Researchers reveal how Linux and Android systems can be compromised from anywhere

Researchers at the University of California, Riverside have found a weakness in the Transmission Control Protocol (TCP) of all Linux operating systems since late 2012. This vulnerability allows attacker to access users’ internet communications completely remotely.

This kind of weakness could be used to conduct attacks that track users’ online activity, terminate their communications, take over a conversation between hosts or degrade the privacy guarantee by anonymity networks such as Tor.

A security threat identified by researchers at UC Riverside could be used to launch targeted attacks. (Image via UCR)
A security threat identified by researchers at UC Riverside could be used to launch targeted attacks. (Image via UCR)

Typically, most users don’t interact directly with the Linux operating system. Instead the software runs behind-the-scenes on internet servers, android phones and other devices. To transfer information from one source to another, Linux and other operating systems use the Transmission Control Protocol (TCP) to package and send data, as well as the Internet Protocol (IP) to ensure the information gets to the correct place.

So, for example, when two people send e-mails, TCP assembles their message into data packets which can be identified by unique sequence numbers. Those data packets are transmitted, received, and reassembled into the original message. Those TCP sequence numbers are useful to attackers, but with almost 4 billion possible sequences, it’s almost impossible to identify the sequence number associated with any particular communication by chance.

Instead, the UCR researchers, led by computer science graduate student Yue Cao, didn’t rely on that chance. Cao and the team discovered a subtle flaw (in the form of ‘side channels’) in the Linux software that allows attackers to infer the TCP sequence numbers associated with a particular connection with no more information than the IP address of the communicating parties.

What this means is that if you have any two arbitrary machines on the Internet, a remote blind attacker — without being able to eavesdrop on the communication— can track users’ online activity, terminate their connections, and inject false material into their communications.

While encrypted connections like HTTPS are immune to data injection, they are still subject to being forcefully terminated by the attacker. The weakness would allow attackers to degrade the privacy of anonymity networks, such as Tor, by forcing the connections to route through certain relays.

The researchers found the attack to be fast and reliable, often taking less than a minute and showing a success rate of about 90%.

Here is a video showing how the attacks work.

According to the team, unlike with traditional cyber attacks, users could become victims without even doing anything wrong, like downloading malware or clicking on a link in a phishing email.

“The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out. Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain,” said Zhiyun Qian, an assistant professor of computer science at UCR.

Qian said the researchers have alerted Linux about the vulnerability, which has resulted in patches applied to the latest Linux version. Until then, Qian recommends the following temporary patch that can be applied to both client and server hosts. It simply raises the “challenge ACK limit” to an extremely large value to make it practically impossible to exploit the side channel.

This can be done on Ubuntu, for instance, as follows:

1. Open /etc/sysctl.conf, append a command “/net.ipv4/tcp_challenge_ack_limit = 999999999”.

2. Use “sysctl -p” to update the configuration.

Story via University of California, Riverside.

Comments are closed, but trackbacks and pingbacks are open.