New Cache Attack Can Monitor Keystrokes On Android Phones (onthewire.io) 36
Trailrunner7 quotes a report from OnTheWire:
: Researchers from an Austrian university have developed techniques that allow them to perform cache attacks on non-rooted Android phones that can monitor the keystrokes, screen taps, and even observe code execution inside the ARM processor's TrustZone secure execution environment. The attacks the team developed are complex and rely on a number of individual building blocks. The techniques are similar to some used against Intel x86 processor-based systems, but the team from Graz University of Technology in Austria shows that they can be used on ARM-based systems, such as Android phones, as well.
"Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude. Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen," the researchers wrote in their paper, which was presented at the USENIX Security Symposium this week.
It's a proof-of-concept attack. But interestingly, another recently-discovered Android vulnerability also required the user to install a malicious app -- and then allowed attackers to take full control of the device.
"Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude. Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen," the researchers wrote in their paper, which was presented at the USENIX Security Symposium this week.
It's a proof-of-concept attack. But interestingly, another recently-discovered Android vulnerability also required the user to install a malicious app -- and then allowed attackers to take full control of the device.
Another Day, Another Android Vulnerability (Score:5, Interesting)
Kinda reminds me of the "heyday" of Windows Exploits.
And of course, the worst thing is that most Android devices in the wild will never see a patch for any of them...
Re:Another Day, Another Android Vulnerability (Score:5, Informative)
Actually, according to TFS, actually TWO separate Vulnerabilities.
More precisely, one vulnerability (the quadrooter bug which can be patched, and is being patched on Nexus devices), and one whole class of vulnerabilities which no one knows how to fix, and which affect all ARM-based devices, including iOS devices. It should also be noted that x86-based devices are even more vulnerable than ARM-based devices; big parts of the paper are about how aspects of ARM that make cache timing attacks tougher can be mitigated, but they're easier on x86.
iOS devices do actually have a security advantage with respect to the cache timing attacks, though. It isn't that Apple knows how to defeat them, so patching is irrelevant, it's that in order to mount a cache timing attack you have to understand the system code in great detail, and that's easier with open source software than with closed source software. That's the reason these researchers targeted Android. Targeting iOS could be done, but it would be a lot more work to reverse engineer the binaries (or, for serious attackers, to steal the source code). Of course, there's a disadvantage there as well; Android's diversity means that an attacker has to do work for each specific model he wants to attack. iOS is a monoculture.
This has an implication for my work. I've been trying to find ways to get the source code of TrustZone components opened up (It is fully open on the Nexus 9 and the Pixel C, and will be on more devices which use Google's "Trusty" TrustZone OS). But... until we find better defenses against cache timing attacks there's actually some security benefit to keeping the code closed. Not much, of course. Security by obscurity isn't, and it's likely more than offset by the ability for bugs to persist longer in closed code. But there's at least an argument for keeping it closed, which is going to make my work harder.
Re: (Score:2)
It is fully open on the Nexus 9 and the Pixel C
Actually, I misspoke. This isn't true. The TrustZone code on those devices is closely related to code which has been published in AOSP, but it's not identical and there is at least one major component that hasn't been published at all.
Re: (Score:1)
How do you know that?
Apparently you don't know that, unlike your typical Android OEM, Apple holds one of only a few "Architecture" licenses from ARM, and thus can, and DOES, actually DESIGNS THEIR OWN ARM CORES FROM THE GROUND UP.
So, unless you actually have PROOF of this working on an iOS device, you shouldn't just lump them in with all the Android devices, just because they share (mist of) a common instructio
Re:Another Day, Another Android Vulnerability (Score:5, Informative)
which no one knows how to fix, and which affect all ARM-based devices, including iOS devices. How do you know that?
I know that because I read the research paper, and the vulnerability derives from the fundamental architecture of CPU caches used in modern devices. ARM was thought perhaps to be safe because of some characteristics of the caching architecture which makes it more difficult than on x86... but this paper shows that not to be true.
Apparently you don't know that, unlike your typical Android OEM, Apple holds one of only a few "Architecture" licenses from ARM, and thus can, and DOES, actually DESIGNS THEIR OWN ARM CORES FROM THE GROUND UP.
Doesn't matter, unless they've invented an entirely new approach to caching.
So, unless you actually have PROOF of this working on an iOS device, you shouldn't just lump them in with all the Android devices, just because they share (mist of) a common instruction set.
It's got nothing to do with instruction sets. You should read the paper.
Re: (Score:3)
if I did get an Android device, that I'm forever going to be vulnerable with no vendor support
Just make sure you get one from a vendor who commits to support it.
Re: (Score:2)
Does that even exist? Even vendors such as Motorola & Samsung have promised support and then abandoned it for some phones and the less said about HTC & others like Huawei the better.
Re: (Score:3)
Does that even exist?
At a minimum, there's Nexus.
Even vendors such as Motorola & Samsung have promised support and then abandoned it for some phones
Samsung has committed to monthly security updates on some models: http://security.samsungmobile.... [samsungmobile.com]
However, I note the waffling about carriers and regions, and the fact that it doesn't specify how long they'll keep delivering updates.
Re: (Score:2)
the less said about HTC & others like Huawei the better
Oops, hit send too soon. It appears that Huawei is actually doing a pretty good job: http://www.digit.in/mobile-pho... [digit.in]. 77% doesn't sound great, but it actually is pretty good when you consider there's a fair fraction of Android users who refuse to accept updates, and when you consider that Huawei is almost certainly only patching recent models. So, if you have a fairly recent Huawei device and accept the updates when they come, you should be good.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That's ok. I only surf porn from my android phone and leave all my ECommerce interaction to my Windows XP machine unpatched sitting in my DMZ.
Damn (Score:2)
It's amazing to me that there are so many ways to nail a phone with malware or spy on it or do something malicious to it or with it.
You'd have thought that eventually they'd run out of new vulnerabilities to find, but damn, it's just like a never-ending shitstorm of exploit after exploit after exploit that never seems to stop.
Yes, these are complex devices with a large attack surface (obviously, lol) but still, it's incredible that new exploits or holes or flaws are found almost every single day.
Of course (Score:2)
and then allowed attackers to take full control of the device.
Who's playing my Pokemon Go?!?