Light Dark
July 6, 2016 By Larry Loeb 2 min read

Android devices contains an OS feature called full-disk encryption (FDE) that aims to increase the overall security of specific hardware. This Android encryption is applied to the entire hard disk on which it resides.

However, a security researcher just figured out a way to extract the key to that encryption from the Qualcomm chips that store it. Gal Beniamini, the Israeli security researcher in question, discussed the vulnerability on his blog, Bits, Please! His research found that a TrustZone kernel vulnerability can be both breached and manipulated on Qualcomm’s chip.

A Nagging Problem

According to Ars Technica, an estimated 37 percent of all Android devices are directly vulnerable because they have yet to apply recent patches that would mitigate the attack. The lack of over-the-air updates and carrier or manufacturer support may be to blame here.

Beniamini told Google about the situation before he posted his blog — in fact, Google already paid him for the exploit discovery through the company’s bug bounty program.

Android has historically been a latecomer to FDE and all its technicalities. Apple handled it well for iOS devices, and its approach is generally considered to be far more robust.

Bigger Implications for Android Encryption

Dan Guido, co-founder and CEO of Trail of Bits, told Ars Technica that he is also more broadly concerned about what the exploit revealed about Android. “What it means is that now you trust a second party, you trust somebody who built the software that holds the key,” he said.

“Maybe people didn’t realize that before, that it’s not just Google that can mess around with the software on your phone, but it’s also [Google partners], and it’s in a very significant way.”

He added that the FDE methods used by Android and iOS are “completely different,” with iOS considered a much more secure option. That’s a pretty clear-cut file system choice.

Apple plans to make its phones even more secure than they have been. The company is so sure that its hardening will work that the iOS kernel was intentionally left unencrypted in the upcoming full release of iOS 10, TechCrunch confirmed. That is stunning and unprecedented — and a sign that Android encryption still has a long way to go.

 |  |  |  |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

November 15, 2024

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

November 14, 2024

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

November 13, 2024

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature