Earlier this week I talked at the annual HITB security conference in the Netherlands about some of my recent research into Android vulnerabilities. The topic of my talk was how performance counters in Android led to several serious vulnerabilities – including several that led to root access. This could allow an attacker to take control of a user’s device. I’d earlier disclosed some of these flaws beforehand, but withheld technical details until my talk.
These counters are kernel-based subsystems that were added to provide features for on-board benchmarks. These counters are present in most Android smartphones sold today – devices with versions 4.4.4 to 6.0.1 have generally enabled the system calls necessary. Even an app that doesn’t have any Android permissions can make these system calls.
However, the code for these features are not maintained as part of the Linux kernel: instead each developer creates their own Performance Monitor Unit (PMU) and maintains it. Beyond the internal code review of each CPU manufacturer, there is little oversight of this process.
This combination of powerful code and relatively lax code audits has resulted in some code which I’ve found has multiple vulnerabilities. I found five bugs in the stock version of Android, four of which are critical and can be used to run code on the device.
The technical details of these bugs are in my slides. Our research tells us that so far this particular vulnerability is still hard to exploit. However, attacks only get better with time: it is very possible that in the future a more reliable exploit for this class of vulnerability will emerge. It is important that the industry get ahead of the curve and fix this problem before it becomes exploited in the wild.
In addition, this highlights the important it is that patches be delivered quickly to users – there are still millions of devices at risk, because their OEMs and telcos have not been able to deliver patches in a timely manner. This is a significant problem that has been known about for years, but even now has yet to be resolved. The problem is even worse for Internet of Things (IoT) devices, which contains remarkably sensitive data about users. However, these devices are even more rarely updated than most smartphones and tablets, raising even more security and privacy concerns.