Linux TCP data snooping flaw haunts 1.4bn Android devices

Oh no, not again. Another flaw. This time it’s not directly Android’s, though; it’s in the Linux kernel that Android runs on. In other words, this is not Quadrooter.

Eight out of 10 Android devices are affected by a critical Linux vulnerability disclosed last week that allows an off-path attacker to determine whether two hosts are communicating over the Transmission Control Protocol (TCP), to terminate those connections, or to inject data into them if they are unencrypted.

The flaw has been present in the TCP implementation in Linux since 2012, when version 3.6 of the kernel added the behaviour in question, and according to researchers at mobile security company Lookout, 80 percent of Android devices, going back to KitKat (Android 4.4), run kernel 3.6 or newer and are therefore affected.


The issue was publicly disclosed last week during the USENIX Security Symposium, where researchers from the University of California Riverside and the U.S. Army Research Laboratory presented a paper entitled “Off-Path TCP Exploits: Global Rate Limit Considered Dangerous.” An attacker needs to know the IP addresses of both ends of a TCP connection before initiating an attack, but a successful exploit does not require the attacker to be in a man-in-the-middle position on the network, the researchers said; the attacker never sees the victim’s traffic and infers everything else from the victim host’s responses to its own packets.

Lookout security researcher Andrew Blaich said that some other Android vulnerabilities, such as Stagefright, Quadrooter or the kernel and driver flaws that are being patched on a monthly basis, may be more severe, but this attack is practical and within reach of hackers. “This is about information disclosure and an attacker being able to infer where you’re going, what you’re viewing and having the ability to inject code,” Blaich said, adding that chaining this vulnerability with a WebKit or browser-related bug could allow for remote code execution. “All you need is one of those and this is where this bug gets interesting.”

A patch has been pushed to the Linux kernel, but Lookout said that as of Friday the latest developer preview of Android Nougat still remained vulnerable, and the Android Open Source Project had yet to receive the patch as well. Android updates are released monthly to carriers and handset makers, and over-the-air security updates for Nexus devices are sent by Google on the first of every month.

The Cal-Riverside and Army researchers said last week the problem is linked to the introduction of challenge ACK responses (RFC 5961) and the imposition of a global rate limit on TCP control packets. “At a very high level, the vulnerability allows an attacker to create contention on a shared resource, i.e., the global rate limit counter on the target system by sending spoofed packets. The attacker can then subsequently observe the effect on the counter changes, measurable through probing packets,” the researchers wrote. “Through extensive experimentation, we demonstrate that the attack is extremely effective and reliable. Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating. If there is a connection, subsequently, it takes also only tens of seconds to infer the TCP sequence numbers used on the connection.”

Blaich cautioned that in some instances where connections must be long-lived, such as video conferencing or large file-sharing, attackers could take advantage of those scenarios to exploit this bug.

Lookout recommends that until a patch is ready, Android users should rely on encrypted communications and, in particular, use a VPN. Encryption protects the content of a connection, though not the fact that it exists or the attacker’s ability to reset it. For rooted Android devices, Lookout recommends using the sysctl tool to set net.ipv4.tcp_challenge_ack_limit to a large value such as 999999999, so that the shared counter can no longer be exhausted in practice. Blaich said he expects a patch to be ready for the next monthly Android update, which is set for Sept. 1.
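To make the researchers’ description of the shared counter concrete, and to show why the sysctl change Lookout recommends blunts it, here is a small Python model of the side channel. It is illustrative code added for this article, not code from the USENIX paper, the Linux kernel, or Lookout; the addresses, ports and sequence numbers are constructed, and it simplifies away timing, packet loss and the one-second slot synchronisation the real attack needs. One host keeps a single global challenge-ACK counter for all of its connections. An off-path attacker spoofs packets at a guessed client/server 4-tuple, then sends probe packets on its own connection and counts the replies: every reply that fails to arrive was a challenge ACK the spoofed packet consumed.

```python
"""Toy model of the CVE-2016-5696 challenge-ACK side channel (illustrative
code, not the paper's or the kernel's).  All hosts and numbers are constructed."""
from dataclasses import dataclass, field

SEQ_SPACE = 1 << 32


@dataclass
class Conn:
    rcv_nxt: int            # next sequence number the receiver expects
    rcv_wnd: int = 65536    # receive window in bytes

    def in_window(self, seq):
        return (seq - self.rcv_nxt) % SEQ_SPACE < self.rcv_wnd


@dataclass
class Server:
    limit: int = 100                            # net.ipv4.tcp_challenge_ack_limit
    conns: dict = field(default_factory=dict)   # 4-tuple -> Conn
    used: int = 0                               # challenge ACKs sent this second

    def tick(self):
        self.used = 0   # new one-second slot: the global counter is reset

    def _challenge_ack(self):
        # Pre-fix kernels: one counter for every socket, so any sender can drain it.
        if self.used < self.limit:
            self.used += 1
            return "CHALLENGE"
        return "DROP"

    def handle(self, four_tuple, flag, seq=0):
        """Process one incoming segment and return what the host does with it."""
        conn = self.conns.get(four_tuple)
        if conn is None:
            return "NOCONN"   # answered like any new flow; counter untouched
        if flag == "SYN":
            # RFC 5961 s4.2: a SYN on an established connection gets a
            # challenge ACK irrespective of its sequence number.
            return self._challenge_ack()
        if flag == "RST":
            if seq == conn.rcv_nxt:
                del self.conns[four_tuple]      # exact match: connection torn down
                return "RESET"
            if conn.in_window(seq):
                return self._challenge_ack()    # in window but not exact
            return "DROP"                       # out of window: silently dropped
        raise ValueError(flag)


class OffPathAttacker:
    """Sees only replies to its own connection, never the victim's."""

    def __init__(self, server, own_tuple, probe_budget=200):
        self.server, self.own, self.budget = server, own_tuple, probe_budget

    def _round(self, spoofed):
        """One slot: spoof, then probe.  Returns how many spoofed packets burned
        a challenge ACK, visible to us only as probes that went unanswered."""
        self.server.tick()
        for four_tuple, flag, seq in spoofed:
            self.server.handle(four_tuple, flag, seq)   # any reply goes to the victim
        probes = min(self.server.limit, self.budget)
        answered = sum(self.server.handle(self.own, "SYN") == "CHALLENGE"
                       for _ in range(probes))
        return probes - answered

    def connection_exists(self, guess):
        """A spoofed SYN burns exactly one challenge ACK iff the 4-tuple is live."""
        return self._round([(guess, "SYN", 0)]) == 1

    def find_window(self, victim, win=65536):
        """Return a sequence number inside the victim's receive window, or None.
        Guesses spaced `win` apart: one lands in-window and its spoofed RST burns
        a challenge ACK; the rest are dropped silently.  limit-1 guesses per round
        keeps a single hit visible.  (A guess equal to rcv_nxt would reset the
        connection instead; this toy ignores that 1/win chance.)"""
        guesses = list(range(0, SEQ_SPACE, win))
        per_round = self.server.limit - 1
        for i in range(0, len(guesses), per_round):
            block = guesses[i:i + per_round]
            if self._round([(victim, "RST", g) for g in block]) == 0:
                continue
            while len(block) > 1:               # binary search inside the hit block
                half = block[:len(block) // 2]
                hit = self._round([(victim, "RST", g) for g in half])
                block = half if hit else block[len(half):]
            return block[0]
        return None


def demo(limit=100):
    """Run both inferences against a host with the given challenge-ACK limit."""
    victim = ("10.0.0.5", 40000, "203.0.113.7", 443)        # constructed 4-tuple
    own = ("198.51.100.9", 51000, "203.0.113.7", 443)       # attacker's own flow
    server = Server(limit=limit)
    server.conns[victim] = Conn(rcv_nxt=0x12345678)
    server.conns[own] = Conn(rcv_nxt=1)
    attacker = OffPathAttacker(server, own)
    return {
        "exists": attacker.connection_exists(victim),
        "bogus": attacker.connection_exists(("10.0.0.6", 40000, "203.0.113.7", 443)),
        "window_hit": attacker.find_window(victim),
        "victim_still_up": victim in server.conns,
    }


if __name__ == "__main__":
    print("default limit:", demo())
    print("limit 999999999:", demo(999999999))
```

With the default limit of 100 the attacker learns that the guessed 4-tuple is live and narrows the victim’s receive window to one 64 KB range in a few dozen one-second rounds, without ever seeing a packet of the victim’s connection. With the limit raised to 999999999, as Lookout suggests for rooted devices, the 200 probes are always answered and both inferences fail. The upstream kernel fix randomises the per-second limit rather than simply raising it, so the sysctl is a stopgap, not a substitute for the patch.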

Putting it simply

The vulnerability makes it possible for anyone with an Internet connection to determine whether any two parties are communicating over a long-lived Transmission Control Protocol (TCP) connection, such as those that serve Web mail, news feeds, or direct messages. If the connection isn’t encrypted, the attacker can then inject malicious code or content into the traffic. Even when the connection is encrypted, the attacker may still be able to determine that a channel exists and terminate it. The vulnerability is tracked as CVE-2016-5696.

A Google representative said company engineers are already aware of the vulnerability and are “taking the appropriate actions.” As noted above, the representative pointed out that the flaw resides in vulnerable versions of the Linux kernel and is not Android-specific. The representative went on to say that the Android security team rates the risk “moderate,” as opposed to “high” or “critical” for many of the vulnerabilities it patches. Maintainers of the Linux kernel have already patched CVE-2016-5696. It wouldn’t be surprising if that fix is incorporated into a new Android release in the next month or so.

Source: USENIX, Lookout Security
