Researchers find Linux vulnerability that lets 'anyone in the world' hijack web traffic

Security researchers at the University of California, Riverside, have uncovered a major Linux vulnerability that enables hackers to hijack Internet traffic which, if exploited, can be used to intercept communications, launch targeted attacks, and lower Tor's anonymity. The vulnerability impacts iterations of the open-source kernel released in the past four years.

The security researchers believe that this security issue "affects a wide range of devices and hosts" - the open-source kernel is well known for powering a significant number of servers and being at the heart of Android, the most popular mobile operating system today. The vulnerability was introduced in a TCP specification that is found in Linux versions starting with 3.6, which was released in September 2012.

TCP, which stands for Transmission Control Protocol, is used to send data from one host to another, being identified using unique sequence numbers. There are nearly four billion possible sequence numbers, which makes it "essentially impossible" for a hacker to identify the exact one that is associated with a particular communication, like an email message.

However, the security researchers have discovered "a subtle flaw (in the form of 'side channels') in the Linux software that enables attackers to infer the TCP sequence numbers associated with a particular connection with no more information than the IP address of the communicating parties".

The most interesting thing about this vulnerability is that it allows virtually anyone to hijack the traffic between two Linux-powered devices, as long as it is not encrypted. Encrypted communications, on the other hand, can only be killed remotely - while still a major concern, the threat is lower.

"The unique aspect of the attack we demonstrated is the very low requirement to be able to carry it out. Essentially, it can be done easily by anyone in the world where an attack machine is in a network that allows IP spoofing. The only piece of information that is needed is the pair of IP addresses (for victim client and server), which is fairly easy to obtain", says Zhiyun Qian, one of the security researchers behind the discovery.

When it comes to Tor, the security researchers say that a hacker could degrade its privacy by "forcing the connections to route through certain relays", where they likely can inspect the traffic and possibly determine where it originates from.

"The attack is fast and reliable, often taking less than a minute and showing a success rate of about 90 per cent", says the report describing the vulnerability. The security researchers have posted a video which shows how an attack might be carried out.

The latest version of Linux contains the necessary patches for this vulnerability, with a temporary fix being offered until it can be installed on affected devices.

Qian recommends raising the "challenge ACK limit" to a very high value, like "999999999", to "make it practically impossible to exploit the side channel".

Photo credit: / Shutterstock