Android crypto key vulnerability affects only 10 percent of handsets: report

Jun 30, 2014 by Nancy Owano weblog

IBM researchers have called attention to a serious Android crypto key theft vulnerability but the vulnerability affects only version 4.3, which runs on about 10.3 percent of handsets, reports Dan Goodin in Ars Technica, in a June 30 update of his report. IBM researchers had shed light on the vulnerability, which may allow attackers to steal credentials, including cryptographic keys for banking services and virtual private networks, and PINs or patterns to unlock vulnerable devices. Pau Oliva, senior mobile security engineer at viaForensics, said in Ars Technica that a malicious user exploiting this vulnerability would be able to do RSA key generation, signing, and verification on behalf of the smartphone owner. The bug resides in Android KeyStore, said Goodin. This is the sensitive region of the operating system dedicated to storing cryptographic keys and similar credentials, according to the security advisory posted by Roee Hay, who leads the application security research team at IBM.

The IBM report detailed the impact that an exploit could have. "Successfully exploiting this leads to a malicious code execution under the keystore process." Such code can leak the device's lock credentials; leak decrypted master keys, data and hardware-backed key identifiers from memory; leak encrypted master keys, data and hardware-backed key identifiers from the disk for an offline attack; interact with the hardware-backed storage; and perform crypto-operations such as arbitrary data signing on behalf of the user. Android 4.4, however, is not vulnerable; Android has patched KitKat. On June 23 the discovery by IBM was publicly disclosed, after they had reported the vulnerability in September last year to the Android Security Team. In response the Android team acknowledged the vulnerability, and in November last year the fix was confirmed.

In his June 30 update, Hay thanked the Android Security Team and explained why the IBM team waited before making the disclosure in June this year.

"Nine months ago, my team came across a classic stack-based buffer overflow in the Android KeyStore service. As always, we adhered to our responsible disclosure policy and privately reported this issue to the Android Security Team; the result is a patch that is now available in KitKat. Considering Android's fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure."

A list of what's new for developers in Android 4.4 KitKat includes a section on enhancements. According to the site, among the enhancements are improved cryptographic algorithms. "Android has improved its security further by adding support for two more cryptographic algorithms. Elliptic Curve Digital Signature Algorithm (ECDSA) support has been added to the keystore provider improving security of digital signing, applicable to scenarios such as signing of an application or a data connection. The Scrypt key derivation function is implemented to protect the used for full-disk encryption."


More information: arstechnica.com/security/2014/… fects-86-of-devices/


User comments : 1


Yelmurc
5 / 5 (1) Jun 30, 2014
Well since there are a billion Android devices in use then it only affects 100 million people. Only doesn't feel like the proper word here.