A Linux TCP vulnerability that lets attackers inject malicious code into unencrypted data streams allegedly affects Android devices running kernel version 4.7 and prior.
While the vulnerability has been patched on Linux, Google has yet to release a patch. Even the latest developer preview of Android Nougat is not safe from the exploit, although there are no reports of it being used in the wild.
Rated as “Medium” under CVE-2016-5696, the vulnerability could allow an attacker to inject malicious traffic by guessing TCP sequence numbers. Even with the source and destination IP addresses known, a successful attack still requires time to intercept enough traffic to guess the TCP sequence numbers.
“In a nutshell, the vulnerability allows a blind off-path attacker to infer if any two arbitrary hosts on the Internet are communicating using a TCP connection,” reads the research paper. “Further, if the connection is present, such an off-path attacker can also infer the TCP sequence numbers in use, from both sides of the connection; this in turn allows the attacker to cause connection termination and perform data injection attacks.”
Researchers also found that a successful attack could take 40 to 60 seconds, with a success rate of 88 to 97 percent. The proof-of-concept also involved undermining the privacy guarantees of the Tor anonymity network by triggering a denial-of-service that could force victims’ traffic to exit through certain exit nodes.
“In general, we believe that a DoS attack against Tor connections can have a devastating impact on both the availability of the service as a whole and the privacy guarantees that it can provide,” according to the research. “The default policy in Tor is that if a connection is down between two relay nodes, say a middle relay and an exit relay, the middle relay will pick a different exit relay to establish the next connection. If an attacker can dictate which connections are down (via reset attacks), then the attacker can potentially force the use of certain exit relays.”
With a potential 1.4 billion Android devices vulnerable to this type of attack, users are strongly encouraged either to visit only websites that use SSL/TLS to encrypt data or to use a VPN. Since even secure websites could carry ads delivered over unencrypted connections, the VPN option would mitigate any such risks.