Android Ecosystem’s Full Disk Encryption Jeopardized

PUBLISHED BY
Carrie Ann



5 years ago




The Android ecosystem is the latest to face security glitches, and the vulnerability could potentially compromise the security of hundreds of millions of devices. According to Gal Beniamini, a security researcher and a member of Qualcomm’s Product Security Hall of Fame, those looking to purchase an Android device should only consider buying a Samsung or a Nexus device.


That’s because 57 percent of devices in the Android ecosystem have still not received timely updates, even though Google addressed the issue in the May security update, which fixes a security flaw affecting smartphones and users’ privacy. Except for Google and Samsung, OEMs have not been able to release the monthly security patch for their devices. The vulnerability found by Beniamini uses ARM’s TrustZone kernel code-execution to substantially break Android’s Full Disk Encryption (FDE).

Android smartphones running 5.0 Lollipop or later use FDE, which makes all the content on the phone unreadable unless the user has the special key required to decrypt it. This is quite similar to the security feature that was the bone of contention between Apple and the FBI recently.

An estimated 75 percent of the Nexus and Galaxy S6 smartphones have received patches, which is crucial because of a large user base of 5,00,000 phones. Meanwhile, Galaxy S5 has also surged to almost 45 percent from the previous 0.2 percent in January.

In testing of a wide range of smartphones by Duo Labs, only Nexus and Samsung Galaxy devices displayed considerably enhanced security measures when compared to other competing smartphones. Hence, from a security perspective, researchers like Beniamini have suggested brands like the latest Samsung Galaxy and Nexus devices.

According to Beniamini’s report, by exploiting the CVE-2016-2431 flaw, attackers could potentially use the discrepancy in Qualcomm’s security to recover that unique encryption key. They can also easily navigate through the levels of trust and privileges, which allows them to access encrypted data on smartphones. He further stated that the vulnerability cannot be sorted out completely with just a security patch, as it may also require hardware changes.

Full Disk Encryption (FDE) is designed to be impenetrable; however, it is certainly not as secure as Google expected it to be. Decoding FDE still needs a brute-force attack, but once the attacker gets hold of the key, all that remains is finding out the password. The research also found that the key is not always tied to the hardware, meaning it can be extracted too. Currently, Android’s FDE is only as strong as the TrustZone kernel, according to Beniamini. Any loopholes exploited here could easily endanger the device’s encryption and thereby expose the private content.

According to Google, the company rolled out security updates beginning this year. Qualcomm, on the other hand, stated that the issue was sorted out internally with patches issued to customers and partners.

According to Qualcomm, the company gives utmost importance to security and privacy and continues to work proactively both internally as well as with security researchers to manage potential security threats. It further said that the company will work with Google and the Android ecosystem to identify and address flaws and to suggest improvements and boost the overall security.


Carrie Ann
Carrie Ann is Editor-in-Chief at Industry Leaders Magazine, based in Las Vegas. Carrie covers technology, trends, marketing, brands, productivity, and leadership. When she isn’t writing she prefers reading. She loves reading books and articles on business, economics, corporate law, luxury products, artificial intelligence, and latest technology. She’s keen on political discussions and shares an undying passion for gadgets.
