New Cache Attack Can Monitor Keystrokes On Android Phones (onthewire.io)

← Back to Stories (view on slashdot.org)

New Cache Attack Can Monitor Keystrokes On Android Phones (onthewire.io)

Posted by EditorDavid on Saturday August 13, 2016 @04:34AM from the another-Android-exploit dept.

Trailrunner7 quotes a report from OnTheWire: : Researchers from an Austrian university have developed techniques that allow them to perform cache attacks on non-rooted Android phones that can monitor the keystrokes, screen taps, and even observe code execution inside the ARM processor's TrustZone secure execution environment. The attacks the team developed are complex and rely on a number of individual building blocks. The techniques are similar to some used against Intel x86 processor-based systems, but the team from Graz University of Technology in Austria shows that they can be used on ARM-based systems, such as Android phones, as well.

"Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude. Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen," the researchers wrote in their paper, which was presented at the USENIX Security Symposium this week.
It's a proof-of-concept attack. But interestingly, another recently-discovered Android vulnerability also required the user to install a malicious app -- and then allowed attackers to take full control of the device.

13 of 36 comments (clear)

Min score:

Reason:

Sort:

Another Day, Another Android Vulnerability by macs4all · 2016-08-13 04:43 · Score: 4, Interesting

Actually, according to TFS, actually TWO separate Vulnerabilities.

Kinda reminds me of the "heyday" of Windows Exploits.

And of course, the worst thing is that most Android devices in the wild will never see a patch for any of them...
1. Re:Another Day, Another Android Vulnerability by swillden · 2016-08-13 06:01 · Score: 4, Informative
  
  Actually, according to TFS, actually TWO separate Vulnerabilities.
  More precisely, one vulnerability (the quadrooter bug which can be patched, and is being patched on Nexus devices), and one whole class of vulnerabilities which no one knows how to fix, and which affect all ARM-based devices, including iOS devices. It should also be noted that x86-based devices are even more vulnerable than ARM-based devices; big parts of the paper are about how aspects of ARM that make cache timing attacks tougher can be mitigated, but they're easier on x86.
  iOS devices do actually have a security advantage with respect to the cache timing attacks, though. It isn't that Apple knows how to defeat them, so patching is irrelevant, it's that in order to mount a cache timing attack you have to understand the system code in great detail, and that's easier with open source software than with closed source software. That's the reason these researchers targeted Android. Targeting iOS could be done, but it would be a lot more work to reverse engineer the binaries (or, for serious attackers, to steal the source code). Of course, there's a disadvantage there as well; Android's diversity means that an attacker has to do work for each specific model he wants to attack. iOS is a monoculture.
  This has an implication for my work. I've been trying to find ways to get the source code of TrustZone components opened up (It is fully open on the Nexus 9 and the Pixel C, and will be on more devices which use Google's "Trusty" TrustZone OS). But... until we find better defenses against cache timing attacks there's actually some security benefit to keeping the code closed. Not much, of course. Security by obscurity isn't, and it's likely more than offset by the ability for bugs to persist longer in closed code. But there's at least an argument for keeping it closed, which is going to make my work harder.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
2. Re:Another Day, Another Android Vulnerability by swillden · 2016-08-13 06:04 · Score: 1
  
  It is fully open on the Nexus 9 and the Pixel C
  Actually, I misspoke. This isn't true. The TrustZone code on those devices is closely related to code which has been published in AOSP, but it's not identical and there is at least one major component that hasn't been published at all.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
3. Re:Another Day, Another Android Vulnerability by swillden · 2016-08-13 07:35 · Score: 2
  
  if I did get an Android device, that I'm forever going to be vulnerable with no vendor support
  Just make sure you get one from a vendor who commits to support it.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
4. Re:Another Day, Another Android Vulnerability by swillden · 2016-08-13 07:38 · Score: 4, Informative
  
  which no one knows how to fix, and which affect all ARM-based devices, including iOS devices. How do you know that?
  I know that because I read the research paper, and the vulnerability derives from the fundamental architecture of CPU caches used in modern devices. ARM was thought perhaps to be safe because of some characteristics of the caching architecture which makes it more difficult than on x86... but this paper shows that not to be true.
  
  Apparently you don't know that, unlike your typical Android OEM, Apple holds one of only a few "Architecture" licenses from ARM, and thus can, and DOES, actually DESIGNS THEIR OWN ARM CORES FROM THE GROUND UP.
  Doesn't matter, unless they've invented an entirely new approach to caching.
  
  So, unless you actually have PROOF of this working on an iOS device, you shouldn't just lump them in with all the Android devices, just because they share (mist of) a common instruction set.
  It's got nothing to do with instruction sets. You should read the paper.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
5. Re:Another Day, Another Android Vulnerability by phayes · 2016-08-13 08:27 · Score: 1
  
  Does that even exist? Even vendors such as Motorola & Samsung have promised support and then abandoned it for some phones and the less said about HTC & others like Huawei the better.
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
6. Re:Another Day, Another Android Vulnerability by swillden · 2016-08-13 08:43 · Score: 2
  
  Does that even exist?
  At a minimum, there's Nexus.
  
  Even vendors such as Motorola & Samsung have promised support and then abandoned it for some phones
  Samsung has committed to monthly security updates on some models: http://security.samsungmobile....
  However, I note the waffling about carriers and regions, and the fact that it doesn't specify how long they'll keep delivering updates.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
7. Re:Another Day, Another Android Vulnerability by swillden · 2016-08-13 08:46 · Score: 1
  
  the less said about HTC & others like Huawei the better
  Oops, hit send too soon. It appears that Huawei is actually doing a pretty good job: http://www.digit.in/mobile-pho.... 77% doesn't sound great, but it actually is pretty good when you consider there's a fair fraction of Android users who refuse to accept updates, and when you consider that Huawei is almost certainly only patching recent models. So, if you have a fairly recent Huawei device and accept the updates when they come, you should be good.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
8. Re:Another Day, Another Android Vulnerability by swillden · 2016-08-13 10:20 · Score: 1
  
  Valid points, though in many cases not allowing code to load the libraries would require moving functionality into separate processes and accessing it via RPC, or loading extra copies. Either would have a pretty significant performance hit in some cases. Still, it's worth looking into.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
9. Re:Another Day, Another Android Vulnerability by Tesen · 2016-08-13 11:49 · Score: 1
  
  That's ok. I only surf porn from my android phone and leave all my ECommerce interaction to my Windows XP machine unpatched sitting in my DMZ.
10. Re:Another Day, Another Android Vulnerability by swillden · 2016-08-13 15:05 · Score: 1
  
  Absolutely. http://bits-please.blogspot.co...
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Damn by JustAnotherOldGuy · 2016-08-13 07:08 · Score: 1

It's amazing to me that there are so many ways to nail a phone with malware or spy on it or do something malicious to it or with it.
You'd have thought that eventually they'd run out of new vulnerabilities to find, but damn, it's just like a never-ending shitstorm of exploit after exploit after exploit that never seems to stop.
Yes, these are complex devices with a large attack surface (obviously, lol) but still, it's incredible that new exploits or holes or flaws are found almost every single day.

--
Just cruising through this digital world at 33 1/3 rpm...
Of course by Impy+the+Impiuos+Imp · 2016-08-13 12:53 · Score: 1

and then allowed attackers to take full control of the device.
Who's playing my Pokemon Go?!?

--
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.