News & Information for Technology Purchasers NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
Home Enterprise I.T. Cloud Computing Applications Hardware More Topics...
GET RECOGNIZED
Let an ISACA® certification elevate your career.
Register today and save
You are here: Home / Mobile Tech / IBM Uncovers Android Security Flaw
DDoS Protection Powered By Verisign
10 Percent of Android Devices Vulnerable to Bug
10 Percent of Android Devices Vulnerable to Bug
By Jennifer LeClaire / NewsFactor Network Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
JUNE
30
2014


Security researchers at IBM are warning Android users about a vulnerability in the Google-powered mobile operating system that is cropping up on devices that run version 4.3.

Big Blue is calling it the KeyStore Stack Buffer Overflow. The company first came across the issue nine months ago. The good news is Android KitKat users are immune, but the bug does affect the 10.3 percent of Android devices running version 4.3 of the operating system.

“As always, we adhered to our responsible disclosure policy and privately reported this issue to the Android Security Team; the result is a patch that is now available in KitKat,” IBM’s Roee Hay wrote in an alert. “Considering Android’s fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure.”

Good News, Bad News

As IBM describes it, in recent Android versions credentials like RSA private keys can be hardware-backed. Essentially, Big Blue explained, that means the keystore keys only serve as identifiers for the real keys the hardware backs up. Despite the hardware support, some credentials -- such as VPN PPTP credentials -- are still stored on-disk with encryption.

Theoretically, a malicious application could exploit the vulnerability. The good news is a working exploit needs to overcome a combination of obstacles to succeed, such as data execution prevention, address space layout randomization, stack canaries, and encoding, according to IBM.

The bad news is if the exploit is successful it can leak the device’s lock credentials, leak decrypted master keys, data and hardware-backed key identifiers from the memory or from the disk for an offline attack, and interact with the hardware-backed storage and perform operations on the victim’s behalf.

What This Really Means

We turned to Craig Young, security researcher for Tripwire, to get his take on the flaw. He told us the Android KeyStore vulnerability identified by IBM highlights several risks within both the Android ecosystem specifically as well as the mobile device market as a whole.

“Mobile devices such as smartphones and tablets maintain authentication material for a wide variety of services including personal e-mail and corporate VPNs. This is a consequence of the convenience users have come to expect from their mobile devices,” Young said. “Nobody wants to enter a password every time they check e-mail or post a tweet from their smartphone, so instead the device must maintain authentication tokens designed to prove ownership of an account.”

Once a device has been compromised, Young said, it is generally not difficult for an attacker with administrative privileges to steal the authentication tokens that are presented to online services in lieu of a password. Young demonstrated at last year's DEF CON 21 conference how stealing the right token from an Android device can have devastating consequences.

According to Young, a high percentage of Android devices will remain vulnerable indefinitely due to fragmentation within the Android device market that prevents some consumers from receiving the latest Android versions.

“This is one of the key advantages of sticking with a device which offers guaranteed updates, such as the Google Nexus line of phones and tablets,” Young said. “On the positive note, the behavior and patterns involved with exploiting this vulnerability should be trivial for anti-virus tools to detect and users who do not stray from Google's curated Play Store are unlikely to find themselves victim of an attack leveraging this exploit.”

Tell Us What You Think
Comment:

Name:

Priyanka:

Posted: 2014-07-09 @ 4:38am PT
Informative post, thanks. These days many bugs seem to creep in by way of apps too and users must be doubly sure before downloading anything new.

Mobile Pundits:

Posted: 2014-07-01 @ 12:14am PT
I am amazed that in this day and age we are still getting pawned by buffer overflow attacks. I have recently read an article about Cross platform Android application development vulnerabilities on Ars that describes a real-world problem. It's always some obscure research lab that has invented some implausible situation.

Michelle:

Posted: 2014-06-30 @ 4:29pm PT
Well written and I agree.

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY BE OF INTEREST
Salesforce.com is the market and technology leader in Software-as-a-Service. Its award-winning CRM solution helps 82,400 customers worldwide manage and share business information over the Internet. Experience CRM success. Click here for a FREE 30-day trial.
MORE IN MOBILE TECH
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Dairy Queen Latest Retailer To Report Hack
Dairy Queen is known for its hot fries and sweet treats, but it just made cyber history as the latest victim of a hack attack. The fast food chain said that customer data at some stores may be at risk.
 
Lessons from the JPMorgan Chase Cyberattack
JPMorgan Chase is investigating a likely cyberattack. The banking giant is cooperating with law enforcement, including the FBI, to understand what data hackers may have obtained.
 
Who Is the Hacker Group Lizard Squad?
Are they dangerous or just obnoxious? That’s what many are wondering about the hacker group Lizard Squad, which tweeted out a bomb threat that grounded a flight with a Sony exec aboard.
 

Enterprise Hardware Spotlight
HP Previews ProLiant Gen9 Data Center Servers
Because traditional data center and server architectures are “constraints” on businesses, HP is releasing new servers aimed at faster, simpler and more cost-effective delivery of computing services.
 
Apple Set To Release Largest iPad Ever
Tech giant Apple seems to have adopted the mantra “go big or go home.” The company is planning to introduce its largest iPad ever: a 12.9-inch behemoth that will dwarf its largest existing models.
 
Alert: HP Recalls 5 Million Notebook AC Power Cords
HP is recalling about 5.6 million notebook computer AC power cords in the U.S. and another 446,700 in Canada because of possible overheating, which can pose a fire and burn hazard.
 

Mobile Technology Spotlight
Samsung Maps Its Way with Nokia's 'Here' App for Galaxy Phones
Korean electronics giant Samsung has opted to license Here, Nokia’s mapping app -- formerly know as Nokia Maps -- for its Tizen-powered smart devices and Samsung Gear S wearable.
 
iPhone 6 May Do NFC-Based Mobile Payments
Apple's latest version of the iPhone may have a mobile wallet to pay for purchases with a tap of the phone. The iPhone 6 reportedly is equipped with near-field communication (NFC) technology.
 
Apple Loses Bid To Block Sales of 9 Samsung Phones
A federal judge has rejected Apple's attempt to block the sale of several older Samsung smartphones that copied features in the iPhone, saying Apple hadn't proven the intellectual theft hurt sales.
 

Navigation
NewsFactor Network
Home/Top News | Enterprise I.T. | Cloud Computing | Applications | Hardware | Mobile Tech | Big Data | Communications
World Wide Web | Network Security | Data Storage | CRM Systems | Microsoft/Windows | Apple/Mac | Linux/Open Source | Personal Tech
Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.