Google’s implementation of full disk encryption on its Android mobile operating system was an important step forward in terms of personal privacy and security. But as security researcher Gal Beniamini discovered, however, it’s not fail proof.
As Neowin explains, Android uses a strong 2048-bit RSA key alongside a user’s PIN, password or pattern to encrypt files. The key’s strength makes brute-force attacks nearly impossible but by utilizing flaws in select Qualcomm security measures plus Android kernel flaws, an attacker could obtain the key and thus, nullify full disk encryption.
At that point, all an attacker would need to gain access to your data is your password. Given the poor password practices of most, that may not be too difficult to ascertain.
Fortunately, Beniamini isn’t a nefarious hacker and has been working with both Qualcomm and Google to rectify some of the flaws.
In a statement to Engadget, a Qualcomm representative said the two security vulnerabilities discussed in Beniamini’s post were also discovered internally and patches were made available to customers and partners.
Similarly, a spokesperson for Google said they appreciate the researcher’s findings and paid him for his work through their Vulnerability Rewards Program. What’s more, they also rolled out patches for the issues earlier this year.
The bad news, however, is that the core of the problem may be unpatchable without new hardware.
Full details on the vulnerabilities can be found in Beniamini’s blog post.