Eight out of 10 Android devices are affected by a critical Linux vulnerability disclosed last week that allows attackers to identify hosts communicating over the Transmission Control Protocol (TCP) and either terminate connections or attack traffic.
The flaw has been present in the TCP implementation in Linux systems since 2012 (version 3.6 of the kernel), and according to researchers at mobile security company Lookout, 80 percent of Android devices—going back to KitKat—run the same version of the kernel.
The issue was publicly disclosed last week during the USENIX Security Symposium where researchers from the University of California Riverside and the U.S. Army Research Laboratory presented a paper entitled “Off-Path TCP Exploits: Global Rate Limit Considered Dangerous.”
While an attacker would need to be able to identify both ends of a TCP connection before initiating an attack, successful exploits would not need that attacker to be in a man-in-the-middle position on the network, the researchers said.
Lookout security researcher Andrew Blaich said that some other Android vulnerabilities such as Stagefright, Quadrooter or other kernel and driver flaws that are being patched on a monthly may be more severe, but this attack is practical and within reach of hackers.
“This is about information disclosure and an attacker being able to infer where you’re going, what you’re viewing and having the ability to inject code,” Blaich said, adding that chaining this vulnerability with a WebKit or browser-related bug could allow for remote code execution. “All you need is one of those and this is where this bug gets interesting.”
A patch has been pushed to the Linux kernel, but Lookout said that as of Friday, the latest developer preview of Android Nougat still remains vulnerable, and the Android Open Source Project has yet to receive the patch as well. Android updates are released monthly to carriers and handset makers, and over-the-air security updates for Nexus devices are sent by Google the first of every month.
The Cal-Riverside and Army researchers said last week the problem is linked to the introduction of challenge ACK responses and the imposition of a global rate limit on TCP control packets.
“At a very high level, the vulnerability allows an attacker to create contention on a shared resource, i.e., the global rate limit counter on the target system by sending spoofed packets. The attacker can then subsequently observe the effect on the counter changes, measurable through probing packets,” the researchers wrote. “Through extensive experimentation, we demonstrate that the attack is extremely effective and reliable. Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating. If there is a connection, subsequently, it takes also only tens of seconds to infer the TCP sequence numbers used on the connection.”
Blaich cautioned that in some instances where connections must be long-lived such as video conferencing or large file-sharing, attackers could take advantage of those scenarios to exploit this bug.
Lookout recommends that until a patch is ready, Android users should rely on encrypted communications, in particular, deploy a VPN. For rooted Android devices, Lookout recommends using the sysctl tool to change the value for net.ipv4.tcp_challenge_ack_limit a large value such as 999999999. Blaich said he expects a patch to be ready for the next monthly Android update, which is set for Sept. 1.
