Slashdot Mirror


New Cache Attack Can Monitor Keystrokes On Android Phones (onthewire.io)

Trailrunner7 quotes a report from OnTheWire: Researchers from an Austrian university have developed techniques that allow them to perform cache attacks on non-rooted Android phones that can monitor the keystrokes, screen taps, and even observe code execution inside the ARM processor's TrustZone secure execution environment. The attacks the team developed are complex and rely on a number of individual building blocks. The techniques are similar to some used against Intel x86 processor-based systems, but the team from Graz University of Technology in Austria shows that they can be used on ARM-based systems, such as Android phones, as well.

"Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude. Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen," the researchers wrote in their paper, which was presented at the USENIX Security Symposium this week.

It's a proof-of-concept attack. But interestingly, another recently-discovered Android vulnerability also required the user to install a malicious app -- and then allowed attackers to take full control of the device.

36 comments

  1. Another Day, Another Android Vulnerability by macs4all · · Score: 4, Interesting

    Actually, according to TFS, actually TWO separate Vulnerabilities.

    Kinda reminds me of the "heyday" of Windows Exploits.

    And of course, the worst thing is that most Android devices in the wild will never see a patch for any of them...

    1. Re: Another Day, Another Android Vulnerability by Anonymous Coward · · Score: 0, Troll

      The kind of retard that would download a pirated app full of malware instead of paying $1 for the original.

      In the end most Android users are retards by definition. Because you have to be a real retard to accept usage of an OS that was designed with built-in spyware in it.

    2. Re: Another Day, Another Android Vulnerability by Anonymous Coward · · Score: 0

      Local root exploits, yawn

    3. Re:Another Day, Another Android Vulnerability by swillden · · Score: 4, Informative

      Actually, according to TFS, actually TWO separate Vulnerabilities.

      More precisely, one vulnerability (the QuadRooter bug, which can be patched, and is being patched on Nexus devices), and one whole class of vulnerabilities which no one knows how to fix, and which affect all ARM-based devices, including iOS devices. It should also be noted that x86-based devices are even more vulnerable than ARM-based devices; big parts of the paper are about how aspects of ARM that make cache timing attacks tougher can be mitigated, but they're easier on x86.

      iOS devices do actually have a security advantage with respect to the cache timing attacks, though. It isn't that Apple knows how to defeat them, so patching is irrelevant, it's that in order to mount a cache timing attack you have to understand the system code in great detail, and that's easier with open source software than with closed source software. That's the reason these researchers targeted Android. Targeting iOS could be done, but it would be a lot more work to reverse engineer the binaries (or, for serious attackers, to steal the source code). Of course, there's a disadvantage there as well; Android's diversity means that an attacker has to do work for each specific model he wants to attack. iOS is a monoculture.

      This has an implication for my work. I've been trying to find ways to get the source code of TrustZone components opened up (It is fully open on the Nexus 9 and the Pixel C, and will be on more devices which use Google's "Trusty" TrustZone OS). But... until we find better defenses against cache timing attacks there's actually some security benefit to keeping the code closed. Not much, of course. Security by obscurity isn't, and it's likely more than offset by the ability for bugs to persist longer in closed code. But there's at least an argument for keeping it closed, which is going to make my work harder.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    4. Re:Another Day, Another Android Vulnerability by swillden · · Score: 1

      It is fully open on the Nexus 9 and the Pixel C

      Actually, I misspoke. This isn't true. The TrustZone code on those devices is closely related to code which has been published in AOSP, but it's not identical and there is at least one major component that hasn't been published at all.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    5. Re:Another Day, Another Android Vulnerability by macs4all · · Score: 0

      which no one knows how to fix, and which affect all ARM-based devices, including iOS devices.

      How do you know that?

      Apparently you don't know that, unlike your typical Android OEM, Apple holds one of only a few "Architecture" licenses from ARM, and thus can, and DOES, actually DESIGN THEIR OWN ARM CORES FROM THE GROUND UP.

      So, unless you actually have PROOF of this working on an iOS device, you shouldn't just lump them in with all the Android devices, just because they share (most of) a common instruction set.

    6. Re:Another Day, Another Android Vulnerability by Anonymous Coward · · Score: 0

      For me sitting out here with an iOS device, not entirely thrilled with Apple, looking at possibly making the leap to Android...

      I have this perception from seeing many articles, that if I did get an Android device, that I'm forever going to be vulnerable with no vendor support. So Android has one advantage in that via diversity one attack won't necessarily run on another device, but it sounds like thanks to phone carriers in part, you're lucky if you even get a single update for your device during its life span. Despite that, Android phones and tablets are all over the place and a lot of IT folks trust it. Would you say this perception is overblown?

      Whereas iOS's advantage is that you can expect support and patches for several years or through the useful lifespan of the device. The advantage of breaking iOS would be that everyone is now vulnerable on the platform. I guess you pick your poison. There's a lot of things I just won't use my phone for anyways.

    7. Re:Another Day, Another Android Vulnerability by Anonymous Coward · · Score: 0

      Hell, Windows was and is more secure than Android has ever been.

      That's only because both of the people who bought Windows phones stopped using them.

    8. Re:Another Day, Another Android Vulnerability by swillden · · Score: 2

      if I did get an Android device, that I'm forever going to be vulnerable with no vendor support

      Just make sure you get one from a vendor who commits to support it.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    9. Re:Another Day, Another Android Vulnerability by swillden · · Score: 4, Informative

      which no one knows how to fix, and which affect all ARM-based devices, including iOS devices. How do you know that?

      I know that because I read the research paper, and the vulnerability derives from the fundamental architecture of CPU caches used in modern devices. ARM was thought perhaps to be safe because of some characteristics of the caching architecture which makes it more difficult than on x86... but this paper shows that not to be true.

      Apparently you don't know that, unlike your typical Android OEM, Apple holds one of only a few "Architecture" licenses from ARM, and thus can, and DOES, actually DESIGN THEIR OWN ARM CORES FROM THE GROUND UP.

      Doesn't matter, unless they've invented an entirely new approach to caching.

      So, unless you actually have PROOF of this working on an iOS device, you shouldn't just lump them in with all the Android devices, just because they share (most of) a common instruction set.

      It's got nothing to do with instruction sets. You should read the paper.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    10. Re:Another Day, Another Android Vulnerability by phayes · · Score: 1

      Does that even exist? Even vendors such as Motorola & Samsung have promised support and then abandoned it for some phones and the less said about HTC & others like Huawei the better.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue

    11. Re:Another Day, Another Android Vulnerability by swillden · · Score: 2

      Does that even exist?

      At a minimum, there's Nexus.

      Even vendors such as Motorola & Samsung have promised support and then abandoned it for some phones

      Samsung has committed to monthly security updates on some models: http://security.samsungmobile....

      However, I note the waffling about carriers and regions, and the fact that it doesn't specify how long they'll keep delivering updates.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    12. Re:Another Day, Another Android Vulnerability by swillden · · Score: 1

      the less said about HTC & others like Huawei the better

      Oops, hit send too soon. It appears that Huawei is actually doing a pretty good job: http://www.digit.in/mobile-pho.... 77% doesn't sound great, but it actually is pretty good when you consider there's a fair fraction of Android users who refuse to accept updates, and when you consider that Huawei is almost certainly only patching recent models. So, if you have a fairly recent Huawei device and accept the updates when they come, you should be good.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    13. Re:Another Day, Another Android Vulnerability by Anonymous Coward · · Score: 0

      It's a bit of an overstatement to say that nobody knows how to fix these. The attack works because if two processes read the same data (or code), then the fact that process 1 pulled pages into the CPU cache means that those pages are faster to access by process 2. The biggest reason this is a big problem on Android is that it's too easy for processes that have no business doing anything directly with virtual keystrokes and word-entry (for example) to load the related libraries into their address space just the same. Just being stricter on which code and data a process can load would shrink the attack surface enormously; beyond that, giving untrusted processes a separate copy of read-only data could also help, although it would 'waste' memory.

    14. Re:Another Day, Another Android Vulnerability by swillden · · Score: 1

      Valid points, though in many cases not allowing code to load the libraries would require moving functionality into separate processes and accessing it via RPC, or loading extra copies. Either would have a pretty significant performance hit in some cases. Still, it's worth looking into.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    15. Re:Another Day, Another Android Vulnerability by Anonymous Coward · · Score: 0

      Nexus 6 phones get monthly security updates.

    16. Re:Another Day, Another Android Vulnerability by Tesen · · Score: 1

      That's ok. I only surf porn from my android phone and leave all my ECommerce interaction to my Windows XP machine unpatched sitting in my DMZ.

    17. Re:Another Day, Another Android Vulnerability by Anonymous Coward · · Score: 0

      "...it's that in order to mount a cache timing attack you have to understand the system code in great detail, and that's easier with open source software than with closed source software."

      A guy I knew who worked in the RE business told me that analysing binaries slows you down, but it doesn't slow down a skilled reverse engineer anywhere nearly as much as people expect. A state level (or large crime family level) attacker will certainly have _more_ than enough cash to hire many skilled reverse engineers.

      As you say, closed source software is security by obscurity... and all _sorts_ of good security researchers do really good work tearing apart closed-source software.

    18. Re:Another Day, Another Android Vulnerability by swillden · · Score: 1

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    19. Re:Another Day, Another Android Vulnerability by Anonymous Coward · · Score: 0

      it's that in order to mount a cache timing attack you have to understand the system code in great detail, and that's easier with open source software than with closed source software.

      Not really, the processor doesn't care about the source code, it just executes instructions. So just the binary code and a good debugger (preferably hardware assisted), and a good execution profiler will get you a long way.

  2. A disgusting skinny whore like any fat girl by Anonymous Coward · · Score: 0

    marketing companies in Brazil are loving it. I miss using swift because of those bluetooth suckers from Reweb. :/

    Ah! And go give up your little ass to see if that snobby habit of yours of showing off that everyone screws you goes away. You should leave that state, because the girls here aren't pothead rich-girl daughters of a rat.

    1. Re: A disgusting skinny whore like any fat girl by Anonymous Coward · · Score: 0

      The good taco of the blah

  3. In other news... by Anonymous Coward · · Score: 0

    The sky is falling, and it's fucking hot and humid.

    1. Re: In other news... by Anonymous Coward · · Score: 0

      Every summer everyone bitches if the temperatures are above 50 degrees. Every winter they bitch if they are under 50 degrees. Like the fucking seasons mean something.

    2. Re: In other news... by Anonymous Coward · · Score: 0

      Yes, fuck winter, spring, summer, and fall!

      Fucking temperatures!

    3. Re: In other news... by Anonymous Coward · · Score: 0

      I'm voting for whichever presidential candidate wants to ban temperatures.

  4. Re: My by Anonymous Coward · · Score: 0

    What it is nigga

  5. Damn by JustAnotherOldGuy · · Score: 1

    It's amazing to me that there are so many ways to nail a phone with malware or spy on it or do something malicious to it or with it.

    You'd have thought that eventually they'd run out of new vulnerabilities to find, but damn, it's just like a never-ending shitstorm of exploit after exploit after exploit that never seems to stop.

    Yes, these are complex devices with a large attack surface (obviously, lol) but still, it's incredible that new exploits or holes or flaws are found almost every single day.

    --
    Just cruising through this digital world at 33 1/3 rpm...

  6. Oh look another android exploit by X86BSD · · Score: 0

    It's at least once a week now it seems. Why would anyone want such an insecure phone? This is just getting insane. Wave your Google hardon all you like, but the facts are this is a horrible platform for security.

  7. Come on, it's 2016 by Anonymous Coward · · Score: 0

    It's bad enough having to deal with Microsoft's ineptitude on a daily basis, and now we have to look over our shoulder when using our phones? What decade is this? I thought we were past all this crap. Having to install third-party security utilities and/or waiting around for OTA updates is pathetic.

  8. Of course by Impy the Impiuos Imp · · Score: 1

    and then allowed attackers to take full control of the device.

    Who's playing my Pokemon Go?!?

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.