Researchers have found a serious bug in Google's Android mobile device operating system which can be exploited to leak digital keys protecting devices, financial services and virtual private networks (VPNs).
The security hole in the Keystore credentials storage service was discovered by IBM researchers nine months ago but the publication of the flaw was delayed due to what the team says is "Android's fragmented nature and the fact that this was a code-execution vulnerability."
Although Google has over the years worked to strengthen the Keystore to make it more secure, the researchers nevertheless found what they term a "classic stack-based buffer overflow" programming mistake in the code.
Buffers are temporary data storage areas for applications. Unless they are ring-fenced with bounds checks, attackers can send more data than a buffer can hold and overflow it.
The data in question can be executable code that could run in the system security context, causing either a compromise or a crash.
A comment in the source code for Android confirms that the Keystore credential storage does not have boundary checks on its buffers, "to keep things simple".
/* KeyStore is a secured storage for key-value pairs. In this implementation,
 * each file stores one key-value pair. Keys are encoded in file names, and
 * values are encrypted with checksums. The encryption key is protected by a
 * user-defined password. To keep things simple, buffers are always larger than
 * the maximum space we needed, so boundary checks on buffers are omitted. */
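The following C program is an added illustration of the bug class the article describes, not code from the article or from Android's KeyStore. It models the "buffers are always larger than needed, so boundary checks are omitted" assumption with a hypothetical 64-byte stack buffer: one function copies a caller-supplied length into that buffer with no check (the vulnerable pattern), and the other validates the length first and refuses anything that does not fit. The buffer size, function names and the constructed 0x41-filled input are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer, standing in for the "always larger
 * than the maximum space we needed" assumption in the quoted comment. */
#define VALUE_BUF_SIZE 64

/* Vulnerable pattern: copies a caller-controlled length into a fixed stack
 * buffer without checking that it fits. For len > VALUE_BUF_SIZE this writes
 * past the end of buf, which is undefined behaviour and corrupts the stack
 * frame. The byte-sum is returned only so the buffer is genuinely used. */
int store_value_unchecked(const uint8_t *value, size_t len, uint32_t *sum_out) {
    uint8_t buf[VALUE_BUF_SIZE];
    uint32_t sum = 0;
    memcpy(buf, value, len);                 /* no bounds check */
    for (size_t i = 0; i < len; i++) {
        sum += buf[i];                       /* also reads past buf if len > 64 */
    }
    *sum_out = sum;
    return 0;
}

/* Hardened pattern: validate the length against the destination size before
 * copying, and refuse oversized input rather than truncating it silently. */
int store_value_checked(const uint8_t *value, size_t len, uint32_t *sum_out) {
    uint8_t buf[VALUE_BUF_SIZE];
    uint32_t sum = 0;
    if (value == NULL || sum_out == NULL || len > sizeof(buf)) {
        return -1;                           /* rejected: nothing is written */
    }
    memcpy(buf, value, len);
    for (size_t i = 0; i < len; i++) {
        sum += buf[i];
    }
    *sum_out = sum;
    return 0;
}

/* Demonstration helper: feeds a constructed value of `len` bytes (all 0x41)
 * to the checked store and returns its result code (0 accepted, -1 refused). */
int try_store_checked(size_t len) {
    uint8_t input[256];
    uint32_t sum;
    if (len > sizeof(input)) {
        return -2;                           /* outside the demo's own input */
    }
    memset(input, 0x41, sizeof(input));
    return store_value_checked(input, len, &sum);
}

/* Byte-sum the checked store computes for the constructed input, or 0 if
 * the input was rejected. */
uint32_t checked_sum(size_t len) {
    uint8_t input[256];
    uint32_t sum = 0;
    if (len > sizeof(input)) {
        return 0;
    }
    memset(input, 0x41, sizeof(input));
    if (store_value_checked(input, len, &sum) != 0) {
        return 0;
    }
    return sum;
}

/* Same for the unchecked store. Only ever call this with len <= VALUE_BUF_SIZE;
 * anything larger triggers the overflow the function exists to illustrate. */
uint32_t unchecked_sum(size_t len) {
    uint8_t input[VALUE_BUF_SIZE];
    uint32_t sum = 0;
    if (len > sizeof(input)) {
        return 0;
    }
    memset(input, 0x41, sizeof(input));
    store_value_unchecked(input, len, &sum);
    return sum;
}

int main(void) {
    printf("32 bytes  -> %d\n", try_store_checked(32));   /* 0: accepted */
    printf("200 bytes -> %d\n", try_store_checked(200));  /* -1: refused */
    return 0;
}
```

The point of the comparison is where the decision is made: the checked version compares the incoming length against `sizeof(buf)` before the `memcpy`, so an oversized value is refused with an error rather than written onto the stack. A comment promising that "buffers are always larger than needed" is an assumption about callers that a fixed-size buffer cannot enforce; the explicit check does.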
Exploiting the Keystore buffer overflow requires attackers to trick users into installing a malicious app, which in turn would need to be coded to get around further Android security measures of varying difficulty. At this stage, it is not known if there are exploits in the wild for the Keystore vulnerability.
Google has patched the Keystore flaw in Android "Kit Kat" version 4.4 and above; it remains an issue in version 4.3.
Google has not yet commented on the issue, or said if there will be a patch for older versions of Android as well.
Update: IBM's security systems division has contacted iTnews after Google's Android Security Team alerted the company to the fact that the Keystore vulnerability only affects version 4.3 of the mobile operating system, not all variants preceding it, as previously described by IBM and repeated by iTnews.
This means 10 percent of Android’s installed user base is affected by the vulnerability, and not 86 percent as IBM previously reported.