Simple Python script can be used to launch the attack

Jul 1, 2016 15:20 GMT

An attacker can break Android's FDE (Full-Disk Encryption) for devices running on Qualcomm Snapdragon processors, according to independent security researcher Gal Beniamini.

By default, Android FDE, supported since Android Lollipop (5.0), uses a randomly chosen 128-bit Device Encryption Key (DEK), which is additionally encrypted using a value that can be the user's PIN, password, or swipe pattern.

Android uses the DEK to encrypt the files you keep on your smartphone's storage. The PIN, password, or swipe gesture encrypts this key, so that it can be stored on the phone without an attacker being able to grab the DEK and decrypt your files.

Attackers can extract DEK key from QSEE's KeyMaster

This encrypted DEK is stored in the smartphone's KeyMaster module, an area of Android's TrustZone, a special section of the Android kernel that works separately from the rest of the kernel and is tasked with processing the most crucial and sensitive operations, such as those that handle encrypted data.

On Qualcomm-based devices, the KeyMaster module doesn't reside in the OS TrustZone, but in the Qualcomm Secure Execution Environment (QSEE), a custom implementation of TrustZone for Qualcomm chipsets.

Beniamini says that there are many public vulnerabilities (CVE-2016-2431) for the QSEE that can be used to leak the KeyMaster module's content. The researcher says he can load a malicious app in the QSEE that would allow him to gain control of the entire component.

This would enable him to steal the encrypted DEK key, which is not hardware-bound and can be extracted for subsequent off-device brute-force attacks.

DEK key can be brute-forced with simple Python script

For this, he even put together an 88-line Python script that can do the job and brute-force the encrypted DEK key to reveal the actual DEK key that can unlock the user's files. The script is available on GitHub.
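Why an off-device attack on the wrapped key is practical comes down to the size of the credential space. The following added example (not Beniamini's script, and not code from the article) counts the valid swipe patterns and compares credential entropy with the 128-bit DEK. It assumes the stock 3x3 pattern grid with a four-dot minimum; the guess rate is a constructed figure.

```python
import math

# Added illustration, not Beniamini's script: it only measures how small the
# credential space is next to the 128-bit DEK it protects.

# Dots are numbered 1-9 row by row; MIDDLE[(a, b)] is the dot that a straight
# stroke from a to b passes over.
MIDDLE = {}
for a, b, m in [(1, 3, 2), (4, 6, 5), (7, 9, 8), (1, 7, 4),
                (2, 8, 5), (3, 9, 6), (1, 9, 5), (3, 7, 5)]:
    MIDDLE[(a, b)] = MIDDLE[(b, a)] = m


def count_patterns(min_len=4, max_len=9):
    """Count valid 3x3 unlock patterns with a depth-first search."""
    def extend(last, used, length):
        total = 1 if length >= min_len else 0
        if length == max_len:
            return total
        for nxt in range(1, 10):
            mid = MIDDLE.get((last, nxt))
            # A dot cannot repeat, and a stroke may cross a dot only if
            # that dot is already part of the pattern.
            if nxt in used or (mid is not None and mid not in used):
                continue
            total += extend(nxt, used | {nxt}, length + 1)
        return total
    return sum(extend(s, {s}, 1) for s in range(1, 10))


def entropy_bits(space):
    """Bits of entropy if every credential were equally likely."""
    return math.log2(space)


def worst_case_hours(space, guesses_per_second):
    """Hours needed to try every credential at a given guess rate."""
    return space / guesses_per_second / 3600


if __name__ == "__main__":
    ASSUMED_RATE = 1000  # guesses/second; constructed figure, not from the article
    spaces = {"4-digit PIN": 10 ** 4, "6-digit PIN": 10 ** 6,
              "swipe pattern": count_patterns(),
              "8-char alphanumeric password": 62 ** 8}
    for name, space in spaces.items():
        print(f"{name:30} {space:>18,} {entropy_bits(space):5.1f} bits "
              f"{worst_case_hours(space, ASSUMED_RATE):12.2f} h")
    print(f"{'random 128-bit DEK':30} {'2**128':>18} 128.0 bits")
```

Every swipe pattern and short PIN falls below 20 bits, so once the wrapped key can be tested off the device, only a long passphrase keeps the search expensive.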

Fixing this issue is problematic since it requires hardware changes to Qualcomm chips. At this point, all existing devices can be considered compromised if subjected to Beniamini's attack.

"As we've seen, the current encryption scheme is far from bullet-proof, and can be hacked by an adversary or even broken by the OEMs themselves (if they are coerced to comply with law enforcement)," Beniamini writes. "I hope that by shedding light on the subject, this research will motivate OEMs and Google to come together and think of a more robust solution for FDE."

According to Duo Security, 57% of all Android devices in the company's internal data set are vulnerable to this attack. The rest either have Google's May Android security update installed, which patched CVE-2016-2431, or don't use a Qualcomm chip.

"As always, we find the only Android devices that we can recommend without major reservations are Nexus and, now, Samsung devices, provided they keep providing those updates quickly," a Duo spokesperson told Softpedia.

UPDATE [July 1, 2016]: Added statistics from Duo Security.

Beniamini running his Python script, extracting DEK key