It’s far from surprising anymore to hear about security glitches in Android but this latest find could potentially compromise the security of hundreds of millions of devices. The flaw has been spotted by Gal Beniamini, a security researcher, who’s found a way to use ARM’s TrustZone kernel code-execution to essentially break Android’s Full Disk Encryption (FDE).
All Android smartphones running on 5.0 Lollipop or later use something called FDE, which makes all the data on your phone unreadable unless you have the unique key needed to decrypt it. This is the similar to the security feature that caused a tussle between the FBI and Apple recently. According to Beniamini’s report, an attacker can potentially exploit certain loopholes in Qualcomm’s security in order to recover that unique encryption key. He also states that the issue cannot be completely resolved with merely a security patch as it might require hardware changes.
FDE is designed to be uncrackable but clearly it’s not as secure as Google hoped. Breaking FDE still requires a brute-force attack but once the attacker has the key, all that’s left is figuring out your password. Beniamini’s research also found that the key is not hardware bound which means it can be extracted by software. He goes on to state that Android’s current FDE is only as strong as the TrustZone kernel. Any vulnerability exploited here could easily compromise the devices encryption and thereby, exposing your private data.
Google says it rolled out patches for this issue earlier this year. Qualcomm says the issue was “identified internally” and fixed, with patches issued to “customers and partners”, but if and when these fixes find their way down to consumer devices out there is anyone’s guess.
Qualcomm’s full statement: “Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies, Inc. (QTI). QTI continues to work proactively both internally as well as with security researchers such as Gal Beniamini to identify and address potential security vulnerabilities. The two security vulnerabilities (CVE-2015-6639 and CVE-2016-2431) discussed in Beniamini’s June 30 blog post were also discovered internally and patches were made available to our customers and partners. We have and will continue to work with Google and the Android ecosystem to help address security vulnerabilities and to recommend improvements to the Android ecosystem to enhance security overall.”