A new security issue (
Google's Adrian Ludwig, lead engineer for Android security,
As always, there are still plenty of questions. Let's talk about them.
What is going on?
There's a bug in the Linux kernel (version 3.8 and higher) that lets an attacker get root access. The kernel must have been built with the Keyring service enabled, and the attack has to do a lot of math to make a number count as high as it possibly can and then wrap back to zero. Cycling a 32-bit integer back to zero takes 4,294,967,296 computations (two to the 32nd power). This takes just 30 minutes or so on a brand new Intel i7 CPU, but would take a lot longer (as in a whole lot longer) on a phone CPU.
Once the number wraps all the way around to zero (think of how a pinball machine goes back to zero once your score reaches 999,999,999), the attacker can gain access to the memory space and execute code as the super user.
Should you be worried?
We should always be concerned when a security exploit arises. This time is no different. But there are a few things here that make many question the number of potentially affected devices.
- The recommended kernel configuration for Android devices does not turn on the CONFIG_KEYS option, which means this exploit has no effect on kernels built that way. The people who made your phone may have enabled it, and custom ROM cookers might have, too.
- All Nexus phones are unaffected — they use the default kernel configuration and the Keyring is not enabled in the kernel.
- SELinux negates the attack vector, so if your phone or tablet is running Android 5.0 or higher, you should be unaffected.
- Most devices not running Android 5.0 or higher will be using an older version of the Linux kernel, and are unaffected.
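The conditions in the list above can be turned into a quick triage check. The script below is an added example, not code from the article or from Google; the function names and verdict strings are hypothetical, the sample inputs are constructed, and treating SELinux "Enforcing" mode as the mitigating state is an assumption.

```shell
#!/bin/sh
# Added example: classify a kernel against the conditions the article lists.

# Succeeds when the release string is version 3.8 or higher; returns 2 if unparseable.
kernel_in_range() {
    ver=${1%%[!0-9.]*}                 # "3.10.49-g1a2b" -> "3.10.49"
    major=${ver%%.*}
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $minor in ''|*[!0-9]*) minor=0 ;; esac
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; }
}

# Succeeds when the kernel build config text enables the Keyring service.
keyring_enabled() {
    printf '%s\n' "$1" | grep -q '^CONFIG_KEYS=y$'
}

# assess RELEASE CONFIG_TEXT SELINUX_MODE -> prints one verdict line.
assess() {
    kernel_in_range "$1" && rc=0 || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "unknown: cannot parse kernel release"
    elif [ "$rc" -ne 0 ]; then
        echo "not-affected: kernel older than 3.8"
    elif ! keyring_enabled "$2"; then
        echo "not-affected: CONFIG_KEYS not enabled"
    elif [ "$3" = "Enforcing" ]; then  # assumption: enforcing mode is what counts
        echo "mitigated: SELinux enforcing"
    else
        echo "exposed: needs the patched kernel"
    fi
}

# Constructed sample inputs, not taken from a real device.
SAMPLE_CONFIG='CONFIG_SECURITY=y
# CONFIG_KEYS is not set
CONFIG_SECURITY_SELINUX=y'

assess "3.10.49-g1a2b3c4" "$SAMPLE_CONFIG" "Enforcing"
assess "3.4.0-perf" "CONFIG_KEYS=y" "Permissive"
assess "3.18.20" "CONFIG_KEYS=y" "Permissive"
```

On a live Linux system the three inputs would come from `uname -r`, the kernel build config (for example `zcat /proc/config.gz`, where the kernel exposes it) and `getenforce`.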
Yes, plenty of computers, phones and tablets are affected by this exploit. But we doubt the numbers Perception Point has given.
We can't audit all 11,000 different models of Androids out there, but we can direct everyone with more questions to their relevant
What should I do?
This is one of those security issues that can be exploited by an app, provided your phone is vulnerable as we talked about above. Because there is a lot of calculation involved, a bad app would have to run in the foreground for a long time, so something like a game is the kind of app someone would try to hide an exploit in.
To stay safe, don't install apps you do not trust. Ever.
If you're not sure who you can trust, just make sure you do not allow apps to be installed from unknown sources and stick to Google Play.
It really is that easy to be 100 percent safe from this one.
What about updates for the exploits?
Google's Ludwig says that the patch was released January 20 to open source and delivered to all partners. Manufacturers will have to include this patch to be compliant with the security patch level of March 1, 2016, and later.