“What If the FBI Tried to Crack an Android Phone?” Researchers Attack a Device to Find the Answer

Apr 19, 2016

Apple’s fight with the FBI over unlocking an iPhone took up a substantial amount of news time over the previous couple of months. Unlike with Apple, however, we haven’t heard much about government agencies trying to crack Android devices. Admittedly, only a small fraction of Android devices has been upgraded to the newer versions of the mobile operating system that enable device encryption similar to iOS. But what if the device involved in the San Bernardino shootings had been running Android? “Would the same technical and legal drama have played out?” two researchers at North Carolina State University asked themselves.


“What if the FBI tried to crack an Android phone?”

TL;DR – we wouldn’t have seen the same level of drama if the phone in question had been running on Android.

Unlike the Apple-FBI saga over encryption and user privacy, we haven’t heard much about government agencies looking to crack Android devices. William Enck and Adwait Nadkarni of NCSU were curious to know what would have happened if the device involved in the San Bernardino shootings had been running Android.

Remember, the government managed to unlock the iPhone 5c without Apple’s help, using support from a grey-hat hacker and possibly other third parties. The researcher duo then tried to replicate on their own Android phone what the FBI wanted to do with the iPhone, and discovered that it was possible to remotely update the device and then unlock the encryption keys on it.

Beyond the fact the Android ecosystem involves more companies, we discovered some technical differences, including a way to remotely update and therefore unlock encryption keys, something the FBI was not able to do for the iPhone 5c on its own.

How could the FBI crack into an Android phone?

Data encryption on devices involves a key that is created by combining a user’s unlock code – the passcode – with a complicated number specific to the individual device. To break into an encrypted phone, an attacker can either crack this key directly, or guess the combination of passcode and device-specific key that produces it.


Since breaking these keys is very difficult, attackers often look for options that avoid code-breaking altogether:

  • The contents are stored on an SD card that isn’t encrypted;
  • The device is rooted;
  • Android’s Backup API has backed up the information, making it accessible directly from the backup site. Whether this works depends on which applications are installed on the phone.

These and some other options are tried first to get into an Android phone without going through the tedious and difficult process of breaking the encryption key. However, “if these options are not available, code-breaking is the remaining way in,” the researchers said. Attackers would then resort to a brute-force attack, trying every possible encryption key until the right one is discovered. Enck and Nadkarni describe two types of brute-force attack that could be employed: offline and online.

Offline and online brute-force attacks

In an offline attack, attackers copy “the data off the device and onto a more powerful computer” and try all the different passcode combinations with specialized software. However, an offline brute-force attack requires trying every single possible encryption key, or every possible user passcode.

To try every potential solution to a fairly standard 128-bit AES key means trying all 100 undecillion (10^38) potential solutions – enough to take a supercomputer more than a billion billion years.

Unlike an offline attack, an online attack targets the mobile device directly. Because an online brute-force attack runs on the phone itself, it doesn’t have to guess the device-specific key, which is already accessible in the device’s firmware. All the attacker now needs is the user’s passcode.

However, “the phone itself can be configured to resist online attacks,” said the researchers. “For example, the phone can insert a time delay between a failed passcode guess and allowing another attempt, or even delete the data after a certain number of failed attempts,” which is what was preventing the FBI from getting inside the iPhone 5c as iOS automatically introduces “increasingly long delays after each failure, and, at a user’s option, wiping the device after 10 passcode failures.”

While iOS resists online brute-force attacks on its devices, what happens on Android phones? To test this, the researchers used a Nexus 4 running stock Android 5.1.1 with full disk encryption enabled. Android imposed a 30-second delay after five failed passcode attempts before allowing further tries. However, the delay didn’t get any longer with subsequent failures. The behavior also differs between Android manufacturers, as some may offer increasing delays similar to iOS.
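To make the difference between the two lock-screen behaviours concrete, here is an added Python model (not the researchers’ code) that computes the worst-case time to walk a 4-digit passcode space under the fixed 30-seconds-per-5-failures policy the article observed, versus a failure cap that wipes the device; the escalating schedule is an assumed doubling curve with a one-hour ceiling, not iOS’s actual one.

```python
# Added example: model how a lock screen's failed-attempt policy bounds an
# online guessing attack. The Android schedule matches the article's
# observation (30 s after every 5 failures, never escalating); the
# escalating schedule is an ASSUMED doubling curve, not iOS's real one.
from typing import Callable, Optional

Policy = Callable[[int], float]  # failures so far -> delay in seconds


def android_observed_delay(failures: int) -> float:
    """Nexus 4 / Android 5.1.1 behaviour reported in the article."""
    return 30.0 if failures % 5 == 0 else 0.0


def escalating_delay(failures: int) -> float:
    """Assumed schedule: 30 s after the 5th failure, doubling to a 1 h ceiling."""
    return 0.0 if failures < 5 else min(3600.0, 30.0 * 2 ** min(failures - 5, 20))


def worst_case_seconds(policy: Policy, keyspace: int, attempt_seconds: float = 1.0,
                       wipe_after: Optional[int] = None) -> Optional[float]:
    """Time to try every passcode when the correct one is guessed last.

    Returns None if a wipe limit stops the search before the space is
    exhausted, i.e. the attacker cannot walk the whole keyspace at all.
    """
    elapsed = 0.0
    failures = 0
    for attempt in range(1, keyspace + 1):
        elapsed += attempt_seconds
        if attempt == keyspace:          # last guess is the correct one
            return elapsed
        failures += 1
        if wipe_after is not None and failures >= wipe_after:
            return None                  # data wiped; search cannot continue
        elapsed += policy(failures)
    return elapsed


def guess_probability(keyspace: int, wipe_after: int) -> float:
    """Chance a uniform guesser succeeds before a wipe-after-N limit fires."""
    return min(1.0, wipe_after / keyspace)


if __name__ == "__main__":
    pins = 10_000  # 4-digit passcode space
    for name, pol in (("android (fixed 30 s)", android_observed_delay),
                      ("escalating (assumed)", escalating_delay)):
        print(f"{name:22s} no cap      : {worst_case_seconds(pol, pins) / 3600:.1f} h")
        print(f"{name:22s} wipe after 10: {worst_case_seconds(pol, pins, wipe_after=10)}")
    print(f"P(success before wipe) = {guess_probability(pins, 10):.4f}")
```

The fixed 30-second delay alone keeps a 4-digit space within a working day, whereas a failure cap makes exhaustive guessing impossible and leaves the guesser a 0.1% chance.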

The researchers noted that iOS and Android behave similarly where offline attacks are concerned, but differ for online brute-force attacks. They also said that the biggest difference between the two mobile operating systems arises when remote control software is used. “Android security may also be weakened by remote control software, depending on the software used,” said Enck and Nadkarni.

Android has a more secure default for online attacks at start-up, but our Nexus 4 did not allow the user to set a maximum number of failed attempts from the lock screen (other devices may vary). Devices running iOS have both of these capabilities, but a user must enable them manually in advance.

If the FBI needed to hack into an Android phone, it would face a “more diverse landscape.” Unlike iPhones, whose software is signed only by Apple, Android devices are built and sold by many companies, including Google and its OEM and carrier partners. Instead of relying on a single company, the FBI could have tried to persuade whichever company signs the software, since that company has the potential to “include a ‘back door’ or other entry point for an attacker who had secured the company’s assistance.” That would be necessary only if the FBI couldn’t get into the Android device itself.

By building their own Mobile Device Management (MDM) application for their Android device, the researchers were able to reset the passcode without the user’s consent. While the FBI failed to “gain access to the iPhone 5c by resetting the password this way, we were successful with a similar attack on our Android device,” the researchers concluded.