News & Information for Technology Purchasers NewsFactor Sites:     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
Home Enterprise I.T. Cloud Computing Applications Hardware More Topics...
Mobile Phones
24/7/365 Network Uptime!
Average Rating:
Rate this article:  
10 Percent of Android Devices Vulnerable to Bug
10 Percent of Android Devices Vulnerable to Bug

By Jennifer LeClaire
June 30, 2014 2:12PM

    Bookmark and Share
The Android KeyStore vulnerability found by IBM highlights several risks in the Android ecosystem and the mobile device market. One risk highlighted by IBM's discovery is that a high percentage of Android devices will remain vulnerable due to fragmentation in the Android device market that prevents some users from getting the latest Android versions.

Security researchers at IBM are warning Android users about a vulnerability in the Google-powered mobile operating system that is cropping up on devices that run version 4.3.

Big Blue is calling it the KeyStore Stack Buffer Overflow. The company first came across the issue nine months ago. The good news is Android KitKat users are immune, but the bug does affect the 10.3 percent of Android devices running version 4.3 of the operating system.

“As always, we adhered to our responsible disclosure policy and privately reported this issue to the Android Security Team; the result is a patch that is now available in KitKat,” IBM’s Roee Hay wrote in an alert. “Considering Android’s fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure.”

Good News, Bad News

As IBM describes it, in recent Android versions credentials like RSA private keys can be hardware-backed. Essentially, Big Blue explained, that means the keystore keys only serve as identifiers for the real keys the hardware backs up. Despite the hardware support, some credentials -- such as VPN PPTP credentials -- are still stored on-disk with encryption.

Theoretically, a malicious application could exploit the vulnerability. The good news is a working exploit needs to overcome a combination of obstacles to succeed, such as data execution prevention, address space layout randomization, stack canaries, and encoding, according to IBM.

The bad news is if the exploit is successful it can leak the device’s lock credentials, leak decrypted master keys, data and hardware-backed key identifiers from the memory or from the disk for an offline attack, and interact with the hardware-backed storage and perform operations on the victim’s behalf.

What This Really Means

We turned to Craig Young, security researcher for Tripwire, to get his take on the flaw. He told us the Android KeyStore vulnerability identified by IBM highlights several risks within both the Android ecosystem specifically as well as the mobile device market as a whole.

“Mobile devices such as smartphones and tablets maintain authentication material for a wide variety of services including personal e-mail and corporate VPNs. This is a consequence of the convenience users have come to expect from their mobile devices,” Young said. “Nobody wants to enter a password every time they check e-mail or post a tweet from their smartphone, so instead the device must maintain authentication tokens designed to prove ownership of an account.”

Once a device has been compromised, Young said, it is generally not difficult for an attacker with administrative privileges to steal the authentication tokens that are presented to online services in lieu of a password. Young demonstrated at last year's DEF CON 21 conference how stealing the right token from an Android device can have devastating consequences.

According to Young, a high percentage of Android devices will remain vulnerable indefinitely due to fragmentation within the Android device market that prevents some consumers from receiving the latest Android versions.

“This is one of the key advantages of sticking with a device which offers guaranteed updates, such as the Google Nexus line of phones and tablets,” Young said. “On the positive note, the behavior and patterns involved with exploiting this vulnerability should be trivial for anti-virus tools to detect and users who do not stray from Google's curated Play Store are unlikely to find themselves victim of an attack leveraging this exploit.”

Tell Us What You Think



Posted: 2014-07-09 @ 4:38am PT
Informative post, thanks. These days many bugs seem to creep in by way of apps too and users must be doubly sure before downloading anything new.

Mobile Pundits:

Posted: 2014-07-01 @ 12:14am PT
I am amazed that in this day and age we are still getting pawned by buffer overflow attacks. I have recently read an article about Cross platform Android application development vulnerabilities on Ars that describes a real-world problem. It's always some obscure research lab that has invented some implausible situation.


Posted: 2014-06-30 @ 4:29pm PT
Well written and I agree. is the market and technology leader in Software-as-a-Service. Its award-winning CRM solution helps 82,400 customers worldwide manage and share business information over the Internet. Experience CRM success. Click here for a FREE 30-day trial.

 Mobile Phones
1.   Nokia X Phones Had Identity Crisis
2.   Microsoft Axes Android Phones
3.   Sapphire Screen Reported on iPhone 6
4.   Is Apple Dumping iPhones on eBay?
5.   BlackBerry's Hip To Be Square

Nokia X Phones Had Identity Crisis
'Gateway' devices didn't resonate.
Average Rating:
Take My Coffee, But Leave My Phone
We're addicted to phones, study finds.
Average Rating:
IBM Uncovers Android Security Flaw
Ten percent of devices at risk.
Average Rating:
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
34 European Banks Hit by Android-Skirting Malware
Criminals have been finding gaping holes in Android-based two-factor authentication systems that banks around the world are using. The result: 34 banks in four European countries have been hit.
New Web Tracking Technologies Defeat Privacy Protections
Recently developed Web tracking tools are able to circumvent even the best privacy defenses, according to a new study by researchers at Princeton and the University of Leuven in Belgium.
Juniper DDoS Solution Aims at High-IQ Networks
In the face of more complex attacks, Juniper Networks is boosting its DDoS Secure solution to help companies mitigate the threats with more effective security intelligence throughout the network fabric.

Enterprise Hardware Spotlight
Contrary to Report, Lenovo's Staying in Small Windows Tablets
Device maker Lenovo has clarified a report that indicated it is getting out of the small Windows tablet business -- as in the ThinkPad 8 and the 8-inch Miix 2. But the firm said it is not exiting that market.
Seagate Unveils Networked Drives for Small Businesses
Seagate is out with five new networked attached storage products aimed at small businesses. The drives are for companies with up to 50 workers, and range in capacity from two to 20 terabytes.
Another Day, Another Internet of Things Consortium Is Born
In the emerging Internet of Things, zillions of devices will be talking to each other. Samsung, Intel and Dell just formed a consortium to ensure each thing can understand what others are saying.

NewsFactor Network
Home/Top News | Enterprise I.T. | Cloud Computing | Applications | Hardware | Mobile Tech | Big Data | Communications
World Wide Web | Network Security | Data Storage | Small Business | Microsoft/Windows | Apple/Mac | Linux/Open Source | Personal Tech
Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.