Researchers have discovered a serious security vulnerability in Linux's implementation of the Transmission Control Protocol (TCP), present since late 2012, that allows attackers to remotely compromise users' internet communications.
According to a research study published by researchers from the University of California, Riverside, the flaw could potentially be used by threat actors to "launch targeted attacks that track users' online activity, forcibly terminate a communication, hijack a conversation between hosts or degrade the privacy guarantee by anonymity networks such as Tor."
Although most internet users do not use Linux directly, it runs behind the scenes on internet servers, Android phones and many other devices.
TCP is used by Linux and other operating systems together with the Internet Protocol (IP) to move information from one place to another, packaging data and delivering it to its intended destination. When you hit send on an email to a friend, for example, TCP breaks your message into a series of data packets that are transmitted, received and reassembled at the other end to reproduce the original message.
However, the researchers found a subtle but critical flaw (CVE-2016-5696) in all Linux kernel versions 3.6 and later that exposes a "side channel", allowing a malicious attacker to infer a connection's TCP sequence numbers using nothing more than the IP addresses of the two parties. An attacker can then remotely eavesdrop on the users' communication, track their online activity, inject malicious material into the communication or even terminate the connection altogether.
Encrypted connections such as HTTPS are immune to data injection but can still be forcibly shut down by an attacker. Anonymity networks such as Tor can also be affected, by forcing a connection to route through certain relays.
"The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out," said project adviser and assistant professor of computer science at UCR Zhiyun Qian in a statement. "Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain."
The researchers also posted a short YouTube video demonstrating how the attacks work.
They also noted that the attack, which has a success rate of about 90%, is quick and reliable, often taking less than a minute to carry out.
"We emphasize that the attack can be carried out by a purely off-path attacker without running malicious code on the communicating client or server," the researchers wrote in an accompanying paper titled 'Off-Path TCP Exploits: Global Rate Limit Considered Dangerous.' "This can have serious implications on the security and privacy of the Internet at large."
The Linux kernel maintainers have already been informed of the vulnerability and the latest kernel version has been patched, the researchers said.
For client and server hosts, Qian recommends raising the "challenge ACK limit" to a very high value as a temporary mitigation, which effectively prevents an attacker from exploiting the side channel.
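A host-side check for the mitigation described above, added here as an example and not taken from the article or the UCR paper. It assumes the "challenge ACK limit" is the Linux sysctl net.ipv4.tcp_challenge_ack_limit (a real kernel sysctl the page does not name) and uses a constructed "very high" value, since the page gives no number.

```shell
# Added example (not from the article or the UCR paper): audit a Linux host for the
# CVE-2016-5696 mitigation. The sysctl name is a real kernel sysctl the page does not
# name; RECOMMENDED_LIMIT is a constructed "very high" value, as the page gives none.
RECOMMENDED_LIMIT=999999999

# Returns 0 if a kernel version string such as "4.4.0-31-generic" is 3.6 or later,
# the range the article reports as affected; returns 1 otherwise.
kernel_in_affected_range() {
    ver=${1%%-*}                 # drop the "-31-generic" suffix
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -ge 6 ] && return 0
    return 1
}

# Prints "mitigated", "exposed" or "unknown" for a given limit value.
challenge_ack_status() {
    limit=$1
    case $limit in
        ''|*[!0-9]*) echo unknown; return ;;   # empty or non-numeric input
    esac
    if [ "$limit" -ge "$RECOMMENDED_LIMIT" ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# Reads the live kernel version and sysctl value; the sysctl file is absent on
# non-Linux systems, in which case the status is reported as "unknown".
audit_host() {
    kernel=$(uname -r)
    f=/proc/sys/net/ipv4/tcp_challenge_ack_limit
    limit=
    [ -r "$f" ] && limit=$(cat "$f")
    status=$(challenge_ack_status "$limit")
    if kernel_in_affected_range "$kernel"; then
        echo "kernel $kernel: in affected range (3.6+), challenge ACK limit=${limit:-n/a}: $status"
    else
        echo "kernel $kernel: below 3.6, outside the range the article reports"
    fi
    if [ "$status" != mitigated ]; then
        echo "temporary mitigation: sysctl -w net.ipv4.tcp_challenge_ack_limit=$RECOMMENDED_LIMIT"
    fi
}

[ "$(uname -s)" = Linux ] && audit_host
```

The sysctl change is the article's temporary mitigation only; the permanent fix is the patched kernel mentioned above.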