
Android full-disk encryption is flawed enough for government work

Vulnerabilities on devices with Qualcomm chipsets can allow Android full-disk encryption to be bypassed by malicious actors or law enforcement.

Much has been written about law enforcement fighting Apple for access to encrypted and locked iPhones, but not so much about Android devices. New research showed that may be because Android full-disk encryption can be bypassed by stringing together exploits.

Security researcher Gal Beniamini demonstrated how an attacker could use vulnerabilities in kernel-code-execution handling in the secure element -- TrustZone -- of Qualcomm processors to break Android full-disk encryption. According to Beniamini, the trouble arises due to the way Android uses the hardware key for its full-disk encryption.

"The internal key-derivation function uses an actual hardware key, called the SHK, which would, no doubt, be hard to extract using software, but this is all irrelevant," Beniamini wrote. "Instead of creating a scheme which directly uses the hardware key without ever divulging it to software or firmware, the code above performs the encryption and validation of the key blobs using keys which are directly available to the TrustZone software."

Beniamini discovered he could string together two vulnerabilities to allow code execution in the Qualcomm Secure Execution Environment and escalation of privilege from the QSEE to TrustZone to obtain encryption keys and, ultimately, give an attacker an opportunity to brute-force the device password using those keys.
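To make the design point in Beniamini's quote concrete, here is an added toy model that is not Beniamini's code and not the Qualcomm or Android implementation. It contrasts a KeyMaster that materialises an SHK-derived wrapping key in TrustZone software memory with one that only ever calls into hardware; the names (HardwareRoot, the "keymaster" label), the HMAC construction and the scrypt parameters are assumptions chosen for the model.

```python
import hashlib, hmac, secrets

class HardwareRoot:
    """Stands in for the SHK: a fused secret that software cannot read.
    TrustZone code can only ask it for the two operations below (assumed API)."""
    def __init__(self):
        self.__shk = secrets.token_bytes(32)
    def export_derived_key(self, label: bytes) -> bytes:
        # Flawed pattern: a key derived from the SHK is handed back to software.
        return hmac.new(self.__shk, label, hashlib.sha256).digest()
    def mac(self, label: bytes, data: bytes) -> bytes:
        # Bound pattern: software supplies data and gets a MAC; no key leaves hardware.
        k = hmac.new(self.__shk, label, hashlib.sha256).digest()
        return hmac.new(k, data, hashlib.sha256).digest()

def kdf_stretch(password: str, salt: bytes) -> bytes:
    """Password-stretching step (scrypt parameters are illustrative, not Android's)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**13, r=8, p=1, dklen=32)

def fde_key_software_visible(hw, password, salt, tz_memory):
    """Design the article criticises: the KeyMaster key sits in TrustZone memory."""
    wrap_key = hw.export_derived_key(b"keymaster")
    tz_memory["keymaster_key"] = wrap_key   # readable by anything that runs code in TZ
    return hmac.new(wrap_key, kdf_stretch(password, salt), hashlib.sha256).digest()

def fde_key_hardware_bound(hw, password, salt, tz_memory):
    """Alternative: every derivation calls into hardware; no key-like state is stored."""
    return hw.mac(b"keymaster", kdf_stretch(password, salt))

def offline_recompute(leaked_tz_memory, password, salt):
    """What a party holding only a TrustZone memory dump can compute off the device."""
    k = leaked_tz_memory.get("keymaster_key")
    if k is None:
        return None   # nothing to work with: the derivation needs the device's hardware
    return hmac.new(k, kdf_stretch(password, salt), hashlib.sha256).digest()

def compare_designs(password="1234"):
    """Returns, per design, whether a TZ memory dump is enough to redo the KDF off-device."""
    hw, salt = HardwareRoot(), b"\x00" * 16   # constructed sample values
    mem_a, mem_b = {}, {}
    key_a = fde_key_software_visible(hw, password, salt, mem_a)
    key_b = fde_key_hardware_bound(hw, password, salt, mem_b)
    return {
        "software_visible_recomputable_offline": offline_recompute(mem_a, password, salt) == key_a,
        "hardware_bound_recomputable_offline": offline_recompute(mem_b, password, salt) == key_b,
    }
```

In the first design the password check can be moved off the device once the key is dumped, which is why password length becomes the only remaining defence; in the second, each guess still has to go through the device's hardware.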

Neil Rankin, senior security researcher at Black Duck Software Inc., based in Boston, said one way to mitigate the risk of brute force being successful is to use a better password.

"There is nothing unusual about the brute-force element of this attack, so it would be quick to accomplish for short passwords, longer for larger lengths," Rankin wrote to SearchSecurity.

According to Rankin, Android devices provide users with the following options:

  • Simple PINs, which consist of about four numbers;
  • Swipes, which correspond to the numbers touched in the swipe; or
  • Strong, 16-character alphanumeric passwords.

"A five-character PIN could be cracked in a second or two," Rankin said. "A 16-character PIN would take considerably longer -- up to years, if special characters were included."

While the attack itself is nontrivial, especially if the device has a long, complex password that could withstand a brute-force attack, Beniamini said these vulnerabilities also mean OEMs have the ability to comply with law enforcement orders to break Android full-disk encryption.

"Since the key is available to TrustZone, OEMs could simply create and sign a TrustZone image, which extracts the KeyMaster keys, and flash it to the target device," Beniamini wrote. "This would allow law enforcement to easily brute-force the full-disk encryption password off the device using the leaked keys."

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said law enforcement wouldn't necessarily need the help of OEMs.

"While the process might involve additional steps and could be more time-consuming, the result would be the same, without requiring the OEMs' assistance," Arsene told SearchSecurity. "Since the method could be used by anyone with the right skills, it's safe to assume that law enforcement or any type of attacker would not require the direct assistance of the OEM to break Android full-disk encryption."

The true risk of these vulnerabilities is hard to measure. Although many Android devices use Qualcomm processors, full-disk encryption has only been mandatory on devices that shipped with Android 6.0, and only 10% of devices run Android 6.0, per Google's latest platform numbers.

The two vulnerabilities used by Beniamini have been patched in Google security releases from January 2016 and May 2016, although it is unclear how many devices have received those security updates. But Beniamini said even these patches could be rolled back.

"Even on patched devices, if an attacker can obtain the encrypted disk image (e.g., by using forensic tools), they can then downgrade the device to a vulnerable version, extract the key by exploiting TrustZone and use them to brute-force the encryption," Beniamini wrote. "Since the key is derived directly from the SHK, and the SHK cannot be modified, this renders all downgradable devices directly vulnerable."

Arsene said Beniamini may be understating how difficult such a downgrade would be.

"It's a pretty difficult method, as you would still need an OEM to sign the TrustZone," Arsene said. "However, considering there's a wide range of Android OEMs -- unlike iPhone that is strictly governed by Apple -- it's plausible that law enforcement agencies could collaborate with one of them."


Join the conversation
Does your organization mandate Android full disk encryption on employee devices? Why or why not?
I love these stories. It's nice for us to know what is out there and how it can affect us. On the flip side, if you are up to no good and were looking for new ways to exploit technology, you now know another method. Granted, we are at the mercy of the developer/manufacturer to fix this issue most of the time. In some cases we need to do an update or apply a patch. We know how lazy some of the end users are, and this makes them a prime candidate for an attack.
Well, there goes that "solution" for Android. Perhaps it's time to back off and rethink the entire problem before we deliver another "fix" that isn't. It seems only the data thieves are concerned with encryption and security. And they seem to be doing just fine with it.