bit-tech.net

Android 'master key' discovery raises security risk

A new security vulnerability, due to be described in-depth by Bluebox CTO Jeff Forristal at the Black Hat USA 2013 conference, spells trouble for Android users.

A security research firm claims to have discovered a 'master key' that can allow attackers to modify the code of Android applications without rendering their security certificates invalid, potentially opening a back door into millions of Android devices around the world.

Android applications are supplied as an Android Package (APK) file, which is installed by a helper process in the popular operating system. These packages include a cryptographic signature guaranteeing that the package being installed is the same as the package created by the developer. While it doesn't stop malware from being published on Android - anybody can register for a development account and publish whatever they want to the Google Play service, with malicious files often only being taken down following user complaints - it makes it harder for an attacker to pose as a legitimate developer in order to fool users into installing the package.
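What that signature is supposed to guarantee can be made concrete. The following is an added example, not code from the article or from Bluebox: Android APKs use the JAR signing scheme, in which META-INF/MANIFEST.MF records a digest for every entry and the developer's key signs that manifest, so verification splits into a signature check over the manifest and a comparison of the manifest's digests against the actual entry contents. The Python below implements only the second half on a constructed package; the omitted signature step, the sample entries and the helper names are assumptions of this example.

```python
import base64, hashlib, io, zipfile

def sha1_b64(data):
    """JAR-style digest value: base64 of the SHA-1 of an entry's bytes."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_manifest(entries):
    """MANIFEST.MF body with one SHA1-Digest section per entry; this is what the developer signs."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return "\r\n".join(lines).encode()

def parse_manifest(body):
    """Return {entry name: expected digest} from a MANIFEST.MF body."""
    digests, name = {}, None
    for line in body.decode().splitlines():
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        elif key == "SHA1-Digest" and name is not None:
            digests[name], name = value, None
    return digests

def make_apk(entries, manifest_for=None):
    """Constructed APK-like ZIP; a different manifest_for mimics code changed after signing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", build_manifest(manifest_for or entries))
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def check_digests(apk_bytes):
    """Integrity half of verification: every code/resource entry must be listed and match."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        expected = parse_manifest(z.read("META-INF/MANIFEST.MF"))
        for info in z.infolist():
            if info.filename.startswith("META-INF/"):
                continue  # manifest and signature files are not themselves digested
            if info.filename not in expected:
                problems.append(f"{info.filename}: not covered by manifest")
            elif expected[info.filename] != sha1_b64(z.read(info)):
                problems.append(f"{info.filename}: digest mismatch")
    return problems
# Constructed sample: the same package before and after its code entry was altered
ORIGINAL = {"classes.dex": b"dex\n035\x00original", "res/x.xml": b"<x/>"}
MODIFIED = {**ORIGINAL, "classes.dex": b"dex\n035\x00altered"}
```

Running `check_digests` on `make_apk(ORIGINAL)` returns no problems, while `make_apk(MODIFIED, manifest_for=ORIGINAL)` reports a digest mismatch for classes.dex, which is the outcome the signature scheme is designed to produce when code is modified after signing.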

At least that was the theory. According to Jeff Forristal, chief technical officer at security firm Bluebox, there's a problem: the Android security model can be fooled into thinking an invalid signature is valid, allowing an attacker to modify the code contained within an APK without triggering an alarm.

'The implications are huge,' Forristal claims in a blog post on the discovery. 'This vulnerability, around at least since the release of Android 1.6, could affect any Android phone released in the last 4 years – or nearly 900 million devices – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.'

According to Bluebox's security team, Android overseer Google was informed of the vulnerability back in February 2013. In proof-of-concept testing, the team was able to modify a third-party developer's package in order to gain full super-user access to the system - using it to insert their own name into the phone's Baseband Version identifier, which appears in the Settings screen. Forristal has also promised to release technical details of the attack as part of a talk planned for the Black Hat USA 2013 security conference.

Releasing the technical details could, potentially, open up millions of Android users to attack. The undeniably fragmented nature of the Android ecosystem, in which devices only a year old can be abandoned by their creators and receive no software updates whatsoever, means that even if Google patches the flaw in its most recent release, hundreds of millions of devices will be left exposed.

Thus far, Google has not commented on the claimed vulnerability.

Snips 4th July 2013, 10:38 Quote
Since February? Wow, this is very bad.

I think Google are keeping quiet whilst they work day and night to patch this, right?
Spreadie 4th July 2013, 10:50 Quote
Quote:
Originally Posted by Snips
I think Google are keeping quiet whilst they work day and night to patch this, right?
You'd like to think so, wouldn't you?

Even so, an awful lot of devices are likely to be left unpatched and vulnerable.

Nice timing for Firefox OS though. :)
Jaybles 4th July 2013, 10:53 Quote
And Jolla :)
Nexxo 4th July 2013, 10:54 Quote
Quote:
Originally Posted by Snips
Since February? Wow, this is very bad.

I think Google are keeping quiet whilst they work day and night to patch this, right?

Er...yes. Yes, of course they are.
Dave Lister 4th July 2013, 11:03 Quote
Following in Microsoft's footsteps, I wonder if custom ROMs still have this master key! Incidentally BT, I've still never seen you cover the story of all versions of Windows since Win 95 Second Edition having back door keys built in for various government agencies to snoop around!
Gareth Halfacree 4th July 2013, 11:08 Quote
Quote:
Originally Posted by Dave Lister
Incidentally BT, I've still never seen you cover the story of all versions of Windows since Win 95 Second Edition having back door keys built in for various government agencies to snoop around!
Prove it, and an article shall appear. Alternatively, use the search function to bring up such classics as Windows 7 security courtesy of the NSA or Crypto 'backdoor' in Vista SP1. :p
Dave Lister 4th July 2013, 11:16 Quote
Quote:
Originally Posted by Gareth Halfacree
Quote:
Originally Posted by Dave Lister
Incidentally BT, I've still never seen you cover the story of all versions of Windows since Win 95 Second Edition having back door keys built in for various government agencies to snoop around!
Prove it, and an article shall appear. Alternatively, use the search function to bring up such classics as Windows 7 security courtesy of the NSA or Crypto 'backdoor' in Vista SP1. :p

Damn, I'll have to go hunting for the article now!
faugusztin 4th July 2013, 11:30 Quote
Quote:
Originally Posted by Dave Lister
I wonder if custom ROMs still have this master key!

Technically there is no such thing as a "master key" to include in any ROM in this case. Publishers have their private key, and the installer in Android checks if the signature is valid using the public key. The issue is that there is a vulnerability in Android which allows you to modify the packages without the ownership of the publisher's private key. That is why they call it a "master key", but there is no such thing to "have" in the Android ROM.

It is exactly meant as a master key in the terminology of locks and lockpicking. You've got your lock (APK package) and your key (private key), and others have their own locks and keys too, which can open only their own locks. But someone got the "master key", which can open all those locks. It doesn't mean it was made by the lock manufacturer, or that your keys are not good anymore - it is simply that someone can use a different means to access your locks; or in the case of this vulnerability, to modify packages of publishers without the knowledge of their private signing key.
Gareth Halfacree 4th July 2013, 11:36 Quote
Quote:
Originally Posted by Dave Lister
Admittedly some sites are saying this was debunked years ago, but MS have never dismissed the claims apparently.
It was. There has never been any evidence of a back door in Windows for government agents - which is why you've never seen a story on Bit-Tech saying that there's a back door in Windows for government agents. Even when Microsoft accidentally leaked the Windows source code, guess what? No back door.

I'm not saying there isn't one in there - in fact, I reckon there probably is - just that there is absolutely no evidence, and without evidence there's no story to tell. Like I said, if you can find evidence - not random conspiracy theory blogs rehashing a pre-millennial rumour long debunked - then I'd be more than happy to write it up and see it run as a front-page exclusive.
SAimNE 4th July 2013, 11:47 Quote
It's not as bad as it sounds for the users... worst case scenario, install a custom OS that supplies a fix if Google doesn't (there are going to be some). Though for Google this is going to be a decent blow to credibility if they don't fix this. Not to mention they would probably lose quite a few customers to the overpriced mess that is iOS.
Dave Lister 4th July 2013, 11:51 Quote
Quote:
Originally Posted by Gareth Halfacree
Quote:
Originally Posted by Dave Lister
Admittedly some sites are saying this was debunked years ago, but MS have never dismissed the claims apparently.
It was. There has never been any evidence of a back door in Windows for government agents - which is why you've never seen a story on Bit-Tech saying that there's a back door in Windows for government agents. Even when Microsoft accidentally leaked the Windows source code, guess what? No back door.

I'm not saying there isn't one in there - in fact, I reckon there probably is - just that there is absolutely no evidence, and without evidence there's no story to tell. Like I said, if you can find evidence - not random conspiracy theory blogs rehashing a pre-millennial rumour long debunked - then I'd be more than happy to write it up and see it run as a front-page exclusive.

I'm guessing this story has just recently popped up on the radar because of the proven spying that has happened recently. But the second link does say that the second key has been shown to belong to the NSA, and the article is dated June of this year.
Dave Lister 4th July 2013, 11:54 Quote
Quote:
Originally Posted by faugusztin
Quote:
Originally Posted by Dave Lister
I wonder if custom ROMs still have this master key!

Technically there is no such thing as a "master key" to include in any ROM in this case. Publishers have their private key, and the installer in Android checks if the signature is valid using the public key. The issue is that there is a vulnerability in Android which allows you to modify the packages without the ownership of the publisher's private key. That is why they call it a "master key", but there is no such thing to "have" in the Android ROM.

It is exactly meant as a master key in the terminology of locks and lockpicking. You've got your lock (APK package) and your key (private key), and others have their own locks and keys too, which can open only their own locks. But someone got the "master key", which can open all those locks. It doesn't mean it was made by the lock manufacturer, or that your keys are not good anymore - it is simply that someone can use a different means to access your locks; or in the case of this vulnerability, to modify packages of publishers without the knowledge of their private signing key.

Consider me more educated on the matter now, cheers for the explanation faugusztin
Gareth Halfacree 4th July 2013, 12:22 Quote
Quote:
Originally Posted by Dave Lister
But the second link does say that the second key has been shown to belong to the NSA, and the article is dated June of this year.
The story which appears on a right-wing conspiracy site run by a single individual, you mean. Yeah, the source for that claim? Joseph Farah, a conspiracy theorist who was vocal in claiming that Barack Obama was not a US citizen, and therefore could not serve as president. After the birth certificate proving Obama's heritage was released, he claimed that he wouldn't believe it without seeing the long-form version of the birth certificate - going so far as to promise $15,000 to the hospital if it released the certificate. When the long-form birth certificate was released, he reneged on his offer and claimed that the certificate was fraudulent.

What I'm trying to say here is this: don't trust news you read from anti-government right-wing types (or, indeed, left-wing types - basically, any extremism is bad extremism) especially when the news paints the government in a bad light. Especially don't trust people like Farah, who is neither a security expert nor a cryptographer, to have any idea what he's talking about when it comes to cryptographic signing keys.
Andy Mc 4th July 2013, 12:37 Quote
So. Is this how PRISM is logging our mobile metadata then?

Brb, just getting my tinfoil hat.
faugusztin 4th July 2013, 12:37 Quote
Quote:
Originally Posted by Dave Lister
Consider me more educated on the matter now, cheers for the explanation faugusztin

Just to be more detailed - while this "security hole" increases risk, it does so only for those who are already living a dangerous life in the first place. The reason is that while technically you could inject your own dangerous code into an application of another publisher, that is only a part of the publishing process. You would also need to distribute the app, and this is where you hit a wall - to put it on Play Store or Amazon Appstore, you would need to get the logon credentials of the publisher, to upload your modified version as a new version of the app from the publisher.

Otherwise you would need to choose one of the less optimal distribution paths:
- Play Store/Amazon Appstore, but the app would have to be published with a different publisher and different namespace, which pretty much defeats the point of doing this in the first place
- manual distribution (warez sites etc) - this is realistically the only place where this hole could work.

In short - if you only use official application stores, you still don't have to fear for the security of your phone unless the publisher of the application got hacked.
Dave Lister 4th July 2013, 12:40 Quote
Fair enough. Nobody should be trusted really. Anyway it's good to know you guys are on the ball and know about the murkier side of things :)
Gareth Halfacree 4th July 2013, 13:09 Quote
Quick update: CIO has word from third parties that Google's recent move to ban apps from self-updating outside Google Play was in response to this, and that Google Play itself has been updated to detect if files that are uploaded have been tampered with. It's also claimed that, while Google's stock Android install found on the Nexus family is still vulnerable, Samsung has apparently patched the Galaxy S4 to remove the flaw. No details yet on how, or how quickly other manufacturers will do the same for their own handsets.
faugusztin 4th July 2013, 13:28 Quote
Quote:
Originally Posted by Dave Lister
Fair enough. Nobody should be trusted really. Anyway it's good to know you guys are on the ball and know about the murkier side of things :)

It's not really a "murkier side", there are simply steps to publish an app in Play Store and you can't just go and publish an "Angry Birds" application with "ROVIO MOBILE LTD." set as publisher without really being "ROVIO MOBILE LTD.", as you can't register 2 publishers with the same name and you need to be able to access the Google Play Developer Console of the publisher to publish an app in their name in the first place.

Sure, in the case where your user name and password are compromised and someone knows this "master key" trick, then yes, he could upload an updated version of an app without knowledge of the original signature - but in that case you have a much bigger problem than a malicious app uploaded in your own name :).
Spreadie 4th July 2013, 13:33 Quote
Quote:
Originally Posted by faugusztin
Just to be more detailed - while this "security hole" increases risk, it does so only for those who are already living a dangerous life in the first place. The reason is that while technically you could inject your own dangerous code into an application of another publisher, that is only a part of the publishing process. You would also need to distribute the app, and this is where you hit a wall - to put it on Play Store or Amazon Appstore, you would need to get the logon credentials of the publisher, to upload your modified version as a new version of the app from the publisher.

Otherwise you would need to choose one of the less optimal distribution paths:
- Play Store/Amazon Appstore, but the app would have to be published with a different publisher and different namespace, which pretty much defeats the point of doing this in the first place
- manual distribution (warez sites etc) - this is realistically the only place where this hole could work.

In short - if you only use official application stores, you still don't have to fear for the security of your phone unless the publisher of the application got hacked.
I would argue it's a little naive to assume that there aren't any employees at genuine publishing houses with ties to people who have access to this code. So, to suggest the only people at risk are ne'er-do-wells themselves is dismissive and a dangerous idea to propagate.
faugusztin 4th July 2013, 14:01 Quote
You need an inside man for that - and unless that inside man is an idiot willing to sit a few years in jail for that, then it is not going to happen. I simply don't see this happening in Play Store (especially when Google has known about it for a while and probably implemented a check for this in the upload procedure; they are checking your APK files for malware and trojans already). So while it is possible that a client side fix is not yet distributed, a server side fix could already have been live for weeks or months. This is in my opinion confirmed by the fact that they will publish a "proof of concept" at the end of this month (as that is the next big security conference), so the description of the attack is "safe to publish" as it is "fixed".

So yes, in my opinion the only danger is when you are installing from "other sources".
Snips 5th July 2013, 14:28 Quote
By the sound of things and from what I've seen, Google Play has so many filler apps that they have no idea what's being made available to the everyday user. That's the price for it being too open I suppose.