Android Vulnerable to Serious TCP Flaw in LinuxAdvice for Android Users: Employ a VPN Until Manufacturers Patch
About 1.4 billion Android devices are vulnerable to an attack that could allow a remote user to inject malicious code into an unencrypted traffic stream. Google is aware of the problem, and a related patch is being prepared.
The flaw, CVE-2016-5696, exists in versions 4.7 and prior of the Linux kernel and was patched in July. But the issue also affects Android, which is based on Linux, and it's not the first time this has happened (see Zero-Day Flaw Found in Linux). In particular, Android versions 4.4 and newer have the new flaw, although it does not yet appear to have been exploited by in-the-wild attacks.
The flaw first appeared about four years ago, when a mechanism for managing Transmission Control Protocol - a fundamental protocol that regulates data packets between computers - was added to the Linux kernel. The feature, called "challenge ACK," was designed to more robustly secure TCP connections - one computer would prompt another with a number that only it would know, allowing a connection to resume. It was intended to prevent a kind of spoofing attack that could lead to an attacker injecting packets.
But an attack against the challenge ACK was described earlier this month in a research paper presented at the Usenix Security Symposium in Austin, Texas. The paper demonstrated how if two hosts are using TCP, it's possible - with enough time and the right kind of consistent connection - to guess the TCP sequence numbers and then inject malicious traffic into the stream.
"As long as you can figure out the source IP and destination IP, you can conduct this kind of attack anywhere in the world," says Andrew Blaich, a staff research engineer with Lookout Mobile Security, in a blog post analyzing the flaw.
No Malicious Links Required
Typically, attackers who want to spy on users need to execute a man-in-the-middle attack, Blaich says. In general, this requires an attacker to have access to the same network as the victim in order to meddle with traffic streams. The new attack, however, is more powerful - no network compromise is required, and the attack also doesn't rely on tricking a victim into downloading malware or clicking on a malicious link.
But there is some good news: The attack doesn't work against encrypted traffic streams, so until Android gets patched - and various manufacturers and carriers apply and release the patch to users and subscribers - the flaw can be mitigated by using a VPN.
The flaw might have been mitigated if more websites used SSL/TLS, which encrypts connections. But many sites today are still not fully encrypted. Moreover, websites that have SSL enabled still deliver ads over unencrypted connections, and that traffic could be tampered with.
The attack's success depends on how long someone can observe a TCP connection. Long-lived TCP connections - such as when a person is streaming a video - offer a greater chance of success than short-term connections, Blaich says. "It's not as easy as sending a text message containing a link to video file," he says.
Flaw Could Undermine Tor Privacy
Attacks that exploit the TCP flaw are fairly fast and reliable, according to the researchers' paper. They found that it takes, on average, between 40 seconds to one minute to execute an attack, with a success rate ranging between 88 to 97 percent.
They also tested the attack against Tor, the anonymity network that routes encrypted traffic throughout relays around the world to provide greater privacy for web browsing. Their conclusion was that a denial-of-service attack could be conducted, which might force a user's traffic to rely on certain exit relay machines, according to the paper, thus undermining the anonymity offered by Tor.
Waiting for Patches
Many Android device manufacturers, as well as cellular carriers, are getting better at patching Android devices, but some are better than others (see Four Android Flaws Leave 900M Devices at Risk). A year ago, Google committed to patch its own Nexus devices every month for devices that it still supports. Manufacturers including Samsung and LG have also pledged to issue regular patches. Their moves have come after criticism that Android devices were patched too slowly or, in some cases, not at all.
One year after Google's announcement, however, mobile device manufacturers, such as Samsung, are keeping up, but the same cannot be said of every manufacturer or carrier that releases a customized version of Android, or the millions of devices that are no longer supported.
"There's obviously a large batch of phones that never get updated," Blaich says.