New Cache Attack Can Monitor Keystrokes On Android Phones

Trailrunner7 quotes a report from OnTheWire: : Researchers from an Austrian university have developed techniques that allow them to perform cache attacks on non-rooted Android phones that can monitor the keystrokes, screen taps, and even observe code execution inside the ARM processor's TrustZone secure execution environment. The attacks the team developed are complex and rely on a number of individual building blocks. The techniques are similar to some used against Intel x86 processor-based systems, but the team from Graz University of Technology in Austria shows that they can be used on ARM-based systems, such as Android phones, as well.

"Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude. Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen," the researchers wrote in their paper, which was presented at the USENIX Security Symposium this week.
It's a proof-of-concept attack. But interestingly, another recently-discovered Android vulnerability also required the user to install a malicious app -- and then allowed attackers to take full control of the device.

Another Day, Another Android Vulnerability

[macs4all]

Actually, according to TFS, actually TWO separate Vulnerabilities.

Kinda reminds me of the "heyday" of Windows Exploits.

And of course, the worst thing is that most Android devices in the wild will never see a patch for any of them...

Re:Another Day, Another Android Vulnerability

[swillden]

Actually, according to TFS, actually TWO separate Vulnerabilities.

More precisely, one vulnerability (the quadrooter bug which can be patched, and is being patched on Nexus devices), and one whole class of vulnerabilities which no one knows how to fix, and which affect all ARM-based devices, including iOS devices. It should also be noted that x86-based devices are even more vulnerable than ARM-based devices; big parts of the paper are about how aspects of ARM that make cache timing attacks tougher can be mitigated, but they're easier on x86.

iOS devices do actually have a security advantage with respect to the cache timing attacks, though. It isn't that Apple knows how to defeat them, so patching is irrelevant, it's that in order to mount a cache timing attack you have to understand the system code in great detail, and that's easier with open source software than with closed source software. That's the reason these researchers targeted Android. Targeting iOS could be done, but it would be a lot more work to reverse engineer the binaries (or, for serious attackers, to steal the source code). Of course, there's a disadvantage there as well; Android's diversity means that an attacker has to do work for each specific model he wants to attack. iOS is a monoculture.

This has an implication for my work. I've been trying to find ways to get the source code of TrustZone components opened up (It is fully open on the Nexus 9 and the Pixel C, and will be on more devices which use Google's "Trusty" TrustZone OS). But... until we find better defenses against cache timing attacks there's actually some security benefit to keeping the code closed. Not much, of course. Security by obscurity isn't, and it's likely more than offset by the ability for bugs to persist longer in closed code. But there's at least an argument for keeping it closed, which is going to make my work harder.

Re:Another Day, Another Android Vulnerability

[swillden]

which no one knows how to fix, and which affect all ARM-based devices, including iOS devices. How do you know that?

I know that because I read the research paper, and the vulnerability derives from the fundamental architecture of CPU caches used in modern devices. ARM was thought perhaps to be safe because of some characteristics of the caching architecture which makes it more difficult than on x86... but this paper shows that not to be true.

Apparently you don't know that, unlike your typical Android OEM, Apple holds one of only a few "Architecture" licenses from ARM, and thus can, and DOES, actually DESIGNS THEIR OWN ARM CORES FROM THE GROUND UP.

Doesn't matter, unless they've invented an entirely new approach to caching.

So, unless you actually have PROOF of this working on an iOS device, you shouldn't just lump them in with all the Android devices, just because they share (mist of) a common instruction set.

It's got nothing to do with instruction sets. You should read the paper.