Linux TCP data snooping flaw haunts 1.4bn Android devices


Android Nougat preview is vulnerable.

A recently discovered bug in the implementation of a transmission control protocol (TCP) feature that left servers vulnerable to silent data interception may affect up to 1.4 billion Google Android devices as well.


Security vendor Lookout estimates that around 80 percent of Android devices are vulnerable to the attack, which is due to a flaw in the way the RFC 5961 standard is implemented in the Linux kernel.

Android 4.4 KitKat uses the vulnerable Linux kernel version 3.6, and Lookout researcher Andrew Blaich pointed to figures from metrics company Statista, which put the number of affected devices at around 1.4 billion.

Linux kernel developers patched the flaw in July this year, but Blaich noted that the remedy hasn't yet been applied to the latest developer preview of Android Nougat, the forthcoming version 7.0 of Google's mobile operating system.

While the flaw is hard to exploit, there is a risk of it being used in targeted attacks.

Mitigations for unpatched Android devices include encrypting communications and using virtual private networks (VPNs) as an added precaution, Blaich said.

Blaich suggested that technically adept users enable the Android Debug Bridge (ADB) and read the net.ipv4.tcp_challenge_ack_limit sysctl variable from the command line to assess whether their devices are vulnerable.

If the sysctl returns a value below 1,000, the Linux kernel in Android has not been patched against the protocol flaw.

Increasing net.ipv4.tcp_challenge_ack_limit to a large value such as 999999999 also makes the attack harder to execute.
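The check Blaich describes, written out as a small POSIX shell script. This is an added example and not code from the article or from Lookout; it assumes `adb` is on the host's PATH and USB debugging is enabled on the device, and it treats the article's threshold (a value below 1,000) as "unpatched".

```shell
#!/bin/sh
# Added example (not from the article): read net.ipv4.tcp_challenge_ack_limit
# over ADB and classify the device as patched / unpatched / unknown.
SYSCTL_KEY="net.ipv4.tcp_challenge_ack_limit"
PATCHED_MIN=1000            # article: a value below 1,000 means the kernel is unpatched
HARDENED_VALUE=999999999    # article: a large value that makes the attack harder

# classify_limit RAW -> prints "patched", "unpatched" or "unknown".
# RAW may be "key = value" (sysctl output), a bare number (/proc read),
# or an error message / empty string when the knob could not be read.
classify_limit() {
    raw=$(printf '%s' "$1" | tr -d '[:space:]')   # drop whitespace, keep "key=value"
    value=${raw##*[!0-9]}                          # keep only the trailing digits
    case $value in
        '') echo unknown ;;                        # no number found: cannot assess
        *)  if [ "$value" -lt "$PATCHED_MIN" ]; then echo unpatched; else echo patched; fi ;;
    esac
}

# query_device: ask the device for the sysctl, falling back to /proc.
query_device() {
    adb shell "sysctl $SYSCTL_KEY 2>/dev/null || cat /proc/sys/net/ipv4/tcp_challenge_ack_limit" 2>/dev/null
}

# report_device: run the query and print a defender-oriented verdict.
report_device() {
    raw=$(query_device)
    case $(classify_limit "$raw") in
        unpatched)
            echo "$SYSCTL_KEY is below $PATCHED_MIN: kernel NOT patched for the RFC 5961 flaw"
            echo "Until a kernel update arrives, use encrypted transports / a VPN."
            echo "Root-only hardening: adb shell sysctl -w $SYSCTL_KEY=$HARDENED_VALUE" ;;
        patched)
            echo "$SYSCTL_KEY is $PATCHED_MIN or higher: kernel appears patched" ;;
        unknown)
            echo "could not read $SYSCTL_KEY (no device attached, or the kernel does not expose it)" ;;
    esac
}

# Only touch a device when explicitly asked, so the functions can be sourced safely.
if [ "${1-}" = "--device" ]; then
    report_device
fi
```

Run it as `sh check_challenge_ack.sh --device` with the phone attached; sourcing the file without the flag only defines the functions.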

Copyright © iTnews.com.au. All rights reserved.