The full disk encryption used to safeguard information stored on Google Android devices can be broken, an independent researcher has found.
Gal Beniamini spent several years analysing the TrustZone platform found on Qualcomm chipsets, and used that knowledge to run code that can extract the encryption keys used to scramble stored data on Android devices.
The researcher discovered that encryption keys derived from the TrustZone feature could be extracted by software and cracked by brute force outside the Android devices, thus bypassing security mechanisms that limit the number of password guesses that can be made.
Beniamini reported the vulnerabilities to Google and Qualcomm, and both have been patched in recent versions of Android.
However, the researcher said it could be possible to roll back patched versions of Android and extract the encryption keys for the storage.
Fixing the flaw could require a redesign of Qualcomm's TrustZone to make it harder to access encryption keys through software, Beniamini said.
Beniamini won a Google bug bounty for finding the encryption flaw. He earnt himself a mention in Qualcomm's Security Hall of Fame in 2014 for finding another vulnerability in TrustZone that allowed for arbitrary code execution.
He is a former researcher with the Israeli Defence Forces.