Android Encryption is Much Weaker Than iOS – Millions of Devices Exploitable


Earlier in the year, during the Apple and FBI fight over encryption, many were surprised that there was no mention of Android or Google in the heated debate. Yes, the case centered on an iPhone, and yes, Android only started offering encryption with Android 5.0 Lollipop, which isn't running on many devices. But going forward, it should bother law enforcement agencies the way iOS does. It turns out that Android's full disk encryption can be broken with brute force and a little patience.

Android's full disk encryption can be cracked

We all showered accolades on Google for finally stepping up and thinking about user security and privacy when it first introduced full disk encryption. But as always, its lack of control over the devices that are powered by Android is proving to be its downfall. New research has revealed several methods that can be used to extract keys off an encrypted Android device. These methods work against an estimated 37% of enterprise users, even after the patch.

Security researcher Gal Beniamini has now revealed that it is possible to strip away encryption protections on Android smartphones that are powered by Qualcomm's Snapdragon processors.

"Maybe people didn't realize that before, that it's not just Google that can mess around with the software on your phone, but it's also [Google partners], and it's in a very significant way." - Dan Guido

How is it done...

Full Disk Encryption (FDE) randomly generates a 128-bit master key and a 128-bit salt to protect data on an Android device. The master key is protected by a device encryption key (DEK) based on user details: PIN, password, etc. This DEK is then stored alongside the encrypted file system in the smartphone's flash storage chips. Enter the correct PIN, password or touch screen and the DEK is decrypted and used to unlock the file system. Like Apple, Android also imposes delays between decryption attempts and wipes data after a number of failed attempts.

However, in contrast to iOS, Qualcomm-powered Android devices store the disk encryption keys in software, leaving them vulnerable to a myriad of attacks that can pull these keys off a device and then load them off-site for password cracking. Technically, no one should be able to launch off-device brute-force attacks, because the key should be bound to the hardware. However, Qualcomm apparently hasn't followed this brief.

The binding of this key to the hardware is performed through a hardware-backed keystore called KeyMaster. KeyMaster is implemented by the hardware vendor. The researcher discovered that, using Android vulnerabilities (CVE-2015-6639, CVE-2016-2431), it was possible to extract keys from TrustZone, where Qualcomm has implemented the KeyMaster.

This FDE scheme relies on the KeyMaster module to 'bind' the key to the hardware of the device. My research has shown that this 'binding' can actually be circumvented on Qualcomm's devices. It could be the case that this is also possible on devices made by other SoC manufacturers.

For those not interested in the technical details, this essentially means that Qualcomm and OEMs can comply with law enforcement to break Full Disk Encryption. They can simply extract the KeyMaster keys using Android vulnerabilities and then move on to brute-force the PIN or password using the stolen keys.
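The role of the hardware-bound step can be seen in a small model of the scheme described above. This is an added example, not code from the article, the researcher or Android: the function names, the use of scrypt as the KDF, the HMAC standing in for the KeyMaster operation, the XOR key wrap and the small cost parameters are all assumptions chosen for illustration, and all sample values are constructed.

```python
import hashlib
import hmac
import math
import os
import time

def _scrypt(secret: bytes, salt: bytes) -> bytes:
    # Small cost parameters so the demo runs quickly (assumed, not Android's values).
    return hashlib.scrypt(secret, salt=salt, n=2**10, r=8, p=1, dklen=32)

def derive_kek(credential: str, salt: bytes, hw_key: bytes) -> bytes:
    """Credential -> KDF -> hardware-keyed step -> KDF, giving the key-wrapping key."""
    ik1 = _scrypt(credential.encode(), salt)
    ik2 = hmac.new(hw_key, ik1, hashlib.sha256).digest()  # stand-in for KeyMaster
    return _scrypt(ik2, salt)

def wrap(master_key: bytes, kek: bytes) -> bytes:
    """Toy key wrap: XOR with the KEK plus an integrity tag (not a real cipher mode)."""
    body = bytes(a ^ b for a, b in zip(master_key, kek))
    return body + hmac.new(kek, body, hashlib.sha256).digest()

def unwrap(blob: bytes, kek: bytes):
    body, tag = blob[:16], blob[16:]
    if not hmac.compare_digest(tag, hmac.new(kek, body, hashlib.sha256).digest()):
        return None  # wrong credential or wrong hardware key
    return bytes(a ^ b for a, b in zip(body, kek))

def keyspace_bits(alphabet: int, length: int) -> float:
    return length * math.log2(alphabet)

def worst_case_seconds(alphabet: int, length: int, secs_per_guess: float) -> float:
    """Time to try every credential when no on-device delay or wipe applies."""
    return (alphabet ** length) * secs_per_guess

if __name__ == "__main__":
    salt, hw_key, master = os.urandom(16), os.urandom(32), os.urandom(16)
    blob = wrap(master, derive_kek("4821", salt, hw_key))
    # While hw_key stays inside the hardware, the derivation cannot be repeated elsewhere.
    assert unwrap(blob, derive_kek("4821", salt, os.urandom(32))) is None
    # Once hw_key is known, the same derivation gives the same result anywhere.
    assert unwrap(blob, derive_kek("4821", salt, hw_key)) == master
    t0 = time.perf_counter()
    derive_kek("0000", salt, hw_key)
    cost = time.perf_counter() - t0
    for name, a, n in [("4-digit PIN", 10, 4), ("6-digit PIN", 10, 6), ("10-char mixed", 62, 10)]:
        print(f"{name}: {keyspace_bits(a, n):.1f} bits, {worst_case_seconds(a, n, cost):.3g} s")
```

With the on-device delays and wipes out of the picture, only the size of the credential's keyspace and the cost of the KDF remain, which is why a longer password is the mitigation left to the user.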

This is not the first time that Qualcomm has specifically been highlighted for potentially causing security nightmares for Android users. Only a couple of months back we saw a serious information disclosure vulnerability in the Qualcomm tethering controller that allowed hackers to gain access to private user data. To the company's credit, it is quick to respond and fix the issues.

However, the latest encryption issue is not that simple to fix and "might require hardware changes." Android has fixed the exploited security holes, but we all know how fast those fixes reach devices, if ever. This means that there won't be any full disk encryption on millions of Android devices powered by Qualcomm and possibly other SoCs too. Beniamini has said that he is sharing his research to "motivate OEMs and Google to come together and think of a more robust solution for FDE," and possibly launch "truly uncrackable" next generation Android devices. For those who hate these findings: use a stronger password or move to iOS.