Security researchers at IBM are warning Android users about a vulnerability in the Google-powered
operating system that is cropping up on devices that run version 4.3.
Big Blue is calling it the KeyStore Stack Buffer Overflow. The company first came across the issue nine months ago. The good news is Android KitKat users are immune, but the bug does affect the 10.3 percent of Android devices running version 4.3 of the operating system.
“As always, we adhered to our responsible disclosure policy and privately reported this issue to the Android Security Team; the result is a patch that is now available in KitKat,” IBM’s Roee Hay wrote in an alert. “Considering Android’s fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure.”
Good News, Bad News
As IBM describes it, in recent Android versions credentials like RSA private keys can be hardware-backed. Essentially, Big Blue explained, that means the keystore keys only serve as identifiers for the real keys the hardware backs up. Despite the hardware support, some credentials -- such as VPN PPTP credentials -- are still stored on-disk with encryption.
Theoretically, a malicious application could exploit the vulnerability. The good news is a working exploit needs to overcome a combination of obstacles to succeed, such as execution prevention, address space layout randomization, stack canaries, and encoding, according to IBM.
The bad news is if the exploit is successful it can leak the device’s lock credentials, leak decrypted master keys, data and hardware-backed key identifiers from the memory or from the disk for an offline attack, and interact with the hardware-backed and perform operations on the victim’s behalf.
What This Really Means
We turned to Craig Young, researcher for Tripwire, to get his take on the flaw. He told us the Android KeyStore vulnerability identified by IBM highlights several risks within both the Android ecosystem specifically as well as the mobile device market as a whole.
“Mobile devices such as smartphones and tablets maintain authentication material for a wide variety of services including personal e-mail and corporate VPNs. This is a consequence of the convenience users have come to expect from their mobile devices,” Young said. “Nobody wants to enter a password every time they check e-mail or post a tweet from their smartphone, so instead the device must maintain authentication tokens designed to prove ownership of an account.”
Once a device has been compromised, Young said, it is generally not difficult for an attacker with administrative privileges to steal the authentication tokens that are presented to online services in lieu of a password. Young demonstrated at last year's DEF CON 21 conference how stealing the right token from an Android device can have devastating consequences.
According to Young, a high percentage of Android devices will remain vulnerable indefinitely due to fragmentation within the Android device market that prevents some consumers from receiving the latest Android versions.
“This is one of the key advantages of sticking with a device which offers guaranteed updates, such as the Google Nexus line of phones and tablets,” Young said. “On the positive note, the behavior and patterns involved with exploiting this vulnerability should be trivial for anti-virus tools to detect and users who do not stray from Google's curated Play Store are unlikely to find themselves victim of an attack leveraging this exploit.”
Posted: 2014-07-09 @ 4:38am PT
Informative post, thanks. These days many bugs seem to creep in by way of apps too and users must be doubly sure before downloading anything new.
Posted: 2014-07-01 @ 12:14am PT
I am amazed that in this day and age we are still getting pawned by buffer overflow attacks. I have recently read an article about Cross platform Android application development vulnerabilities on Ars that describes a real-world problem. It's always some obscure research lab that has invented some implausible situation.
Posted: 2014-06-30 @ 4:29pm PT
Well written and I agree.