A bug in the Android KeyStore left an estimated 86 per cent of Android phones vulnerable to major security breaches, according to an advisory IBM researchers published last week. The security flaw is what the researchers call a “classic stack-based buffer overflow”, and it could allow attackers to execute code to steal phone lock credentials, and then all sorts of sensitive data on the phone, including banking information.
KeyStore is like the janitor’s closet for Android; it’s where all cryptographic keys and other sensitive information lives. So it’s a bad place for a vulnerability.
The researchers discovered the problem nine months ago, but waited until the Android Security Team came up with a patch for Android KitKat, which is now available. That still leaves Android users without KitKat (estimated to be 86.4 per cent of Android’s userbase) open to this kind of attack.
Nobody (as far as we know) actually exploited the vulnerability. To actually carry out an attack, would-be malicious hackers would have to overcome Android’s software protections, including coding and data executing prevention. But just because it hasn’t been done yet doesn’t mean it can’t be done.
You can read the full report from the researchers below.
[Ars Technica via IBM]
Picture: JD Hancock