Crypto key vulnerability could affect 86% of Android devices

Mobile & tablets

by Ben Sullivan| 30 June 2014

Google only patched Android 4.4 KitKat, all other versions at risk says IBM.

IBM researchers have discovered a vulnerability in Android phones that could allow hackers to obtain sensitive details about the owner, including PINs, unlock patterns and cryptographic keys.

Sitting in the Android KeyStore, the component of the Android operating system where cryptographic keys are stored, the vulnerability can let attackers execute code that would leak keys and passwords.

The report, from IBM's application security team, said that the security hole is only patched in Android 4.4 KitKat, which leaves 86% of Android devices vulnerable.

Roee Hay, lead of the application security research team at IBM, said in the report: "Nine months ago, my team came across a classic stack-based buffer overflow in the Android KeyStore service.

"As always, we adhered to our responsible disclosure policy and privately reported this issue to the Android Security Team; the result is a patch that is now available in KitKat."
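The bug class Hay names, a stack-based buffer overflow in a service that handles caller-supplied names, is illustrated below. This is a constructed example added to the article, not the Android KeyStore code and not IBM's finding; the buffer size, function names and alias strings are placeholders, and it invents nothing about how the real service stores keys. It shows the unchecked shape next to the bounded check that prevents it.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration of a stack-based buffer overflow in a service
 * that builds a name from untrusted caller input. The buffer size and the
 * function names are hypothetical placeholders, not KeyStore internals. */

#define KEY_NAME_BUF 32   /* hypothetical fixed-size stack buffer */

/* Vulnerable shape: a fixed destination buffer and a copy (strcpy-style)
 * that trusts the caller-supplied length. Expressed here as a length
 * computation so this file never performs the out-of-bounds write itself.
 * Returns the bytes an unchecked copy would write, NUL terminator included. */
size_t unchecked_copy_would_write(const char *alias)
{
    return strlen(alias) + 1;
}

/* Would an unchecked copy of this alias overrun a KEY_NAME_BUF-byte buffer? */
int alias_would_overflow(const char *alias)
{
    return unchecked_copy_would_write(alias) > KEY_NAME_BUF;
}

/* Hardened shape: validate the untrusted length against the buffer before
 * copying. Returns 0 on success, -1 if the alias would not fit; on failure
 * the buffer is left untouched so the caller never sees a partial name. */
int build_key_name_checked(char out[KEY_NAME_BUF], const char *alias)
{
    size_t len = strlen(alias);
    if (len >= KEY_NAME_BUF)      /* leave room for the NUL terminator */
        return -1;
    memcpy(out, alias, len + 1);
    return 0;
}

/* Round-trip helper: store 'alias' through the checked path and report 1 if
 * it was stored verbatim, 0 if the length check rejected it. */
int checked_store_ok(const char *alias)
{
    char buf[KEY_NAME_BUF];
    if (build_key_name_checked(buf, alias) != 0)
        return 0;
    return strcmp(buf, alias) == 0;
}

int main(void)
{
    /* Constructed sample aliases: one that fits, one that would overflow. */
    const char *ok  = "user_rsa_key";
    const char *bad = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

    printf("%-40s unchecked overflow: %d  checked store: %s\n", ok,
           alias_would_overflow(ok), checked_store_ok(ok) ? "stored" : "rejected");
    printf("%-40s unchecked overflow: %d  checked store: %s\n", bad,
           alias_would_overflow(bad), checked_store_ok(bad) ? "stored" : "rejected");
    return 0;
}
```

The point for a reviewer is the shape of the fix rather than the specific sizes: every copy into a fixed stack buffer needs the destination size compared against the untrusted length before the write, and the failure path must reject the input rather than truncate it silently.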

An Android security expert in the computer science department of Rice University in Texas emailed Ars Technica and said: "Generally speaking this is how apps are going to store their authentication credentials, so if you can compromise the KeyStore, you can log in as the phone's user to any service where they've got a corresponding app, or, at least, an app that remembers who you are and lets you log back in without typing a password.

"This means that most banking apps, which force you to type your password every time, are probably safe against this particular attack. The amount of damage you can do, then, has a lot to do with which apps this lets the attacker compromise. If the attacker can compromise your Twitter account, then yeah, they can spew spam in your name. Not very exciting. If the attacker can get anywhere near your money, then it gets more interesting."
