
Crypto key vulnerability could affect 86% of Android devices

Google has only patched Android 4.4 KitKat; all other versions remain at risk, says IBM.

By Ben Sullivan

IBM researchers have discovered a vulnerability in Android phones that could allow hackers to obtain sensitive details about the owner, including PINs, unlock patterns and cryptographic keys.

The vulnerability sits in the Android KeyStore, the service in which the Android operating system stores cryptographic keys, and can let attackers execute code that leaks keys and passwords.

The report, from IBM's application security team, said that the security hole is only patched in Android 4.4 KitKat, which leaves 86% of Android devices vulnerable.

Roee Hay, lead of the application security research team at IBM, said in the report: "Nine months ago, my team came across a classic stack-based buffer overflow in the Android KeyStore service.

"As always, we adhered to our responsible disclosure policy and privately reported this issue to the Android Security Team; the result is a patch that is now available in KitKat."

An Android security expert in the computer science department of Rice University in Texas emailed Ars Technica and said: "Generally speaking this is how apps are going to store their authentication credentials, so if you can compromise the KeyStore, you can log in as the phone's user to any service where they've got a corresponding app, or, at least, an app that remembers who you are and lets you log back in without typing a password.

"This means that most banking apps, which force you to type your password every time, are probably safe against this particular attack. The amount of damage you can do then has a lot to do with which apps this lets the attacker compromise. If the attacker can compromise your Twitter account, then yeah, they can spew spam in your name. Not very exciting. If the attacker can get anywhere near your money, then it gets more interesting."
