Design flaw breaks Android storage encryption

By

Low-level attack makes it possible to extract encryption keys.

The full disk encryption used to safeguard information stored on Google Android devices can be broken, an independent researcher has found.

Design flaw breaks Android storage encryption

Gal Beniamini spent several years analysing the TrustZone platform found on Qualcomm chipsets, and utilised previously gained knowledge to run code that is able to extract the encryption keys used to scramble stored data on Android devices.

The researcher discovered that encryption keys derived from the TrustZone feature could be extracted by software and cracked by brute force outside the Android devices, thus bypassing security mechanisms that limit the number of password guesses that can be made.

Beniamini reported the vulnerabilities to Google and Qualcomm, and both have been patched in recent versions of Android.

However, the researcher said it could be possible to roll back patched versions of Android and extract the encryption keys for the storage.

Fixing the flaw could require a redesign of Qualcomm's TrustZone to make it harder to access encryption keys through software, Beniamini said.

Beniamini won a Google bug bounty for finding the encryption flaw. He earnt himself a mention in Qualcomm's Security Hall of Fame in 2014 for finding another vulnerability in TrustZone that allowed for arbitrary code execution.

He is a former researcher with the Israeli Defence Forces.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Qantas facing 'significant' data theft after cyber attack

Qantas facing 'significant' data theft after cyber attack

Home Affairs officer accessed data on "friends and associates"

Home Affairs officer accessed data on "friends and associates"

Qantas contacted by "potential cyber criminal"

Qantas contacted by "potential cyber criminal"

SA Power Networks tackles IAM, cloud security under five-year strategy

SA Power Networks tackles IAM, cloud security under five-year strategy

Log In

  |  Forgot your password?