A security researcher was able to easily nullify Android’s full disk encryption that is utilized by millions of devices.
According to Techspot, the implementation of full disk encryption on Google’s Android mobile operating system has been an important step forward in terms of security and personal privacy. However, the security measure is not fail proof, as security researcher Gal Beniamini discovered.
Neowin explains that in order to encrypt files, alongside a user’s PIN, password or pattern, Android uses a strong 2048-bit RSA key. Brute force attacks are nearly impossible, due to the key’s strength. However, by utilizing Android kernel flaws, plus flaws in select Qualcomm security measures, an attacker could obtain the key and circumvent full disk encryption.
All an attacker would need in order to gain access to your data at that point is the user’s password. That may not be too difficult to achieve, given the poor password practices of most users.
Fortunately, Beniamini is not a hacker and the security researcher has been working with both Google and Qualcomm to fix some of the flaws. A Qualcomm representative said in a statement to Engadget that the two security vulnerabilities discussed by Beniamini were also discovered internally. Partners and customers have already been given access to patches.
A spokesperson for Google declared that the company appreciates the researcher’s findings and he was paid for his discovery through their Vulnerability Rewards Program. Earlier this year, Google also rolled out patches for the Android’s full disk encryption vulnerability issues.
The full disk encryption is used by any phone running on Android 5.0 or later versions. Apple’s recent fight with the FBI involved the same security feature.
Even if a few of the full disk encryption flaws have already been addressed, some of the issues may not be patchable. In this case, in order to avoid security flaws, Android users may instead need new hardware.