Full disk encryption vulnerabilities discovered in Qualcomm-powered Android devices

Full disk encryption vulnerabilities discovered in Qualcomm-powered Android devices
Independent security researcher Gel Beniamini recently discovered a vulnerability in Android's full-disk encryption (FDE) on devices with Qualcomm chips, even newer ones used in flagship models. In a blog post published Thursday, Beniamini outlines how crypto keys could be extracted from a locked handset via a brute-force attack.

The problem lies in both the hardware and software compartments, as Android stores the disk encryption keys in software, which makes them vulnerable to extraction on Qualcomm-powered devices due to two oversights in ARM's TrustZone – hardware-based security built into SoCs by semiconductor chip designers before they are distributed to the device manufacturers. The blog post also includes the exploit code capable to execute code within the TrustZone kernel and thus, to extract cryptographic keys, which can then be cracked in numerous different ways.

Beniamni also goes over Apple's approach to FDE, which is apparently pretty good at keeping your data safe. We are going to take a more summarized look at both systems.

Each iDevice has a unique 256-bit key that cannot be modified, called a Unique Identification Number (UID). It is randomly generated and basically fused in to the device's hardware at the factory. This key is bound to the device's hardware and is completely inaccessible to both software and firmware, meaning that even Apple cannot extract it from the device once it's been set. The UID is also used in combination with the user's password, in order to generate an encryption key which effectively “tangles” the device-specific key and the user's password. This complicates the matters for would-be attackers a lot, as it necessitates the use of the device itself for each cracking attempt, which in itself allows Apple to introduce a myriad of other measures – such as an incrementally increasing delay between subsequent password guesses – to further mitigate brute-force attacks.

Android's FDE on the other hand, is based on a Linux Kernel subsystem called dm-crypt, which is widely deployed and researched, which is definitely a good thing. The system is actually quite robust with its encryption scheme, but is unfortunately only as strong as the encryption key employed to protect the information. In short, a device running Android 5.0 or later generates a random 128-bit master key and a 128-bit salt key. The master key is protected by an elaborate key derivation scheme, which involves the user's unlock credentials to derive a key which ultimately decrypts the master key. The master key is then stored on the device, inside a special – and unencrypted – structure called the “crypto footer”, and which can be extracted in a number of different ways. It's not that simple, granted, but it's possible, since the key derivation is not hardware bound.

The worst part is, Beniamini claims, that patching TrustZone vulnerabilities does not necessarily protect users from this issue, as even on patched devices, hackers can still obtain the encrypted disk image which can be used to roll the device back to a vulnerable version, extract the key by exploiting TrustZone, and crack the key.

While both vulnerabilities have apparently already been fixed earlier this year, some independent sources have reported estimates that the majority of devices out there are still vulnerable, as they haven't received the latest security patches.

Having said all that, Beniamini claims that regular users are not likely to fall victim to such an attack, as the protection scheme involved is elaborate enough to not make it worthwhile for would-be attackers. Enterprise Android users on the other hand, are still at risk. Beniamini is currently working with both Google and Qualcomm to come up with a solution to the issue and we can only hope for the best.

source: Gel Beniamini via ARS Technica

FEATURED VIDEO

11 Comments

1. ph00ny

Posts: 2026; Member since: May 26, 2011

2. Podrick

Posts: 1284; Member since: Aug 19, 2015

+1. Was gonna post the same thing. PA, its not funny anymore!

6. marorun

Posts: 5029; Member since: Mar 30, 2015

If you say a lie often enuf its will become true in the head of many.

8. ph00ny

Posts: 2026; Member since: May 26, 2011

I think this is one many instances of the reposted article by different writers. I guess no one is reading/approving these articles before they get posted?

9. marorun

Posts: 5029; Member since: Mar 30, 2015

Or Maybe they do but ignore it for some articles..

3. BobbyBaster

Posts: 28; Member since: Mar 07, 2016

Android vulnerable as ever. Can't say I'm surprised.

7. submar

Posts: 713; Member since: Sep 19, 2014

Tim forgot to drive you back to your pen??

4. Barney_stinson

Posts: 672; Member since: May 30, 2016

Oh geez!! Save us from terrorist! That stupid encryption

5. marorun

Posts: 5029; Member since: Mar 30, 2015

128 bit encryption would only take millions of year to break. All you have to do is use fingerprint or a very complex password. Iphonearena at its best! http://security.stackexchange.com/questions/31726/why-so-long-to-break-128-bit-encryption Sure Apple one is even harder to break at 256 bit but anyway even with a super computer you cant brute force 128 bit unless someone put a short easy password ( then even apple can get crack if the user dont use good password/finger print) Love those pathetic article thats praise apple using lies! :)

10. TechieXP1969

Posts: 14967; Member since: Sep 25, 2013

Who would even need to worry about this?

11. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

Businesses

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.