Android crypto key theft vulnerability affects 86% of devices (opens in new tab)

(arstechnica.com)

37 pointsTitanbase11y ago11 comments

11 comments

One of the first comments there with the partial ARM opcode map shows why this vulnerability is "theoretical" - you can overflow the buffer, but the bytes written to the buffer are restricted so much (values will always be between 43 and 126) that it would be nearly impossible to write useful exploit code.

The details are here:

http://securityintelligence.com/android-keystore-stack-buffe...

nutate11y ago

"nearly impossible to write useful exploit code" sounds like a worthy challenge to some people I know.

MBCook11y ago

The sad thing is how many of these devices, despite being only a year or two old, may only get patched much later or never.

I find it interesting that Google is forcing the ability to update [1] Android watches, cars, and TV boxes by limiting OEM customization. I guess the carrot approach hasn't been working well enough to convince OEMs.

[1] http://arstechnica.com/gadgets/2014/06/android-wear-auto-and...

andrewfong11y ago

Especially glad they're forcing the issue with cars. Imagine if a bug or security vulnerability in Maps led to an accident ("Now turn left NO TURN RIGHT TURN RIGHT NOW").

Functionally, since Google Auto probably doesn't touch the car's own computer system, it's probably no worse than a vulnerability in your phone. But the PR from "Google Auto bug causes accident" sounds so much more terrible than "smartphone bug causes accident".

taspeotis11y ago

> Imagine if a bug or security vulnerability in Maps led to an accident ("Now turn left NO TURN RIGHT TURN RIGHT NOW").

I'd like to think that people are smart enough not to do exactly what their GPS tells them to do without questioning it but I'd be wrong [1].

[1] http://www.smh.com.au/travel/travel-planning/travel-news/tak...

1 more reply

lloeki11y ago

Android Auto in cars is just a dumb screencast, like iOS CarPlay.

2 more replies

BuildTheRobots11y ago

They're attempting the carrot again with the AndoidOne platform they announced at Google I/O. Supported hardware blocks for OEMs but with google keeping the software updated, so there's reason to be hopeful going forward.

On the flip side I have a Nexus4 "GooglePhone" and the latest update basically crippled it (mobile data wise), so maybe it's not all roses o_0

zaroth11y ago

It would have been interesting if CA legislature had focused on forcing companies to provide security patches for some number of years instead of the 'kill switch' issue.

Maybe the EU will take this up as a part of the baseline warranty requirements they push. You don't have to ship a perfect device, but you do have to provide support for security critical patches for a certain time frame. It seems beyond reckless, certainly unethical, borderline negligent, to ship a smartphone and then just leave it exposed as known vulnerabilities pile up.

Once we're talking about phones with a certain level of sophistication, I think 3 years of auto-pushed security updates is not too much to ask! To me, it's a minimum requirement of any device I would buy, but the average consumer has no idea how vulnerable their device actually becomes over time.

j / k navigate · click thread line to collapse