaw, which allows anyone to hijack internet traffic, also affects 80 per cent of Android devices.
The original vulnerability, which was reported this spring, is a critical flaw in TCP that lets hackers obtain unencrypted traffic and degrade encrypted traffic to spy on victims.
The security flaw, which was presented by security researchers from the University of California, Riverside and the United States Army Research Laboratory at the Usenix security conference earlier this month, creates a mechanism for hackers to spy on supposedly secure communications without running more traditional man-in-the-middle attacks.
The researchers explained:
The vulnerability allows a blind off-path attacker to infer if any two arbitrary hosts on the Internet are communicating using a TCP connection. Further, if the connection is present, such an off-path attacker can also infer the TCP sequence numbers in use, from both sides of the connection; this in turn allows the attacker to cause connection termination and perform data injection attacks.
We illustrate how the attack can be leveraged to disrupt or degrade the privacy guarantees of an anonymity network such as Tor, and perform web connection hijacking.
The side channel vulnerability (CVE-2016-5696) was introduced in a recent TCP specification, which has been “faithfully implemented in Linux kernel version 3.6 (from 2012) and beyond”, creating a security issue in the process.
Android’s code base is based on Linux, so it has inherited this flaw.
Security researchers at mobile security firm Lookout warn that “all Android versions running the Linux Kernel 3.6 (approximately Android 4.4 KitKat) to the latest are vulnerable to this attack or 79.9 per cent of the Android ecosystem”.
The flaw is difficult to exploit but nonetheless poses a risk, especially when it comes to targeted attacks.
Lookout has more detail on the vulnerability, and potential defences, in a blog post here. ®
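As an added example (not from the article or from Lookout), the script below checks whether a Linux host falls inside the kernel range the article gives (3.6 and later) and reads the kernel's challenge-ACK rate limit. The sysctl name net.ipv4.tcp_challenge_ack_limit, its unpatched default of 100, and the output labels are assumptions drawn from general Linux knowledge rather than from this page.

```shell
#!/bin/sh
# Added example: rough CVE-2016-5696 exposure check for one Linux host.
# Assumptions (not from the article): the sysctl
# net.ipv4.tcp_challenge_ack_limit and its unpatched default of 100.

# Returns 0 if kernel release $1 is 3.6 or later (the article's lower bound),
# 1 if it is older, 2 if the release string cannot be parsed.
kernel_in_affected_range() {
    local release="$1" major minor
    major=${release%%.*}
    minor=${release#*.}
    minor=${minor%%[!0-9]*}          # "10.0-327.el7" -> "10"
    case $major in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || minor=0
    if [ "$major" -gt 3 ]; then return 0; fi
    [ "$major" -eq 3 ] && [ "$minor" -ge 6 ]
}

# Prints one of: not-in-range | unknown | likely-vulnerable | limit-raised
classify_exposure() {
    local release="$1" limit="$2" rc=0
    kernel_in_affected_range "$release" || rc=$?
    case $rc in
        0) ;;
        1) echo "not-in-range"; return 0 ;;
        *) echo "unknown"; return 0 ;;
    esac
    case $limit in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;   # sysctl missing/unreadable
    esac
    if [ "$limit" -le 100 ]; then
        echo "likely-vulnerable"     # small, fixed global challenge-ACK budget
    else
        echo "limit-raised"          # patched default or manual workaround
    fi
}

# Inspect the local host; always returns 0 so it can be used in audit loops.
check_host() {
    local release limit=""
    release=$(uname -r)
    if [ -r /proc/sys/net/ipv4/tcp_challenge_ack_limit ]; then
        limit=$(cat /proc/sys/net/ipv4/tcp_challenge_ack_limit)
    fi
    echo "kernel=$release limit=${limit:-unreadable} -> $(classify_exposure "$release" "$limit")"
}

check_host
```

A "limit-raised" result does not prove the kernel is patched, since the value can also be raised by hand on an unpatched kernel; confirm against the vendor's advisory for the installed build.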