PINDROP BLOG

Big Chunk of Android Devices Vulnerable to TCP Hijacking Bug

The TCP hijacking vulnerability in Linux disclosed last week also affects about 80 percent of Android phones in use right now, researchers said.

The bug in question lies in the Linux kernel and has been there since version 3.6 of the kernel. It allows an attacker to hijack a TCP session by inferring the TCP sequence numbers for the packets flowing between two given hosts. The vulnerability affects an untold number of Linux devices, including servers, embedded devices, and other machines.

The Android operating system is based on Linux, and researchers at Lookout Mobile Security say that about 79.9 percent of Android phones in use are vulnerable to this attack, based on the Linux kernel version shipped in each version of the OS. Phones running Android 4.4 and later are vulnerable, the researchers said.

“We found the patch for the Linux kernel was authored on July 11, 2016. However, checking the latest developer preview of Android Nougat, it does not look like the Kernel is patched against this flaw. This is most likely because the patch was not available prior to the most recent Android update,” Andrew Blaich of Lookout said in a post.

“If you’re running an enterprise mobility program, a number of Android devices are potentially vulnerable to a serious spying attack. CISOs should be aware that this new vulnerability affects their Linux environments, Linux-based server connections (e.g., to popular websites), in addition to Android devices. Enterprises are encouraged to check if any of the traffic to their services (e.g., email) is using unencrypted communications. If so, targeted attacks would be able to access and manipulate unencrypted sensitive information, including any corporate emails, documents, or other files.”

Exploiting this vulnerability is not a simple task, but it’s doable if the attacker knows the IP addresses of both the sender and receiver for a given connection. An adversary who can exploit the bug would be able to intercept unencrypted sessions and terminate encrypted ones.
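The bug the post describes is the global challenge-ACK rate limit that Linux introduced with its RFC 5961 support in kernel 3.6, which is why the interim workaround circulated at the time was to raise `net.ipv4.tcp_challenge_ack_limit` until a patched kernel could be installed. The script below is an added example, not code from Pindrop, Lookout or the UC Riverside researchers: it assesses a Linux host from two inputs (kernel version and the current sysctl value) and prints the workaround when the host looks exposed. The function names, the three result labels and the `1000000` threshold below which a host is treated as exposed are this example's own choices. A kernel version alone cannot tell you whether a distribution backported the fix, so the sysctl value is the actionable check; on Android the same sysctl exists but changing it needs root, so the practical remedy there is a vendor update.

```shell
#!/bin/sh
# Added example: assess exposure to the off-path TCP hijacking bug (Linux >= 3.6
# global challenge-ACK rate limit) and print the sysctl workaround.
# Assumptions (this example's own, not the article's): the 1000000 threshold,
# the result labels, and the helper names below.

# version_ge A B: exit 0 if dotted version A is >= B on the major.minor fields.
# Compares numerically so that 3.10 correctly sorts after 3.6.
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ] && return 0
    return 1
}

# assess KERNEL_VERSION CHALLENGE_ACK_LIMIT
# Prints exactly one of: not-affected | mitigated | exposed
assess() {
    kernel=$1; limit=$2
    if ! version_ge "$kernel" "3.6"; then
        # Kernels before 3.6 have no global challenge-ACK counter to probe.
        echo not-affected
    elif [ "$limit" -ge 1000000 ]; then
        # Limit raised far enough that the shared counter no longer leaks
        # usable information per second; this is the documented interim workaround.
        echo mitigated
    else
        # In-range kernel with the default (small) limit: treat as exposed
        # unless you know the vendor backported the fix.
        echo exposed
    fi
}

# live_check: run the assessment against the current host.
live_check() {
    kernel=$(uname -r)
    # Default to 0 if the sysctl is unreadable (non-Linux host or locked-down /proc).
    limit=$(cat /proc/sys/net/ipv4/tcp_challenge_ack_limit 2>/dev/null || echo 0)
    result=$(assess "$kernel" "$limit")
    echo "kernel=$kernel tcp_challenge_ack_limit=$limit -> $result"
    if [ "$result" = exposed ]; then
        echo "workaround: sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999"
        echo "persist it under /etc/sysctl.d/ until a patched kernel is installed"
    fi
}

live_check
```

Run it as root or any user that can read `/proc/sys`; the workaround line only needs to be applied if the result is `exposed`. Note that raising the limit only blunts the side channel; it does not change the fact, stated above, that unencrypted sessions remain readable and encrypted ones can still be reset by an attacker who succeeds, so the recommendation to move sensitive traffic onto encrypted channels stands regardless of the sysctl value.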

“The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out. Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain,” Zhiyun Qian, an assistant professor of computer science at the University of California Riverside who helped discover the vulnerability, said.
