Lookout recently discovered that a serious TCP exploit reported this week also impacts nearly 80% of Android devices, around 1.4 billion devices based on an install base reported by Statista. The vulnerability lets attackers obtain unencrypted traffic and degrade encrypted traffic to spy on victims. The issue should concern Android users because attackers can carry out this spying without a traditional "man-in-the-middle" attack, in which they must first compromise the network in order to intercept the traffic.
Researchers from the University of California, Riverside and the U.S. Army Research Laboratory recently revealed a vulnerability in TCP at the USENIX Security 2016 conference, specifically pertaining to Linux systems. The vulnerability allows an attacker to remotely spy on people who are using unencrypted traffic or to degrade encrypted connections. While a man-in-the-middle position is not required here, the attacker still needs to know a source and destination IP address to successfully execute the attack.
The vulnerability has been assigned CVE-2016-5696 and is rated medium severity. Exploitation is difficult, but the risk is real, especially for targeted attacks.
We found that the patch for the Linux kernel was authored on July 11, 2016. However, checking the latest developer preview of Android Nougat, it does not look like the kernel is patched against this flaw. This is most likely because the patch was not available prior to the most recent Android update.
What this means
If you’re running an enterprise mobility program, a number of Android devices are potentially vulnerable to a serious spying attack. CISOs should be aware that this new vulnerability affects their Linux environments, Linux-based server connections (e.g., to popular websites), in addition to Android devices. Enterprises are encouraged to check if any of the traffic to their services (e.g., email) is using unencrypted communications. If so, targeted attacks would be able to access and manipulate unencrypted sensitive information, including any corporate emails, documents, or other files.
In order to patch this vulnerability, Android devices need to have their Linux kernel updated. Fortunately, there are a few steps a user can take until the patch is released:
If you are more technically inclined, you can check whether your device is vulnerable by running the following command from an adb shell: sysctl net.ipv4.tcp_challenge_ack_limit. If the number reported is less than 1,000 (1,000 is the new value set by the patch), your Android device most likely does not contain the necessary patch.
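The check above, wrapped in a small POSIX shell script as an added example (this is not Lookout's tooling): it reads the sysctl over adb, strips the key and any carriage return from the output, and classifies the device against the 1,000 threshold the post gives. It assumes `adb` is on PATH and the device is authorized for USB debugging.

```shell
#!/bin/sh
# Added example: classify an Android device by its challenge-ACK rate limit.
# The patched kernel reports 1000 (per the post); lower values suggest no patch.

PATCHED_LIMIT=1000

# classify_challenge_ack LINE
# LINE is the raw output of `sysctl net.ipv4.tcp_challenge_ack_limit`, e.g.
#   net.ipv4.tcp_challenge_ack_limit = 100
# or a bare number read from /proc/sys. Prints one of:
#   vulnerable  (limit below the patched value)
#   patched     (limit at or above the patched value)
#   unknown     (sysctl missing or output not parsable; a kernel older than
#                3.6 has no challenge-ACK limit at all, so also check the
#                kernel version before drawing a conclusion)
classify_challenge_ack() {
    line=$(printf '%s' "$1" | tr -d '\r')   # older adb builds emit CRLF
    value=$(printf '%s\n' "$line" | sed -n \
        's/^\(net\.ipv4\.tcp_challenge_ack_limit[[:space:]]*=[[:space:]]*\)\{0,1\}\([0-9][0-9]*\).*/\2/p')
    if [ -z "$value" ]; then
        echo "unknown"
    elif [ "$value" -lt "$PATCHED_LIMIT" ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
    return 0
}

# check_device [SERIAL]
# Queries the connected device (or the one with SERIAL) and prints its class.
check_device() {
    if [ -n "$1" ]; then
        out=$(adb -s "$1" shell sysctl net.ipv4.tcp_challenge_ack_limit 2>/dev/null)
    else
        out=$(adb shell sysctl net.ipv4.tcp_challenge_ack_limit 2>/dev/null)
    fi
    classify_challenge_ack "$out"
}

# Touch hardware only when invoked as: sh check_cve_2016_5696.sh run [SERIAL]
if [ "$1" = "run" ]; then
    check_device "$2"
fi
```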