
Hacker exposes weak full-disk encryption on millions of Android phones

An estimated one-third of Qualcomm-based Android phones are vulnerable to publicly released exploit code

A cybersecurity researcher in Israel exposed a critical flaw in Google’s Android operating system that can be exploited to decrypt a device. What’s more, the researcher posted the exploit code on the internet and revealed several methods to extract crypto keys off a locked handset.

After a federal judge mandated that Apple provide the FBI a custom firmware file that would unlock the iPhone of the San Bernardino shooter in 2015, researchers began to look into the key differences in how hard it is to attack the cryptographic security functions of iOS and Android phones, and found that it was far easier to hack into an Android than an Apple smartphone.

A blog post published by Gal Beniamini, an independent Israeli researcher working with Google and Qualcomm, revealed that, in stark contrast to the iPhone's iOS, Qualcomm-powered Android devices store the disk encryption keys in software. Because the keys are exposed to attack, hackers could extract the key from the device and upload it to a server cluster, field-programmable gate array, or supercomputer optimized for super-fast password cracking. Beyond hacks, the design also makes it possible for phone manufacturers to assist law enforcement agencies in unlocking an encrypted device.

In his post, Beniamini included the exploitation code that extracts the disk encryption keys by exploiting two vulnerabilities in TrustZone, a collection of security features within the ARM processors Qualcomm sells to manufacturers. By stitching together the exploits, the attack code is able to execute code within the TrustZone kernel, which manages cryptographic keys and protects hardware. Beniamini’s proof-of-concept attack was part of a research effort to uncover security flaws in the software.
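The design point above, that full-disk encryption is only as strong as the secrecy of the key material the secure world holds, can be shown with a small model. The following Python is an added example written for this article; it is not Beniamini's code and not Qualcomm's KeyMaster API. It assumes a constructed scheme in which the disk key is the user's PIN run through a password KDF and then bound, inside a simulated secure world, to a device secret that is never supposed to leave. The `export_secret` method stands in for the effect of the TrustZone compromise described in the article; everything else (the PBKDF2 cost, the attempt limit, the verifier layout) is an assumption chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy model (assumption, not Qualcomm's design): the disk key is
# PBKDF2(PIN) bound with HMAC to a secret that should exist only in the secure
# world. Iteration count is kept low so the example runs in well under a second;
# real systems use a far higher cost.
PBKDF2_ITERATIONS = 200


def software_kdf(pin, salt):
    """Password-derived part of the key: anyone holding the salt can compute it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, 32)


class SecureWorld:
    """Models the TrustZone side. _device_secret must never be exported."""

    def __init__(self, attempt_limit=5):
        self._device_secret = secrets.token_bytes(32)
        self.attempt_limit = attempt_limit
        self.attempts = 0

    def bind(self, software_key):
        """Hardware binding: mixes in the secret the normal world cannot read."""
        return hmac.new(self._device_secret, software_key, hashlib.sha256).digest()

    def derive_on_device(self, pin, salt):
        """The only path a sound design exposes: rate limited by the secure world."""
        if self.attempts >= self.attempt_limit:
            raise PermissionError("attempt limit reached; secure world refuses to derive")
        self.attempts += 1
        return self.bind(software_kdf(pin, salt))

    def export_secret(self):
        """Stands in for the effect of a secure-world compromise: the binding secret leaks."""
        return self._device_secret


def provision(sw, pin):
    """Set up the 'encrypted volume': returns (salt, verifier) as stored on flash."""
    salt = secrets.token_bytes(16)
    key = sw.bind(software_kdf(pin, salt))
    verifier = hashlib.sha256(key).digest()
    return salt, verifier


def offline_search(salt, verifier, candidates, leaked_secret=None):
    """Offline guessing against the stored verifier.

    Returns the matching PIN or None. Without the binding secret the bound key
    cannot be computed at all, so no guess can be checked off the device; with
    it, the verifier becomes an ordinary offline password-hash target.
    """
    if leaked_secret is None:
        return None
    for pin in candidates:
        key = hmac.new(leaked_secret, software_kdf(pin, salt), hashlib.sha256).digest()
        if hmac.compare_digest(hashlib.sha256(key).digest(), verifier):
            return pin
    return None


def on_device_search(sw, salt, verifier, candidates):
    """Guessing through the secure world: returns (pin_or_None, attempts_made)."""
    tried = 0
    for pin in candidates:
        try:
            key = sw.derive_on_device(pin, salt)
        except PermissionError:
            return None, tried
        tried += 1
        if hmac.compare_digest(hashlib.sha256(key).digest(), verifier):
            return pin, tried
    return None, tried


ALL_PINS = [f"{i:04d}" for i in range(10_000)]  # constructed 4-digit PIN space

if __name__ == "__main__":
    sw = SecureWorld()
    salt, verifier = provision(sw, "4271")  # constructed sample PIN
    print(offline_search(salt, verifier, ALL_PINS))                      # None: secret not available
    print(offline_search(salt, verifier, ALL_PINS, sw.export_secret()))  # '4271': key was extractable
    print(on_device_search(sw, salt, verifier, ALL_PINS))                # (None, 5): attempt limit holds
```

The three calls at the bottom are the whole argument: as long as the binding secret stays inside the secure world, the only place a PIN can be tested is on the device, where the attempt limit applies; once that secret is readable from software, the verifier on flash can be attacked off the device at whatever speed the attacker's hardware allows, and the PIN's entropy is all that is left.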

While both Google and Qualcomm were quick to note that both of the vulnerabilities involved — indexed as CVE-2015-6639 and CVE-2016-2431 — have since been patched, Beniamini said that “many Android devices that were once vulnerable but later patched [including a Nexus 6 he tested] can be rolled back to their earlier, unprotected state.” The rollback capacity means that with slightly more work, an attacker can exploit many devices even after they have been patched. Furthermore, an estimated 37% of all Android phone users have not yet received the patch and remain susceptible to attack.

For those concerned about the immediate security of their phone, any attack on an Android device would still require brute force and additional hacking methods to recover the user’s password. With that said, the vulnerability is notable for those who put their complete trust in full-disk encryption.

Sources: Ars Technica, Engadget
