About a week ago, we learned that most people on the Internet were open to attack thanks to a Transmission Control Protocol (TCP) implementation flaw in Linux. Zhiyun Qian, an assistant professor of computer science at the University of California at Riverside, warned that it doesn’t take a tech genius to exploit the Linux flaw. “It can be done easily by anyone in the world,” he said. The researchers presented their paper (pdf) at the USENIX Security Symposium.
Now researchers at Lookout have warned that eight out of 10 Android devices are open to spying since they are also vulnerable to that same bug. There may be more severe Android vulnerabilities out there, but it’s not rocket science to exploit this one. Lookout researcher Andrew Blaich told Threatpost that the “attack is practical and within reach of hackers.”
Lookout said the Linux TCP flaw that allows anyone to hijack internet traffic also affects “nearly 80% of Android, or around 1.4 billion devices.”
The mobile security vendor added:
The vulnerability allows an attacker to remotely spy on people who are using unencrypted traffic or degrade encrypted connections. While a man in the middle attack is not required here, the attacker still needs to know a source and destination IP address to successfully execute the attack.
We can estimate then that all Android versions running the Linux Kernel 3.6 (approximately Android 4.4 KitKat) to the latest are vulnerable to this attack or 79.9% of the Android ecosystem.
The flaw has been around since 2012 and version 3.6 of the Linux kernel. Linux has patched CVE-2016-5696, but Lookout did not see the kernel patched in the latest developer preview of Android Nougat. Currently, Lookout is unaware of any proof-of-concept attacks exploiting the vulnerability and expects Android to close the hole in the next Android monthly patch.
A Google spokesperson pointed out to Ars Technica that the bug is not Android specific, but within the Linux kernel. Nevertheless, engineers are “taking appropriate action.”
Once it is patched, who knows how long it will take to trickle out to users via their mobile carriers? It would be nice to think no PoC attacks will be spotted in the wild before all Androids are patched; nice and reality are not always compatible.
CISOs were advised to be aware that if they are running an enterprise mobility program, then “a number of Android devices are potentially vulnerable to a serious spying attack.” Lookout encouraged enterprises “to check if any of the traffic to their services (e.g., email) is using unencrypted communications. If so, targeted attacks would be able to access and manipulate unencrypted sensitive information, including any corporate emails, documents, or other files.”
The best bet for Android users to protect themselves is to use a VPN. At the very least, if you don’t want to be spied upon, Lookout said to encrypt your communications, for example by making sure the websites and apps you use connect over HTTPS with TLS.
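For the Linux servers and gateways on the other end of that traffic, the check a defender would want is whether a given host still exposes the challenge-ACK side channel behind CVE-2016-5696. The script below is an added example, not Lookout's or the kernel project's code; it assumes the mainline fix shipped in kernel 4.7, that distributions backport that fix without changing the version string (so an old version number alone does not prove a host is vulnerable), and that raising `net.ipv4.tcp_challenge_ack_limit` to a very large value is an acceptable interim mitigation because it makes the rate-limit counter unobservable.

```python
"""Assess a Linux host for the CVE-2016-5696 challenge-ACK side channel."""
import re

FIRST_AFFECTED = (3, 6)   # challenge ACKs arrived in 3.6, per the article
MAINLINE_FIX = (4, 7)     # assumption: mainline fix in 4.7; distros backport it
SAFE_LIMIT = 1_000_000    # assumption: a limit this large removes the side channel


def parse_kernel_version(release: str) -> tuple:
    """Return (major, minor) from a /proc/sys/kernel/osrelease string."""
    match = re.match(r"(\d+)\.(\d+)", release)
    if not match:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(match.group(1)), int(match.group(2))


def assess(release: str, challenge_ack_limit: int) -> str:
    """Classify a host from its kernel release and challenge-ACK limit.

    Returns one of:
      not-affected    kernel predates challenge ACKs entirely
      mitigated       limit raised high enough that the counter leaks nothing
      likely-patched  mainline version carries the fix (assumption: 4.7+)
      vulnerable      affected version, default-sized limit, no proof of a backport
    """
    version = parse_kernel_version(release)
    if version < FIRST_AFFECTED:
        return "not-affected"
    if challenge_ack_limit >= SAFE_LIMIT:
        return "mitigated"
    if version >= MAINLINE_FIX:
        return "likely-patched"
    # Older kernels may carry a distro backport; treat as vulnerable until
    # the vendor's advisory or package changelog confirms otherwise.
    return "vulnerable"


def assess_local_host() -> str:
    """Read the live values from /proc and classify this machine."""
    with open("/proc/sys/kernel/osrelease") as f:
        release = f.read().strip()
    with open("/proc/sys/net/ipv4/tcp_challenge_ack_limit") as f:
        limit = int(f.read().strip())
    return assess(release, limit)


if __name__ == "__main__":
    print(assess_local_host())
```

On a host that reports "vulnerable", the interim fix is to raise the sysctl until the patched kernel is deployed; "likely-patched" still deserves confirmation against the vendor's advisory.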