KeyStore Vulnerability Affects 86% of Android Devices

jones_supa (887896) writes "IBM security researchers have published an advisory about an Android vulnerability that may allow attackers to obtain highly sensitive credentials, such as cryptographic keys for some banking services and virtual private networks, and PINs or patterns used to unlock vulnerable devices. It is estimated that the flaw affects 86 percent of Android devices. Android KeyStore has a little bug where the encode_key() routine that is called by encode_key_for_uid() can overflow the filename text buffer, because bounds checking is absent. The advisory says that Google has patched only version 4.4 of Android. There are several technical hurdles an attacker must overcome to successfully perform a stack overflow on Android, as these systems are fortified with modern NX and ASLR protections. The vulnerability is still considered to be serious, as it resides in one of the most sensitive resources of the operating system."

Serious?

[stevez67]

Because the word scares people? Has it been exploited in the wild? And good luck updating all the Android devices.

Re:Serious?

[houstonbofh]

And good luck updating all the Android devices.

Especially sense most of them are abandoned shortly after release and can NEVER be upgraded.

Re:Serious?

[TheGratefulNet]

the once flagship N1 that I own (and still use since it still mostly works) has been abandoned long ago and I hate google for it.

this is yet another reason not to trust them. I don't care about new features, but porting security fixes should be a must-do for them, given how HUGE that company is. they have endless pockets and can easily afford to keep just a few guys (at least) busy keeping the old google flagship models updated.

they don't. and they suck for it.

Re:Serious?

[Rick+Zeman]

And good luck updating all the Android devices.

Especially sense most of them are abandoned shortly after release and can NEVER be upgraded.

If you'd added "by the carrier" that'd be more accurate.

Re:Serious?

[TheGratefulNet]

no, by google, the code OWNER, for much of the code base.

old 2.x android which still works for audio phone and email and simple web (which is 99% of what many users want, actually). but has no security patches from google since the last OTA update was at least 3 yrs ago, maybe more.

google abandons things. it may not be pleasant for fanboys to admit, but its a fact and its part of why I have so much anger toward google. they are not serious. not by my definition. 5 yr old hardware that needs security SHOULD get security updates. even 10 yrs. again, this is the money and power and brain-rich google we're talking about. they do NOT get a pass on being bad about backporting security. a 10 or 100 man company, sure. but google gets no free pass on abandoning their own phones (my case, the N1). total complete abandonment. even the gmail app BY google refuses to work properly on the N1, now. it does not auto poll and show newmail indications. you have to manually poll. a google app on a google phone that is broken. this is why I hate them.

Re:Serious?

The word "sense"?

Re:Serious?

[Intron]

One difference between enterprise software companies and consumer software is that over 50% of the enterprise revenue is for support. Virtually none for consumer software because people are unwilling to pay for it and the product lifetime is short.

Re:Serious?

[ArcadeMan]

yeah, "sense"... it seems Slashdot deletes <em> tags.

Re:Serious?

I wouldn't say people are not willing to pay for it, since no company will guarantee any support anyway, no matter how much the phone, or pratically any electronic device, costs. The commercial stuff for companies is just that. Over inflated prices to get as much money from other companies and they aren't intended for consumers anyway, so the level of support is irrelevant, and from what i've seen, it's pretty shitty anyway.

Re:Serious?

[Rick+Zeman]

Buy an iPhone then.

Re:Serious?

My first iPad was purchased in 2010. I don't think there's been a security update since 2012. I'm not sure Google are alone in 'abandoning things'.

Re:Serious?

A lot of services send OS updates automatically so most people don't have to worry about doing it theirselves.

Re:Serious?

Makes since.

Re: Serious?

You have not upgraded for free yet? Lol

Re:Serious?

Yeah, it can. Unless you cite something you're just a troll.

Re:Serious?

[cant_get_a_good_nick]

as others have said, i'd call bs until i heard a model associated with this. Did you buy it new? off Ebay?
my wife's iPhone 4 is close to 4 years old, can run iOS7 (though never get ios8) and gets security updates.

Apple sees value in the software ecosystem. They want everyone on the latest OS so you can buy more apps from the Apple store. Google wants to sell you ads. The difference in perspective is why I lean iOS,

Re:Serious?

[Albanach]

That was a new $700+ iPad, from the Apple Store in the summer of 2010 about five months after launch.

Wikipedia reports: Operating system iOS 5.1.1 (build 9B206) Released May 7, 2012; 2 years ago

No longer supported; third party operating systems available

So it was abandoned by Apple 28 months after launch. The hardware is still functional. It even still holds its charge. But there's no security updates whatsoever.

Re:Serious?

[tepples]

An iPod touch 4 purchased new the day before the iPod touch 5 came out cannot run iOS 7, which came out less than a year after the iPod touch 5.

Re:Serious?

[Bing+Tsher+E]

I bought an iPod Touch 4 in that time period. About two years ago now. Unsupported on iOS 7. Big mistake on my part. I guess I should have stood in line outside the Apple store instead of just going to WalMart and buying what was considered the current Apple iPod Touch.

Re:Serious?

[rabtech]

That was a new $700+ iPad, from the Apple Store in the summer of 2010 about five months after launch.

That's certainly a nerd sort of pedantically correct, but the scope and scale matter a lot. Apple is far, far better about updating old devices. Anyone who tries to argue that they are equivalent to Google on this front is just being an asshole.

Yes, there are a few models that did not get more than two years of OS updates due to hardware limitations (or business reasons if you want to think that) and the iPad you mention is one of those.

If we compare to Android, the majority of all Android devices have *never* seen a software update. A supermajority (if not 90%+) don't get updates a year past their original introduction (meaning people buy them brand new and *never* get a single update).

By contrast, when Apple's famous "goto fail" bug was discovered, they issued a patch for my test device, a four year old iPod Touch 4th generation running the end-of-life iOS 6. The patch was released immediately, at the same time as the patch for the latest hardware.

Tell me... what 4 year old Android devices are getting any OS updates whatsoever?

Honestly... how is this even slightly controversial?

Apple controls their own hardware and software, and they release a limited number of models. Their support burden to release updates for older devices is minimal. They also have the benefit of requiring complete open access from the carriers and have stuck to their guns, forcing carriers to cave in. (I remember the days before Apple, when carriers struck features from devices at their whim, and the only "app" store was the horrible carrier's app store). That's also part of the reason you will never see this on Android - having let the cat out of the bag, they absolutely will not allow anyone else to usurp their control again.

By contrast, Android is developed by one company, has firmware developed by an SoC company, then gets modified for hardware by another, then certified by thousands of individual carriers. If anyone in that chain decides it's too much work, doesn't care, or just drags their feet then you don't get updates.

P.S. Expect carriers (at least in the US) to start injecting boot loader verification into the baseband ROM, then refuse to let your device on the network if it has been rooted. They are fighting tooth and nail to not be a commodity dumb pipe and will try anything. Many of their most profitable customers are iOS users, so they basically can't avoid doing as Apple says (ask NTT DoCoMo or Verizon how resisting Apple's demands worked out). Samsung has no such leverage - one Android phone is, to a rough order of magnitude, as good as another, so when the carriers demand locking and verification you can bet Samsung will comply.

Re:Serious?

CynogenMod and xda devs disagree with you.

Re:Serious?

[jrumney]

People like to beat up Android for ongoing support of devices, but Google is no different than Apple and other companies in this respect. The Nexus One was contemporary with the iPhone 3G, which was only supported up to iOS 4.2.1, released in June 2010, on the same day that sales of the iPhone 3G were discontinued. Nexus One was supported until Android 2.3.7, which was released around a year after sales were discontinued.

Re: Serious?

Even better, Apple released a security update in March of this year for the iPhone 3GS released in June 2009.

Re:Serious?

[thechink]

Actually Apple is generally much better that Google in this regard. While you can find a few Apple devices that got relatively short support (especially early models), typically most devices now get about 4 years of updates. The iPhone 4, released in 2010, still getting updates though that will stop when Apple releases iOS8 in September. The iPad 2 released in 2011, still getting updates and will get iOS 8.

Re:Serious?

[Albanach]

Sounds like you want to compare the cheapest android devices with the most expensive apple ones. The more expensive android devices are much more likely to keep getting updates. And if they're a Google branded device, even when official updates end there's a community to support it. That's why a four year old Nexus One can run Android 4.4 today.

Re:Serious?

[mlw4428]

Third party firmwares patch this. However it's the carriers and manufacturers who lock down bootloaders, void warranties, and refuse to allow a more open environment that refuse to make additional changes or updates. I've got a Note 2, it was updated by Samsung nearly a month before Verizon could come out with the update and that was delayed quite a bit from when Google released 4.4.2.

You can blame Google all you want, but it's an Open Source OS and patches can be backported by anyone. Sadly the only people interested in doing that have no power over the carriers and device manufacturers.

Re:Serious?

Agreed. I'm not sure what the world's sad devotion to Android is and this is a prime reason. Maybe because Google and the carriers have replicated the stupidity and difficulty of Windows flaws in a new OS and the Geekdom just LOVES things to be difficult. Everyone gets electronically raped with Android except maybe 300,000 geeks in the world smart enough to manage their phones properly.

Re:Serious?

[Meski]

"In other news, Microsoft drop support for XP"

Re:Serious?

[i.kazmi]

In your opinion, how long is it reasonable for a software developer to provide patches for software?

I do agree that the updates situation in Android-land is/was pretty ugly (it seems to be improving) but expecting patches for a 4 and a half year old product that was obsolete around 2.5 to 3 years ago? If any software developer were to start doing that, they'd have to build the cost into the price of the product (no, it would not be negligible). I personally think upgrading products for 18 months post release (24 months for more recent devices since the hardware spec is not undergoing as many drastic changes) is reasonable and acceptable, you clearly have different expectations so I am curious as to what is reasonable/acceptable as far as you're concerned. Are you one of those people who think the software developer should provide upgrades/patches perpetually (because they have money) or is there any time frame after which the products can be obsoleted?

Re:Serious?

[jrumney]

They are getting 4 years of updates, because Apple is keeping them on the shelf for 3 1/2 years. iPhone 4 got iOS 7, because it was still on the shelves when it was announced (though taken off the shelves on the day it was released). The original iPad, which came out 3 months earlier with much the same level of hardware, did not even get iOS 6, because it was withdrawn from sale as soon as the iPad 2 came out.

The main difference here is the rate of release of new phones. Apple likes to keep 3 models of iPhones in the market for budget, midrange and high-end, and until the iPhone 5c, the midrange and budget categories were both covered by old models. Google tends to keep just one model in the market. Both companies continue to support minor releases on their most recently obsoleted hardware, but generally not major releases. Other companies selling Android phones do tend to abandon their low end models on release, but the high end ones are generally just as well supported as Apple and Google, with a little lag in release dates which is improving as Google tackles the issues which cause porting delays.

Re:Serious?

[exomondo]

as others have said, i'd call bs until i heard a model associated with this. Did you buy it new? off Ebay?

Why? What possible model - other than the 1st generation - could it have been?

Re:Serious?

[the_digitalmouse]

Makes since.

or makes cents!

Re:Serious?

[L4t3r4lu5]

The purpose of the Nexus line of devices is twofold:

1) You get the stock Android experience, not some third-party vendor bastardisation with bundled crapware
2) You can root and flash them in moments, there is no locking in place to prevent it

Making use of 2) above will allow you to run Android 4.4.3 on your Nexus One

Yes, it's sucky that Google abandon their devices like all other hardware manufacturers, but Google isn't a hardware company. Google produce Android so they can use it as an advertising and user profiling platform. The hardware is just a delivery mechanism.

Finally

Something new that's compatible with most people's version of Android.

No bounds checking?

[BasilBrush]

No bounds checking? In a security module of Android? Duh! What sort of idiots do they have coding this thing?

Re:No bounds checking?

[Nyder]

No bounds checking? In a security module of Android? Duh! What sort of idiots do they have coding this thing?

Can't we put bounding checks into the compiler?

Re:No bounds checking?

No bounds checking? In a security module of Android? Duh! What sort of idiots do they have coding this thing?

Agile idiots. It passed the test suite written by other agilistas, so no QA needs to be performed. Just ship it. Put bounds checking into the backlog. If someone can come up with a good user story like "86% of all devices we've shipped are vulnerable" maybe we'll fix it in the next sprint.

Re:No bounds checking?

[ArcadeMan]

Android: our security knows no bounds!

Re:No bounds checking?

[Intron]

Yes. It is trivial to make data structures that do bounds checking automatically. I remember this being on by default in Pascal in the 80's. Those who prefer speed over security won long ago. Why slow down a processor that can only do 1 billion instructions per second with an extra test and branch?

Re:No bounds checking?

[epyT-R]

This is the same company that wants you to trust the programming that goes into their autonomous cars.

Re:No bounds checking?

[sexconker]

No bounds checking? In a security module of Android? Duh! What sort of idiots do they have coding this thing?

Agile idiots. It passed the test suite written by other agilistas, so no QA needs to be performed. Just ship it. Put bounds checking into the backlog. If someone can come up with a good user story like "86% of all devices we've shipped are vulnerable" maybe we'll fix it in the next sprint.

It's not just agile. Anyone dumb enough to label how they do their job with some shitty buzzword is going to be dumb enough to blindly stick to that ill-defined structure, despite it having little to do with getting the job done.

Re: No bounds checking?

Branching is horribly slow and not getting faster in step with raw computational instructions. And that is despite the large portion of silicon devoted to optimising branching execution. So not having mandatory bounds checking in the language is actually pretty important these days. Otherwise your computer would feel as slow as a machine that is three to five years older.

Re:No bounds checking?

[swillden]

See my post below: http://mobile.slashdot.org/com...

Re:No bounds checking?

[swillden]

See my post below: http://mobile.slashdot.org/com...

Re:No bounds checking?

[Ash-Fox]

Are you sure it's not Waterfall idiots? They don't seem to release regularly at all. Proper waterfall processes are prone to the pesticide paradox when it comes to QA because everything is meant to be planned out in advanced.

Re: No bounds checking?

[Ash-Fox]

Why don't my Delphi applications feel any slower than my C++ applications?

Fanboy much?

Android KeyStore has a little bug where the encode_key() routine that is called by encode_key_for_uid() can overflow the filename text buffer, because bounds checking is absent. The advisory says that Google has patched only version 4.4 of Android. There are several technical hurdles an attacker must overcome to successfully perform a stack overflow on Android, as these systems are fortified with modern NX and ASLR protections. The vulnerability is still considered to be serious, as it resides in one of the most sensitive resources of the operating system.

Whoever wrote that doesn't know what "a little bug" means. Sounds like a major security bug to me.

Re:Fanboy much?

[jones_supa]

I wrote it. Thanks for the feedback.

FUD?

By "affects" do you mean "puts Android users at risk"? Not that you shouldn't be careful, but everyone is going to be nuked by a bug.

Google has patched only version 4.4

[NotInHere]

I can understand if Google wants to force vendors to update to the most recent android. However, from a vendor perspective, what's so hard about backporting this patch to, say, android 4.3 and below? Is there a contract with Google forbidding this? Do they get money from NSA?

Re:Google has patched only version 4.4

> what's so hard about backporting this patch to, say, android 4.3 and below?

It isn't part of their business model. There are tens of millions of android devices that have simply been abandoned because the business model is to sell moar phones and money spent on improving phones that have already been sold not only does not sell moar phones, it gives people less reason to buy moar phones.

Re:Google has patched only version 4.4

"Sorry, we are not at liberty to discuss that."

Re:Google has patched only version 4.4

[JoeRandomHacker]

I can understand if Google wants to force vendors to update to the most recent android. However, from a vendor perspective, what's so hard about backporting this patch to, say, android 4.3 and below? Is there a contract with Google forbidding this? Do they get money from NSA?

Backporting it probably isn't difficult, but getting all the vendors and carriers to patch, build, validate, and deploy their custom Android builds for all the various devices they have supported over the last few years is.

Re:Google has patched only version 4.4

Backporting it probably isn't difficult, but getting all the vendors and carriers to patch, build, validate, and deploy their custom Android builds for all the various devices they have supported over the last few years is.

Google knew the problem early enough to have designed their Market app to allow for a system 8 times its old size. Forcing in a binary for a 30 line kernel patch is not be a [technological] problem.

Here is a little secret. Despite their "we don't fix old stuff" stand, they don't keep their hands out of my phone with updates to things I DO NOT WANT UPDATED. I reset my phone to factory once or twice a year when I'm fed up with the puny 256MB ram design where even apps you aren't using count against your text, call and running program quota. Anyway, they keep bloating this 2.2 phone with HUGE versions of Google Play and Frameworks (altogether about 25MB in a phone where the Market app was like 3). That cannot be stopped except by rooting and aggressively freezing the apps.

The lack of control over my device is not as grating as when I use iOS devices at work, but I am seriously dragging my feet over upgrading.

Re:Google has patched only version 4.4

[Rob+Simpson]

Yeah, they don't have any problem pushing out new versions of Google Play that hide when an update adds permission for full internet access. But a patch to improve security? Hahaha, no.

Re:Google has patched only version 4.4

[StankeyoSmith]

Why?
Because good luck forcing the update on carriers.

Re:Google has patched only version 4.4

[Bing+Tsher+E]

You just described Apple's business model, too. Thank goodness neither Google nor Apple have a business methods patent on that. Although Apple could claim prior art going back to about 1984 on it.

Re:Google has patched only version 4.4

[AmiMoJo]

Google's business model is to drive people to Google's services. That's why most of those services get back-ported to older versions of the OS. It makes more sense to back-port than to expect people to replace expensive hardware more often than every few years.

Re:Google has patched only version 4.4

Apple's model is to sell phones through user satisfaction. Apple supports upgrading their devices' software for several years.

No bounds checking?

[plopez]

A rookie mistake. Tools to trap this have been around for ages. And do not give the "but they were optimizing" excuse. The only thing a security module should be optimized for is security. Once again, a rookie mistake.

Buffer Overflow

[StankeyoSmith]

Im amazed that after all the years and years of buffer overflow caused vulnerabilities that we are still repeating history time and time and time and time again.

I think it's more like 10%, not 86%

[swillden]

I don't think old devices are vulnerable, and while 4.3 devices are vulnerable, most of them have an additional countermeasure in place that should protect against any actual disclosure of private keys.

In older devices, it looks like prior to changing keystore to use the Binder API the bounds checking was done at a higher level in the call stack, so the code isn't actually vulnerable. When keystore's API was changed to be Binder-based, that checking was lost, enabling the bug. Looking at the git log, the Binder keystore API was merged in November 2012 which I believe means that only 4.3 devices are vulnerable. It appears the bug was identified and fixed before 4.4 was released.

But most 4.3 devices, at least from major vendors, have hardware-backed key storage. All Nexus devices do. They're vulnerable to the bug, but the private keys are completely inaccessible to the Android userspace and kernel, so there's no way the key material can be leaked. To see if your device has hardware-backed key storage go to Settings -> Security and scroll down to "Credential Storage". If it says "Storage type Hardware-backed", then keystore private keys are not accessible to the Android OS userspace or kernel, so there's no way they could leak.

One caveat: Until 4.4 (I think), only RSA keys could be managed by secure hardware. So DSA and ECDSA private keys in 4.3 device keystores could leak via this vulnerability. In the future we should have support for all sorts of keys in secure hardware (https://android-review.googlesource.com/#/c/97651/ -- yes, I'm the author of that CL), as well as a mechanism for checking the hardware vs software storage question on individual keys.

I'm not trying to say this wasn't a pretty serious error on Google's part. Even with the bounds check higher in the call stack, it should have been done in keystore as well. Security-sensitive code like this should take a belt-and-suspenders approach, not depending on validation done at other layers, specifically because stuff at other layers changes. Actually, I know the guy who wrote it and that is the way he thinks, too, so I'm somewhat surprised he wrote this bug.

(Note: I recently joined the Android security team, and it looks like I may be the maintainer of keystore. I am taking the lead on hardware-backed key storage. However, I should mention that I'm not speaking in an official capacity, just someone who knows the code a bit and took a few minutes to look through the git logs.)

Re:I think it's more like 10%, not 86%

My GS3 says "Storage type Software only" and is still running 4.3. I'm hoping T-Mobile pushes KitKat soon. I'd run CM, but I don't want to lose wifi calling.

Patching 4.4 is good enough for government work

A new smartphone should be purchased every year anyway.

We are talking about Google quality software

Google has no SQA at all. They have said so many times. Software is released UNTESTED as soon as the developer (who are usually nothing more than a resent graduate with little to no experience in real life) say it is ready.

The end result is that Android is the new Windows ME.

Re:Sorry, but you are 100% wrong

This has nothing to do with google, they don't have control of patching existing phones (well, not until the most recent point release of android).
Even if they did backport the fix, the phone venders wouldn't do shit.

Re:Sorry, but you are 100% wrong

You hit the nail on the head. Don't forget everything that's exposed to any developer for Android. They know what you looked at, where you are, who you're near, what you texted, when you're appointments are, what you searched on and the fact the user wears rubber underpants.