The Android ecosystem is the latest to face security glitches, and the vulnerability could potentially compromise the security of hundreds of millions of devices. According to Gal Beniamini, a security researcher and a member of Qualcomm’s Product Security Hall of Fame, those looking to purchase an Android device should only consider buying a Samsung or a Nexus device.
That’s because 57 percent of devices in the Android ecosystem have still not received timely updates, even though Google addressed the issue in the May security update, which fixes a security flaw affecting smartphones and users’ privacy. Except for Google and Samsung, OEMs have not been able to release the monthly security patch for their devices. The vulnerability found by Beniamini uses ARM’s TrustZone kernel code execution to substantially break Android’s Full Disk Encryption (FDE).
Android smartphones running on 5.0 Lollipop or later use FDE, which makes all the content on the phone obscure unless the user has the special key required to decrypt it. This is quite similar to the security feature that was the bone of contention between Apple and the FBI recently.
An estimated 75 percent of the Nexus and Galaxy S6 smartphones have received patches, which is crucial because of a large user base of 5,00,000 phones. Meanwhile, Galaxy S5 has also surged to almost 45 percent from the previous 0.2 percent in January.
In Duo Labs’ testing of a wide range of smartphones, only Nexus and Samsung Galaxy devices displayed considerably enhanced security measures when compared to other competing smartphones. Hence, from a security perspective, researchers like Beniamini have suggested devices such as the latest Samsung Galaxy and Nexus models.
According to Beniamini’s report, by exploiting the CVE-2016-2431 flaw, attackers can possibly exploit the discrepancy in Qualcomm’s security in order to recover that unique encryption key. They can also easily navigate through the levels of trust and privileges, which allows them to access encrypted data in smartphones. He further stated that the vulnerability cannot be sorted out completely with just a security patch, as it might also require hardware changes.
Full Disk Encryption (FDE) is basically designed to be impenetrable; however, it is certainly not as secure as Google expected it to be. Decoding FDE still needs a brute-force attack, but once the attacker gets hold of the key, all that remains is finding out the password. The research also found that the key is not always tied to the hardware, meaning it can be extracted too. Currently, Android’s FDE is only as strong as the TrustZone kernel, according to Beniamini. Any loopholes exploited here could easily endanger the device’s encryption, thereby exposing the private content.
According to Google, the company rolled out security updates beginning this year. Qualcomm, on the other hand, stated that the issue was sorted out internally with patches issued to customers and partners.
According to Qualcomm, the company gives utmost importance to security and privacy and continues to work proactively both internally as well as with security researchers to manage potential security threats. It further said that the company will work with Google and the Android ecosystem to identify and address flaws and to suggest improvements and boost the overall security.