Design flaw breaks Android storage encryption

Low-level attack makes it possible to extract encryption keys.

The full disk encryption used to safeguard information stored on Google Android devices can be broken, an independent researcher has found.

Gal Beniamini spent several years analysing the TrustZone platform found on Qualcomm chipsets, and utilised previously gained knowledge to run code that is able to extract the encryption keys used to scramble stored data on Android devices.

The researcher discovered that encryption keys derived from the TrustZone feature could be extracted by software and then cracked by brute force off the device, bypassing the security mechanisms that limit the number of password guesses that can be made.

Beniamini reported the vulnerabilities to Google and Qualcomm, and both have been patched in recent versions of Android.

However, the researcher said it could be possible to roll back patched versions of Android and extract the encryption keys for the storage.

Fixing the flaw could require a redesign of Qualcomm's TrustZone to make it harder to access encryption keys through software, Beniamini said.

Beniamini won a Google bug bounty for finding the encryption flaw. He earnt himself a mention in Qualcomm's Security Hall of Fame in 2014 for finding another vulnerability in TrustZone that allowed for arbitrary code execution.

He is a former researcher with the Israeli Defence Forces.
