Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security Android Google Handhelds

New Cache Attack Can Monitor Keystrokes On Android Phones (onthewire.io) 36

Trailrunner7 quotes a report from OnTheWire: : Researchers from an Austrian university have developed techniques that allow them to perform cache attacks on non-rooted Android phones that can monitor the keystrokes, screen taps, and even observe code execution inside the ARM processor's TrustZone secure execution environment. The attacks the team developed are complex and rely on a number of individual building blocks. The techniques are similar to some used against Intel x86 processor-based systems, but the team from Graz University of Technology in Austria shows that they can be used on ARM-based systems, such as Android phones, as well.

"Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude. Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen," the researchers wrote in their paper, which was presented at the USENIX Security Symposium this week.

It's a proof-of-concept attack. But interestingly, another recently-discovered Android vulnerability also required the user to install a malicious app -- and then allowed attackers to take full control of the device.
This discussion has been archived. No new comments can be posted.

New Cache Attack Can Monitor Keystrokes On Android Phones

Comments Filter:
  • by macs4all ( 973270 ) on Saturday August 13, 2016 @11:43AM (#52696373)
    Actually, according to TFS, actually TWO separate Vulnerabilities.

    Kinda reminds me of the "heyday" of Windows Exploits.

    And of course, the worst thing is that most Android devices in the wild will never see a patch for any of them...
    • by swillden ( 191260 ) <shawn-ds@willden.org> on Saturday August 13, 2016 @01:01PM (#52696643) Homepage Journal

      Actually, according to TFS, actually TWO separate Vulnerabilities.

      More precisely, one vulnerability (the quadrooter bug which can be patched, and is being patched on Nexus devices), and one whole class of vulnerabilities which no one knows how to fix, and which affect all ARM-based devices, including iOS devices. It should also be noted that x86-based devices are even more vulnerable than ARM-based devices; big parts of the paper are about how aspects of ARM that make cache timing attacks tougher can be mitigated, but they're easier on x86.

      iOS devices do actually have a security advantage with respect to the cache timing attacks, though. It isn't that Apple knows how to defeat them, so patching is irrelevant, it's that in order to mount a cache timing attack you have to understand the system code in great detail, and that's easier with open source software than with closed source software. That's the reason these researchers targeted Android. Targeting iOS could be done, but it would be a lot more work to reverse engineer the binaries (or, for serious attackers, to steal the source code). Of course, there's a disadvantage there as well; Android's diversity means that an attacker has to do work for each specific model he wants to attack. iOS is a monoculture.

      This has an implication for my work. I've been trying to find ways to get the source code of TrustZone components opened up (It is fully open on the Nexus 9 and the Pixel C, and will be on more devices which use Google's "Trusty" TrustZone OS). But... until we find better defenses against cache timing attacks there's actually some security benefit to keeping the code closed. Not much, of course. Security by obscurity isn't, and it's likely more than offset by the ability for bugs to persist longer in closed code. But there's at least an argument for keeping it closed, which is going to make my work harder.

      • It is fully open on the Nexus 9 and the Pixel C

        Actually, I misspoke. This isn't true. The TrustZone code on those devices is closely related to code which has been published in AOSP, but it's not identical and there is at least one major component that hasn't been published at all.

      • which no one knows how to fix, and which affect all ARM-based devices, including iOS devices.

        How do you know that?

        Apparently you don't know that, unlike your typical Android OEM, Apple holds one of only a few "Architecture" licenses from ARM, and thus can, and DOES, actually DESIGNS THEIR OWN ARM CORES FROM THE GROUND UP.

        So, unless you actually have PROOF of this working on an iOS device, you shouldn't just lump them in with all the Android devices, just because they share (mist of) a common instructio

        • by swillden ( 191260 ) <shawn-ds@willden.org> on Saturday August 13, 2016 @02:38PM (#52696973) Homepage Journal

          which no one knows how to fix, and which affect all ARM-based devices, including iOS devices. How do you know that?

          I know that because I read the research paper, and the vulnerability derives from the fundamental architecture of CPU caches used in modern devices. ARM was thought perhaps to be safe because of some characteristics of the caching architecture which makes it more difficult than on x86... but this paper shows that not to be true.

          Apparently you don't know that, unlike your typical Android OEM, Apple holds one of only a few "Architecture" licenses from ARM, and thus can, and DOES, actually DESIGNS THEIR OWN ARM CORES FROM THE GROUND UP.

          Doesn't matter, unless they've invented an entirely new approach to caching.

          So, unless you actually have PROOF of this working on an iOS device, you shouldn't just lump them in with all the Android devices, just because they share (mist of) a common instruction set.

          It's got nothing to do with instruction sets. You should read the paper.

    • by Tesen ( 858022 )

      That's ok. I only surf porn from my android phone and leave all my ECommerce interaction to my Windows XP machine unpatched sitting in my DMZ.

  • It's amazing to me that there are so many ways to nail a phone with malware or spy on it or do something malicious to it or with it.

    You'd have thought that eventually they'd run out of new vulnerabilities to find, but damn, it's just like a never-ending shitstorm of exploit after exploit after exploit that never seems to stop.

    Yes, these are complex devices with a large attack surface (obviously, lol) but still, it's incredible that new exploits or holes or flaws are found almost every single day.

  • and then allowed attackers to take full control of the device.

    Who's playing my Pokemon Go?!?

UNIX is many things to many people, but it's never been everything to anybody.

Working...