A vulnerability has been discovered in Android’s full-disk encryption (FDE) on devices running Qualcomm chips, and this includes the latest flagships as well.
Google’s struggles with the security of its smartphone operating system, Android, are well documented. And things just got worse for the platform. The latest vulnerability involves both hardware and software elements in an Android phone. According to a report published by independent security researcher Gal Beniamini, the fault lies with the way Android’s disk encryption keys are stored on phones running Qualcomm’s Snapdragon processors.
Disk encryption is a feature that is enabled in Android phones by default. But Beniamini suggests that on phones running the Qualcomm chips, these data security keys are stored within the software itself. This means that just like most other data stored within the operating system, these encryption keys are also potentially vulnerable to malicious attacks which can be designed to pull those keys from a device. Once a hacker has access to those keys, it is only a matter of time before they are used for password cracking. Any Android phone running Android 5.0 or later enforces full-disk encryption by default. This is designed to make all the data stored on the device unreadable unless someone has the encryption keys. But the kernel flaws in the software, and vulnerabilities in some of Qualcomm’s security measures linked to the hardware, might make it easier for hackers to get access to that encryption key. However, even after getting that key, the hacker will still need to get past the password wall, which would still require a time-consuming brute force attack.
This means that millions of Android phones are potentially at risk, with enterprises perhaps a bit more worried about data security than normal consumers. Incidentally, Beniamini had been in touch with Google and Qualcomm about the potential fixes for this vulnerability, and Google released a patch to fix the software side of things in the May security update. However, Qualcomm’s hands may be tied because it may actually require new hardware to fix the hardware-based issue. The two-factor authentication service, Duo Security, suggests that “57% of Android phones (are) vulnerable to the latest attack.” The reason for that is the delay by smartphone makers in patching phones with the monthly security updates that Google releases at the beginning of every month.
At present, Google’s own Nexus devices as well as most of Samsung’s recent Galaxy flagship phones are patched with the latest security updates, which means they are more secure than phones which do not yet have the May security update. This means the Nexus 6 (made by Motorola), the Nexus 6P (made by Huawei) and the Nexus 5X (made by LG) are patched up. In fact, our Huawei Nexus 6P phone also has the 1 June security patch, which is the latest release by Google. That is the big advantage of Nexus phones: the software updates are not delayed by manufacturers or operators, and Google/Huawei will support security patches beyond 2017 for the Nexus 6P, for example. Data from Duo Security suggests that 75% of Galaxy S6 devices globally are up to date, for example, which shows that Samsung is being a bit more attentive to rolling out updates for its phones than most other phone makers.
There are basic differences between the way Google’s Android enforces encryption and the way Apple deploys the same security feature in iOS devices. Each iOS device, such as an iPhone, generates a unique 256-bit key that cannot be modified. This is called a Unique Identification Number (UID). It is integrated into the device’s hardware during the manufacturing process itself, and is bound to the device’s hardware. This key cannot be accessed through the software, and even Apple cannot extract it. This is exactly what Apple was arguing about during its very public spat with the Federal Bureau of Investigation (FBI) over how to access the data from San Bernardino shooter Syed Rizwan Farook’s iPhone 5c.