IBM researchers have discovered a vulnerability in Android phones that could allow hackers to obtain sensitive details about the owner, including PINs, unlock patterns and cryptographic keys.
The vulnerability sits in the Android KeyStore, where cryptographic keys are stored on the Android operating system, and can let attackers execute code that would leak keys and passwords.
The report, from IBM’s application security team, said that the security hole is only patched in Android 4.4 KitKat, which leaves 86% of Android devices vulnerable.
Roee Hay, lead of the application security research team at IBM, said in the report: "Nine months ago, my team came across a classic stack-based buffer overflow in the Android KeyStore service.
"As always, we adhered to our responsible disclosure policy and privately reported this issue to the Android Security Team; the result is a patch that is now available in KitKat."
An Android security expert in the computer science department of Rice University in Texas emailed Ars Technica and said: "Generally speaking this is how apps are going to store their authentication credentials, so if you can compromise the KeyStore, you can log in as the phone’s user to any service where they’ve got a corresponding app, or, at least, an app that remembers who you are and lets you log back in without typing a password.
"This means that most banking apps, which force you to type your password every time, are probably safe against this particular attack. The amount of damage you can do then, has a lot to do with which apps this lets the attacker compromise. If the attacker can compromise your Twitter account, then yeah, they can spew spam in your name. Not very exciting. If the attacker can get anywhere near your money, then it gets more interesting."