By Robert Lawson, Tech Times | July 1, 7:06 PM
The vulnerability was discovered in September 2013, and the Android security team quickly assembled to provide a patch in KitKat 4.4. However, sources report that the remaining devices haven't yet gotten a fix for the problem, leaving them exposed to potential hacking of information and cryptographic keys.
Data reports indicate that less than 14 percent of Android OS users actually have the patched 4.4 KitKat. About a third of users are running 4.1.x. The vulnerability doesn't appear to have been exploited yet.
The vulnerability involves KeyStore, which stores cryptographic key information and other sensitive data, reports confirm. Security researchers classify this particular flaw as a stack-based buffer overflow. It basically means cyber bandits can execute code to hijack phone lock credentials, then access personal or important data on the device.
Hackers with malicious intent would still need some very code-savvy skills. They would first need to break through Android's protective software layers, which include coding and data execution prevention built into the system. Address space layout randomization is another form of protection.
Of course, that doesn't make it impossible. As we have seen time and again, just because it hasn't been accomplished doesn't mean that someone won't be able to do it. The vulnerability, in fact, went unnoticed until IBM researchers pointed it out.
KeyStore is probably one of the most data-sensitive areas of the Android platform, making this particular threat troubling to many, reports suggest. A computer science professor at Rice University explained that apps that interact with the KeyStore and use predefined codes and patterns are at risk, especially those that don't require typing a password each time. The good news, he said, is that most banking apps and sites require you to enter and verify information each time, so they are less likely to be hacked in this way.
The vulnerability could possibly be used to impersonate the device owner and fraudulently make transactions or create digital signatures using the obtained data.