10 Percent of Android Devices Vulnerable to Bug

Security researchers at IBM are warning Android users about a vulnerability in the Google-powered mobile operating system that is cropping up on devices that run version 4.3.

Big Blue is calling it the KeyStore Stack Buffer Overflow. The company first came across the issue nine months ago. The good news is Android KitKat users are immune, but the bug does affect the 10.3 percent of Android devices running version 4.3 of the operating system.

EUAs always, we adhered to our responsible disclosure policy and privately reported this issue to the Android Security Team; the result is a patch that is now available in KitKat,EU IBMEUs Roee Hay wrote in an alert. EUConsidering AndroidEUs fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure.EU

Good News, Bad News

As IBM describes it, in recent Android versions credentials like RSA private keys can be hardware-backed. Essentially, Big Blue explained, that means the keystore keys only serve as identifiers for the real keys the hardware backs up. Despite the hardware support, some credentials -- such as VPN PPTP credentials -- are still stored on-disk with encryption.

Theoretically, a malicious application could exploit the vulnerability. The good news is a working exploit needs to overcome a combination of obstacles to succeed, such as data execution prevention, address space layout randomization, stack canaries, and encoding, according to IBM.

The bad news is if the exploit is successful it can leak the deviceEUs lock credentials, leak decrypted master keys, data and hardware-backed key identifiers from the memory or from the disk for an offline attack, and interact with the hardware-backed storage and perform operations on the victimEUs behalf.

What This Really Means

We turned to Craig Young, security researcher for Tripwire, to get his take on the flaw. He told us the Android...

Comments are closed.