What you need to know about the CONFIG_KEYS Linux kernel vulnerability

By Jerry Hildenbrand
last updated

A new security issue (CVE-2016-0728 for those who like to keep track of these things) was announced on January 14 by Perception Point, a security research team. The bug affects kernels compiled with the CONFIG_KEYS kernel configuration switch set to "on," and has been present in all Linux kernels since version 3.8. The exploit allows root escalation by cycling a 32-bit integer back to zero. Perception point claims that "approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices" are affected.

Google's Adrian Ludwig, lead engineer for Android security, has responded, saying the exploit has been patched and released to open source as of January 20.

As always, there are still plenty of questions. Let's talk about them.

What is going on?

There's a bug in the Linux kernel (version 3.8 and higher) that lets an attacker get root access. The kernel needs to have been built with the Keyring service enabled, and an attack needs to do a lot of math to make a number count as high as it possibly can, then go back to zero. It takes 4,294,967,296 computations to cycle a 32-bit integer (two to the 32nd power) back to zero. This takes just 30 minutes or so on a brand new Intel i7 CPU, but would take a lot longer (as in a whole lot longer) on a phone CPU.

Once the number goes the whole way around (think of how a pinball machine goes back to zero once your score reaches 999,999,999) and back to zero, the attacker can gain access to the memory space and execute code as the super user.

Should you be worried?

We should always be concerned when a security exploit arises. This time is no different. But there are a few things here that make many question the number of potentially affected devices.

  • The recommended kernel configuration for Android devices does not have the CONFIG_KEYS variable turned on, and that means this exploit will have no effect. The people who made your phone may have enabled it, and custom ROM cookers might have, too.
  • All Nexus phones are unaffected — they use the default kernel configuration and the Keyring is not enabled in the kernel.
  • SELinux negates the attack vector, so if your phone or tablet is running Android 5.0 or higher, you should be unaffected.
  • Most devices not running Android 5.0 or higher will be using an older version of the Linux kernel, and are unaffected.

Yes, plenty of computers, phones and tablets are affected by this exploit. But we doubt the numbers Perception Point has given.

We can't audit all 11,000 different models of Androids out there, but we can direct everyone with more questions to their relevant device forum. In a nutshell, if you're running Lollipop you're safe. If you're not, look at the About device screen and check your kernel version. If it's earlier than 3.8 you're safe.

What should I do?

This is one of those security issues that can be exploited by an app — provided your phone is vulnerable as we talked about above. Because there is a lot of calculation involved, you would have to have a bad app running in the foreground for a long time, so something like a game would be a good app to try and hack an exploit into.

To stay safe, don't install apps you do not trust. Ever.

If you're not sure who you can trust, just make sure you do not allow apps to be installed from unknown sources and stick to Google Play.

It really is that easy to be 100 percent safe from this one.

What about updates for the exploits?

Google's Ludwig says that the patch was released January 20 to open source and delivered to all partners. Manufacturers will have to include this patch to be compliant with the security patch level of March 1, 2016, and later.

Jerry Hildenbrand
Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

47 Comments
  • #nexusmasterrace Posted via my glorious Nexus 6P
  • #ugh Posted via the Android Central App
  • #fu,bullshit Sent from my Nexus 6 Posted via the Android Central App
  • Be happy that your Nexus is unaffected. Posted via the Android Central App on my Frost Nexus 6P
  • It is the Napoleon Complex that Nexus users have that pisses me off
  • That's painting with a very, very broad brush. The same dbag fanboys exists on any type of platform, brand, manufacturer, device, etc. etc. You know this already, of course.
  • yep, i know
  • woohooo!!! NEXUS NEXUS NEXUS! "All Nexus phones are unaffected — they use the default kernel configuration and the Keyring is not enabled in the kernel."
  • Maybe a way to root otherwise un-rootable devices like my moto e 2vzw Posted via the Android Central App
  • Unlikely, judging from the article a very small number of android devices are likely to be vulnerable. Even if your moto Es kernel was compiled with config_keys enabled, the chance that SELinux isn't being enforced is pretty much zero Posted via the Android Central App
  • Thank you, Jerry, for explaining this. Well done, and appreciated. Posted via the Android Central App
  • You're welcome :) It's important that each and every security issue be addressed (in my opinion) and explained in easy language. Our lives are in these phones!
  • +1 Posted via the AC App from SM-N910F
  • Thank you for heading off the inevitable FUD that will ensue as a result of this. Posted using SwiftKey on my LG G4 via the Android Central App
  • Oh the FUD will come...apple boys should get here soon Posted via the Android Central App
  • Lol fud... bare yourselves I see the fuds coming.
  • Stopped reading after jerry said it was patched on the 20th Posted from my Nexus 6/Nexus 7 2013/Surface Pro 3
  • Lol @ 66 percent of Android devices affected. Never go full retard. And they just went full retard. Posted via the Android Central App
  • I never heard of this until now.
  • Thanks Jerry. Posted via the Android Central App
  • "think of how a pinball machine goes back to zero once your score reaches 999,999,999" -- that only happens on mechanical reels, solid state pinball machines don't do that.
  • Feel better now? Posted via the Android Central App
  • He's just making a comparison so we could understand the variables.
  • I know of no machine with mechanical reels that go that high, most go back to zero after 99,999, some at 999,999, but 999,999,999? doubtful. That and the SS sitting in my house doesn't go that high either, but I have not scored more than 999,999 to see what happens, I'll try harder (yes 6 digit ss display).
  • Meanwhile, I have never freaked out over a security exploit.....ever. Soft and sweet Marshmallow
  • Same here. But, I do know a person who was wringing her hands and panicking over the stagefright issue, and she has a flip phone!
  • Haha wow a person with a flip phone in this time of day. Posted via the Android Central App on my Frost Nexus 6P
  • Same. But sometimes I do get friends mentioning things like this, because they've heard from a friend, who heard from a friend... These plain English articles are great for not only explaining to me, but for sending to friends to explain why they don't need to worry. Posted via the Android Central App
  • Exactly. Stagefright, what? Posted via the Android Central App
  • Easy to understand explanation. Whenever I hear about one these vulnerabilities, AC is the 1st place I go to gets the real explanation.
  • Can I use it to root my phone? Lol
  • Not sure what to freak out over more. This, or the 27 feet of death snow headed to the northeast. Posted via the Android Central App
  • I heard it was 30
  • I heard 36 inches. Posted via the Android Central App
  • they have settled on roughly 12-18" in philly last I heard,
  • 27 feet or inches? Posted via the Android Central App
  • 27 feet? Lol what is this the great ice age 2.0 or what lol.
  • Not so good to be a Google gangster. Lol. On a serious tip, this is why I buy Nexus. Posted via the Android Central App
  • It's still exploitable with SELinux enabled. They just have to know what they are doing to make it effective to bypass SELinux. Posted via the Android Central App
  • Thanks for the tip about checking kernels.
    Although my phone and tablet are on KitKat, both kernels are 3.4. Posted via the Android Central App
  • Monthly security patch, check. Unknown sources disabled, check. A splash of Jerry awesomeness, check. Thanks for caring about privacy and security, man. Geek On! Unlocked Marshmallow Nexus 6 on Verizon. I'm a happy guy.
  • Sounds like this security flaw is the same one used by these Root Tools you can get to help unlock your phone. The ones that use brute force to get root. I wonder if this is the same way they work. Everyone in the Rom Development forums are complaining that manufacturers and google are locking down the phones, making it more difficult for users to root and do a custom rom. Well maybe, they are just making them more secure (as they should be) and the side effect is a more complicated root process.
  • well while this may be true for rom developers if it's true for them it's also true for big brother, the Chinese, Russian Crime Syndicates, and only God knows who else... I have to agree with a couple posts above... SURE IS GREAT TO HAVE A NEXUS 6P!!!! If google doesn't fix it someone else on xda will!!!! Just say no to closed walled in dev gardens!
  • They're loving this over in CrackBerry. Posted via the Android Central App
  • Galaxy s3 not affected!!! Posted via the Android Central App
  • Umm I wonder if this includes the BlackBerry Priv ?? Any thoughts Posted via the Android Central App
  • The Priv ships with Lollipop, Android 5.0 with SELinux, and should not be vulnerable. EDIT:  Corrected original comment that Android 5.0 was "Marshmallow".  I have Marshmallow on the brain, apparently. Sorry about that.