Android Central Explains The CONFIG_KEYS Vulnerability


I’ve been reading snippets about the latest Android vulnerability here and there, but have never fully understood it—that is until yesterday, when Android Central’s Jerry Hildenbrand posted his excellent breakdown of CONFIG_KEYS to that site.

The attack vector was recently discovered by a security company called Perception Point. It’s an issue not with Android itself but with the Linux kernel that lies underneath, potentially affecting up to 66% of all Android devices along with tens of millions of Linux-powered PCs and servers.

Sounds scary, right? Fortunately, like Stagefright, the only successful attacks using this exploit have been carried out in security research firm labs, and the aggregate risk to Android users is low.

Over to Jerry for the best explanation of CONFIG_KEYS that I’ve read so far:

There’s a bug in the Linux kernel (version 3.8 and higher) that lets an attacker get root access. The kernel needs to have been built with the Keyring service enabled, and an attack needs to do a lot of math to make a number count as high as it possibly can, then go back to zero. It takes 4,294,967,296 computations to cycle a 32-bit integer (two to the 32nd power) back to zero. This takes just 30 minutes or so on a brand new Intel i7 CPU, but would take a lot longer (as in a whole lot longer) on a phone CPU.

Once the number goes the whole way around (think of how a pinball machine goes back to zero once your score reaches 999,999,999) and back to zero, the attacker can gain access to the memory space and execute code as the super user.

So the actual risk of a phone being attacked is slim at best. Here’s some more good news:

  • The recommended kernel configuration for Android devices does not have the CONFIG_KEYS variable turned on, and that means this exploit will have no effect. The people who made your phone may have enabled it, and custom ROM cookers might have, too.
  • All Nexus phones are unaffected — they use the default kernel configuration and the Keyring is not enabled in the kernel.
  • SELinux negates the attack vector, so if your phone or tablet is running Android 5.0 or higher, you should be unaffected.
  • Most devices not running Android 5.0 or higher will be using an older version of the Linux kernel, and are unaffected.

TL;DR If you’re running Android 5.0 or higher then you’re probably okay. And if you’re not running Android 5.0 or higher then you’re also probably okay.

Thanks, Jerry!

Source: Android Central

Leave a Reply