Android Master Key Security Breach Affects 99% of Android Phones

The security firm Bluebox Security makes it its job to find security holes in computer systems and electronic devices. The company has worked hard to stay one step ahead of hackers and has now announced that it has identified the mother of all security holes in the Android operating system: a digital skeleton key or master key that would unlock 99% of the Android phones on the market.

Thus far, no hacker has been known to have found a means of exploiting the master key. Google, the owner and developer of Android, was notified about the security exposure months ago.

All versions of Android since the Donut release (version 1.6) are affected. The master key issue has apparently left a donut-sized hole in all subsequent releases as well. Since 2009, over 900 million Android phones have been sold. Should a hacker make use of the master key, they would have access to all of the contents of a phone plus the ability to listen in on conversations.

In short, the master key allows someone to take over the phone. Bluebox demonstrated the power of the master key by altering a phone’s baseband version, which isn’t otherwise possible except through a firmware upgrade.

The hacker can even use the phone to eavesdrop on private conversations.

Writing on the Bluebox blog, Jeff Forristal said the implications of the discovery were “huge”.

Forristal writes:

While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) – that are granted special elevated privileges within Android – specifically System UID access.

Forristal goes on to explain that the exploit can lead to the installation of a trojan:

Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.

Source material:

‘Master key’ to Android phones uncovered

Android master key Exploitation In Every Adroid Phone: Reports