Linux TCP vulnerability still in Android Nougat

Lookout Security is relaying some new discussion of a vulnerability in the Linux 3.6 and later kernels. An estimated 80 percent of the Android user base (going all the way to KitKat) or 1.4 billion devices are under the gun of this off-path exploit.

In other words, this is not Quadrooter.

In a joint presentation at the USENIX Security Symposium, researchers at the University of California, Riverside, and the United States Army Research Laboratory were concerned about something called the Global Rate Limit.

As the center of the Internet Protocol, TCP isn’t really meant to be security-focused. Researchers found that hackers could essentially infer an unencrypted TCP connection between two points, determine the protocol sequence numbers and, thus, terminate the connection and/or inject data. It’s a difficult hack with an easy fix — easy in that it has existed since July 11 and is waiting to be applied to Android.

In a blog post, Lookout stated that it has not found that fix applied in the fifth developer preview of Android Nougat, released only a week after the fix.

So, what does this mean for you, a consumer as part of the massive consumer machine? Likely, it means that if black hats are able to cast a wide net on sites and their users, you’ll see more JavaScript ads pop up on your screen. You may also receive an automatic logout prompt and may be asked to re-enter credentials, only to have them siphoned. But as the hack takes about a minute to diagnose and manipulate a single connection, this scenario may not happen fast and if patched, probably not at all — Google stated that it is on the case, but it is treating the situation as the United States’s CERT does, a moderate priority.

Remember that Android isn’t the only Linux-based operating system around, but with its reach, this vulnerability will be most impactful here.

Source: USENIX, Lookout Security
Via: Ars Technica

About The Author
Jules Wang
Jules Wang is News Editor for Pocketnow and one of the hosts of the Pocketnow Weekly Podcast. He came onto the team in 2014 as an intern editing and producing videos and the podcast while he was studying journalism at Emerson College. He graduated the year after and entered into his current position at Pocketnow, full-time.