If you have an Android device running 5.0 (Lollipop) or later, and powered by a Qualcomm Snapdragon processor, then you should know that a security researcher demonstrated how to crack the full-disk encryption (FDE) with brute-force attacks; the fix is not necessarily as simple as installing new firmware and might require changes to hardware.
Security researcher Gal Beniamini demonstrated this unexpected flaw in Android encryption, as Network World explains. Full-disk encryption is available on devices running Android 5.0 Lollipop or later, and the attack works on phones that are powered by Qualcomm processors. Full-disk encryption (FDE) is supposed to encrypt the device with 128-bit device encryption. Decrypting should be impossible without knowing the PIN, password or gesture that protects the device.
The Device Encryption Key (DEK) found on the device is bound to that device through Android’s KeyMaster, which runs in the TrustZone. But Beniamini proved that he could brute-force his way into extracting the key off a locked phone, and he provided the tools necessary to do it on Github.
“The key derivation is not hardware bound,” Beniamini said. “Instead of using a real hardware key which cannot be extracted by software (for example, the SHK), the KeyMaster application uses a key derived from the SHK and directly available to TrustZone.”
He continued, “Since the key is available to TrustZone, OEMs could simply create and sign a TrustZone image which extracts the KeyMaster keys and flash it to the target device. This would allow law enforcement to easily brute-force the FDE password off the device using the leaked keys.”
It appears that millions of Android devices are still vulnerable. Qualcomm and Google have patched the issue with updates in May and January, but many users haven’t yet received the patch.
Even once the fix is installed, the patches will not offer full protection. “If an attacker can obtain the encrypted disk image (e.g. by using forensic tools), they can then ‘downgrade’ the device to a vulnerable version, extract the key by exploiting TrustZone, and use them to brute-force the encryption,” the researcher said. “Since the key is derived directly from the SHK, and the SHK cannot be modified, this renders all down-gradable devices directly vulnerable.”
Beniamni also goes over Apple’s approach to FDE, which is apparently pretty good at keeping your data safe. We are going to take a more summarized look at both systems.
Each iDevice has a unique 256-bit key that cannot be modified, called a Unique Identification Number (UID). It is randomly generated and basically fused in to the device’s hardware at the factory. This key is bound to the device’s hardware and is completely inaccessible to both software and firmware, meaning that even Apple cannot extract it from the device once it’s been set. The UID is also used in combination with the user’s password, in order to generate an encryption key which effectively “tangles” the device-specific key and the user’s password. This complicates the matters for would-be attackers a lot, as it necessitates the use of the device itself for each cracking attempt, which in itself allows Apple to introduce a myriad of other measures – such as an incrementally increasing delay between subsequent password guesses – to further mitigate brute-force attacks.
“That’s significantly different than how iOS works,” Dan Guido, an expert in mobile device encryption and the founder and CEO of security consultancy Trail of Bits, told Ars. “What it means is that now you trust a second party, you trust somebody who built the software that holds the key. Maybe people didn’t realize that before, that it’s not just Google that can mess around with the software on your phone, but it’s also [Google partners], and it’s in a very significant way.”
“Google has always been behind on full disk encryption on Android. They have never been as good as the techniques that Apple and iOS have used. They’ve put all their cards in this method based on TrustZone and based on the keymaster, and now it’s come out how risky that is. It exposes a larger amount of attack surface. It involves a third party in the full disk encryption, and all this extra software that handles this key could potentially have bugs that allow an attacker to read it back out. Whereas on iOS it’s very simple. It’s just a chip. The chip is the Secure Enclave, and the Secure Enclave communicates via this thing they call the[interrupt-driven] mailbox. And that basically means you put really simple data in on one end, and you get really simple data out the other end. And there’s not a lot else that you can do with it.
These two approaches are completely different. [On iOS] there’s no software to exploit to read the hardware key. On Android they expose the full-disk encryption key to a fairly complex piece of software this researcher has exploited.”
Matt Green, a Johns Hopkins University professor specializing in encryption, agreed. The problem the FBI had after seizing an encrypted iPhone belonging to a gunman who killed 14 and wounded 22 in San Bernardino, California, was that the forensics experts had no way to remove the underlying UID key from the device. That meant the password that locked the key could only be cracked by entering it on the device itself, a slow and cumbersome process that risked triggering a built-in data-wiping feature.
“The way Apple builds their phone is they actually build that UID key into the silicon of the device so even if they can push a software update they can never actually extract it from the device short of using an electron microscope or something like that,” Green explained. “It sounds like in the Qualcomm TrustZone, that’s not true.”
Beniamini said he wouldn’t be surprised if TrustZone implementations from chipmakers other than Qualcomm contain similar vulnerabilities.
“The design of the FDE key-derivation function is conducive to that, and I believe it was only meant to keep encryption keys on devices (keymaster’s original purpose), not to safeguard FDE,” he explained.
The take-away from the research is that Android’s full-disk encryption still provides meaningful protection as long as people use a strong password. But everything else being equal, iPhone disk encryption is probably more secure. Yes, the FBI was ultimately able to break the disk encryption on the San Bernardino shooter’s phone, but unlike the case with Android, that technique has yet to be made public, and it applied only to an older iPhone that didn’t have Secure Enclave. By contrast, an estimated one-third of Android phones are vulnerable to publicly released exploit code, and a much larger slice can be unlocked with the assistance of its manufacturers. For the truly paranoid, iOS is arguably a better bet.