A security researcher discovered a flaw in how Android devices handle full disk encryption which makes it easier for attackers to gain access to the data.
Google started to implement Full Disk Encryption on Android starting with version 5.0. The idea behind the security feature is to protect data on the device from unauthorized access.
The recent Apple versus the FBI case has shown that full disk encryption can protect data even from powerful organizations. While the FBI managed to gain access to the data eventually, it had to resort to hacking the device instead of beating its full disk encryption implementation.
Android’s disk encryption in a nutshell is derived from the user’s authentication code and a hardware derived key. The disk is decrypted when Android users enter their password.
All of this happens in the background and invisible to the user. Google implemented additional means to improve the security of the data. It introduced delays between password attempts to make brute forcing less useful, and there is even an option to wipe the data after failed decryption attempts.
A security researcher analyzed Android’s full disk encryption implementation recently and came to the conclusion that it is not as secure as it should be.
Flaw in Android Full Disk Encryption
You find all the technical bits of the analysis on this blog, and it is a good read if you are interested in security. The information is highly technical on the other hand and most Android users are probably only interested in what this means for them.
Basically, what it means is that in worst case, Android’s disk encryption hinges on the user’s account password only. The researcher managed to gain code execution privileges within the TrustZone kernel by exploiting two security vulnerabilities discovered in 2014. Qualcomm did create patches for these vulnerabilities.
While you may have thought that this is the case anyway, it is not. Android uses the password to create a strong 2048-but RSA key derived from it instead.
Another takeaway from the analysis is that Qualcomm or OEMs can comply with law enforcement to break the full disk encryption.
Since the key is available to TrustZone, Qualcomm and OEMs could simply create and sign a TrustZone image which extracts the KeyMaster keys and flash it to the target device. This would allow law enforcement to easily brute-force the FDE password off the device using the leaked keys.
Again, recreating the attack requires executing code within the TrustZone kernel which means that creating a modified TrustZone kernel image is not sufficient.
Ultimately, it means that hackers can break Android’s full disk encryption when Qualcomm chips are used, and OEMs or Qualcomm may be coerced to do the same.
The researcher has created a proof of concept script which is available on GitHub, and a brute force script to brute force Android’s full disk encryption off the device.
There is little that users can do about it. Without doubt the best defense is to use a very secure password for the device.