The full-disk encryption protecting your Android can be cracked.
4 July, 2016. \\ Admin

If you have an Android device running 5.0 (Lollipop) or later, and powered by a Qualcomm Snapdragon processor, then you should know that a security researcher demonstrated how to crack the full-disk encryption (FDE) with brute-force attacks; the fix is not necessarily as simple as installing new firmware and might require changes to hardware.
firefox intro
Why I switched back to Firefox

Remember when you ditched Firefox for Chrome and pinkie-swore you’d never go back? Yeah, me too.
Read Now

Full-disk encryption, which is supported on devices running Lollipop on up, is supposed to protect files on the storage drive. Android uses a randomly chosen 128-bit device encryption key which is further encrypted using a user’s PIN, password or swipe pattern. The master key, or Device Encryption Key (DEK), is stored on a user’s device; it is bound to the device’s hardware though Android’s KeyMaster, which runs in the TrustZone. In other words, an attacker should not be able to extract the crypto key for this walled-off and protected section.

But security researcher Gal Beniamini demonstrated how an attacker could use brute-force attacks to extract the key off a locked phone that has a Qualcomm processor. Not only did he show “how TrustZone kernel code-execution can be used to effectively break Android's Full Disk Encryption (FDE) scheme,” he also released the attack code; on GitHub, Beniamini provided both the source code to extract Qualcomm’s KeyMaster keys as well as the Python scripts to brute-force the FDE off the device.

“The key derivation is not hardware bound,” Beniamini explained. “Instead of using a real hardware key which cannot be extracted by software (for example, the SHK), the KeyMaster application uses a key derived from the SHK and directly available to TrustZone.”

It’s not only attackers that could break the encryption on vulnerable devices, according Beniamini. He suggested OEMs might comply with law enforcement to break Android’s full-disk encryption. “Since the key is available to TrustZone, OEMs could simply create and sign a TrustZone image which extracts the KeyMaster keys and flash it to the target device,” he wrote. “This would allow law enforcement to easily brute-force the FDE password off the device using the leaked keys.”

Millions of Androids are reportedly still vulnerable, even though Qualcomm said “patches were made available to our customers and partners,” and Google said it rolled out patches in May and January. Duo Security told Ars Technica that an estimated 37 percent of all Android phones running the Duo app had not yet received the patches.

“Patching TrustZone vulnerabilities does not necessarily protect you from this issue,” Beniamini wrote. “Even on patched devices, if an attacker can obtain the encrypted disk image (e.g. by using forensic tools), they can then ‘downgrade’ the device to a vulnerable version, extract the key by exploiting TrustZone, and use them to brute-force the encryption. Since the key is derived directly from the SHK, and the SHK cannot be modified, this renders all down-gradable devices directly vulnerable.”

Beniamini delved into the technical details which you can check out in full on “Bits, Please!” He concluded:

    As we've seen, the current encryption scheme is far from bullet-proof, and can be hacked by an adversary or even broken by the OEMs themselves (if they are coerced to comply with law enforcement). I hope that by shedding light on the subject, this research will motivate OEMs and Google to come together and think of a more robust solution for FDE.

The Editor.

Other Stories You May Like.

    listening to music during exercise gives your workout boost and make activities less painful

    20 Sept, 2016. \\ Admin

    what is the secret to piecing together the perfect workout playlist? Research suggests that rhythm is the most important factor for the average gym-goer

    Why teenagers become obese at puberty

    9 Sept, 2016. \\ Admin

    In addition, the study also found that teenagers exercise less during puberty, adding to the calorie excess that underlies obesity.

  • Melania and Barron Trump Victorious Over YouTuber

    29 Nov, 2016. \\ Admin

    Fact is ... Barron does not have autism and the video perpetuated the bullying, but the guy behind the video says it will come down

  • YouTuber Gives Official Apology to Melania & Barron Trump

    30 Nov, 2016. \\ Admin

  • Anambra guber: Obiano and battle for second term

    5 Jan, 2017. \\ Admin

    The PDP itself is a formidable party any day in Anambra State and with people like Peter Obi who is alleged to have vowed to ensure

  • Uber Sued, Passenger Says Driver Left Him for Dead

    6 Jan, 2017. \\ Admin

    Adding insult to injury, Joseph says the driver charged him for a 28 minute ride -- and Uber has refused to ID the driver for investigators.

  • Uber Sued After Alleged Wild Ride with Sleepy Driver

    9 Jan, 2017. \\ Admin

    Marisa Hyland says it all went down last summer in NYC, when a driver named June repeatedly averted crashing by

  • 'LHHH' Star Off The Hook In Uber Battery Case

    23 Jan, 2017. \\ Admin

    More good news for Mari ... according to court docs, her $26k bail money was returned. You'll recall ... Mari was a wanted woman

  • Anambra 2017: Guber aspirants to pay N9m before pasting posters

    30 Jan, 2017. \\ Admin

    His words, “Fixing of outrageous fees for party candidates publicity is a sign of government resentment for popular participation

  • Uber CEO drops out of Trump's business advisory council

    3 Feb, 2017. \\ Admin

    Membership on this council is an endorsement of bigotry, period. Thanks to the thousands of activists who protested

  • Cheating French man suing Uber after his wife divorced him

    13 Feb, 2017. \\ Admin

    The notifications, which included the man's pickup and drop-off times and locations, led his wife to discover he was having an affair. The couple have since divorced

  • Lagos Uber drivers take to the streets in protest

    8 May, 2017. \\ Admin

    After a meeting in which all drivers agreed to down tools to express their discomfort with the platform, a decision to also hit the streets of Lagos in a peaceful protests was reached