Qualcomm-powered Android devices found to have faulty full disk encryption
Google's Android platform has had its problems with security in the best, but a number of encryption features have been built into the software, as well as hardware, in recent years, significantly improving the situation. Unfortunately things are still far from perfect, as security researcher Gal Beniamini has discovered a vulnerability that leaves the Full Disk Encryption feature at risk to brute force attacks.
This is said to affect as many as hundreds of millions of Android devices, but what's really surprising is that those with Qualcomm processors — even newer flagship models — are seen as the most vulnerable.
It seems the source of the security issue lies within the combination of Android kernel flaws and Qualcomm chips, although any smartphone running Android 5.0 or later and using full disk encryption is said to be at risk. But what makes the situation worse is that while both Google and Qualcomm have released patches recently addressing these issues, Beniamini's report says there are still some holes that can't be fixed without new hardware.
Full disk encryption is a feature that keeps all of a device's data secure by making it unreadable without a unique key. The recent legal battle between Apple and the FBI was centered on that fact, and that not even Apple has access to users' encryption keys. Unfortunately, Beniamini details that even with this feature, the Android vulnerabilities could allow a hacker to get that key. From there, all that's left is a user's password.
The silver lining in all this is that Beniamini is working with both Google and Qualcomm to come up with a solution, and that it's still highly unlikely for most Android users to be at risk of an attacker using this method. For one, a brute-force attack would still need to be pulled of to get passed the password, otherwise the encryption key won't work.
The real importance in this news lies in the fact that Android's full disk encryption isn't quite as full-proof as it seems, and that other processor and hardware makers learn from this to prevent repeats of such flawed security.
SOURCE Gal Beniamini/Bits Please