All PCs, smartphones, and other gadgets running Linux-based systems such as Android are susceptible to extremely intrusive hacks due to a three-year-old flaw that was only discovered on Tuesday. Now the race to patch and secure millions of devices is on.
Known as a zero-day exploit, the Linux bug was unknown to the manufacturer, so is now vulnerable to attack before fixes, upgrades, and replacements are fully ready.
Discovery of what is identified as CVE-2016-0728 was made by Israeli defense startup Perception Point. By working with Linux researchers, Perception Point found that by manipulating the central Linux kernel, an app or user could gain unlimited control over the root systems. The problem has existed since Linux version 3.8, which is also present in devices running the Android version KitKat or better, or about two-thirds of all Android products.
The trouble lies in the keyring, part of the kernel that stores sensitive security information like encryption keys. Even built-in or add-on security features like “supervisor mode access prevention” and “supervisor mode execution protection” are still not enough protection to absolutely guarantee against hackers.
A fix is anticipated from top distributors of Linux this week, but it could be months or years before millions of Android handset or embedded device users are squared away, due to the fact their software updates are not prompted automatically. While Perception Point says the sensitivity has yet to be exploited, the risk is still real for now.