Traffic hijacking Linux flaw affects 80 percent of Android devices -- including Nougat
Android has had something of a rough time of things lately with the discovery of the Quadrooter vulnerability and the revelation that a flaw in version 3.6 of the Linux kernel also affects Google's mobile operating system.
Security firm Lookout estimates that 80 percent of Android devices (around 1.4 billion devices) are affected. While initial reports suggested that devices up to Android 4.4 KitKat are at risk, further testing shows that the problem still exists all the way up to Android 7.0 Nougat.
The vulnerability makes it possible to intercept TCP traffic, giving hackers the opportunity to spy on people or even weaken encrypted connections. There is also the potential for injecting malicious code which could be used to gain remote control of a device. In a statement to Ars Technica, a Google spokesperson pointed out that the vulnerability is specific to Linux, not Android, but that the company is "taking the appropriate actions".
While there are a huge number of smartphones and tablets at risk, Lookout says that the flaw is difficult to exploit, somewhat mitigating the risks:
The vulnerability allows an attacker to remotely spy on people who are using unencrypted traffic or degrade encrypted connections. While a man-in-the-middle attack is not required here, the attacker still needs to know a source and destination IP address to successfully execute the attack.
We can estimate then that all Android versions running the Linux Kernel 3.6 (approximately Android 4.4 KitKat) to the latest are vulnerable to this attack, or 79.9 percent of the Android ecosystem.
The vulnerability has been assigned CVE-2016-5696, which is medium severity. The exploitability is hard, but the risk is there, especially for targeted attacks.
We found the patch for the Linux kernel was authored on July 11, 2016. However, checking the latest developer preview of Android Nougat, it does not look like the Kernel is patched against this flaw. This is most likely because the patch was not available prior to the most recent Android update.
Until a patch is published, the company has a few pieces of advice for Android users to follow in order to stay safe:
In order to patch this vulnerability Android devices need to have their Linux kernel updated. Fortunately, there are a few remedies a user can do until the patch is released:
- Encrypt your communications to prevent them from being spied on. This means ensuring the websites you browse to and the apps you use are employing HTTPS with TLS. You can also use a VPN if you want to add an extra step of precaution.
- If you have a rooted Android device you can make this attack harder by using the sysctl tool and changing the value for net.ipv4.tcp_challenge_ack_limit to something very large, e.g. net.ipv4.tcp_challenge_ack_limit = 999999999
- We are not aware of PoCs exploiting this new vulnerability and anticipate Google will patch in the next Android monthly patch. In the meantime, we will continue to monitor for exploits.
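A read-only check for the sysctl mitigation in the list above, as an added example that is not from the article or from Lookout: it reports whether a device's kernel release falls in the 3.6-and-later range cited above and whether net.ipv4.tcp_challenge_ack_limit has been raised to the quoted value. The function names are hypothetical, and it assumes a POSIX shell on the device.

```shell
#!/bin/sh
# Added example: read-only audit of the sysctl mitigation quoted above.
KEY=net.ipv4.tcp_challenge_ack_limit
RECOMMENDED=999999999    # value given in the advice above
PROC_FILE=/proc/sys/net/ipv4/tcp_challenge_ack_limit

# kernel_in_scope RELEASE: succeeds if RELEASE (uname -r style) is 3.6 or
# later, the range the article reports as affected.
kernel_in_scope() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in '') return 1 ;; esac
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 6 ]; }
}

# classify_limit VALUE: prints "raised" when VALUE is at least RECOMMENDED,
# "not-raised" for a smaller number, "unreadable" for anything else.
classify_limit() {
    case "$1" in ''|*[!0-9]*) echo unreadable; return 0 ;; esac
    if [ "$1" -ge "$RECOMMENDED" ]; then echo raised; else echo not-raised; fi
}

# read_limit [FILE]: prints the current limit, or nothing if it cannot be read.
read_limit() {
    f=${1:-$PROC_FILE}
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f" || true; fi
}

# audit RELEASE VALUE: prints a one-line verdict; changes nothing itself.
audit() {
    state=$(classify_limit "$2")
    if ! kernel_in_scope "$1"; then
        echo "kernel $1: not identified as 3.6 or later ($KEY=${2:-?})"
    elif [ "$state" = raised ]; then
        echo "kernel $1: in range, limit raised ($KEY=$2)"
    else
        echo "kernel $1: in range, limit $state; as root: sysctl -w $KEY=$RECOMMENDED"
    fi
}

audit "$(uname -r)" "$(read_limit)"
```

A value set with sysctl -w does not survive a reboot, so re-run the check after the device restarts.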