July 6, 2016 By Larry Loeb 2 min read

Android devices contains an OS feature called full-disk encryption (FDE) that aims to increase the overall security of specific hardware. This Android encryption is applied to the entire hard disk on which it resides.

However, a security researcher just figured out a way to extract the key to that encryption from the Qualcomm chips that store it. Gal Beniamini, the Israeli security researcher in question, discussed the vulnerability on his blog, Bits, Please! His research found that a TrustZone kernel vulnerability can be both breached and manipulated on Qualcomm’s chip.

A Nagging Problem

According to Ars Technica, an estimated 37 percent of all Android devices are directly vulnerable because they have yet to apply recent patches that would mitigate the attack. The lack of over-the-air updates and carrier or manufacturer support may be to blame here.

Beniamini told Google about the situation before he posted his blog — in fact, Google already paid him for the exploit discovery through the company’s bug bounty program.

Android has historically been a latecomer to FDE and all its technicalities. Apple handled it well for iOS devices, and its approach is generally considered to be far more robust.

Bigger Implications for Android Encryption

Dan Guido, co-founder and CEO of Trail of Bits, told Ars Technica that he is also more broadly concerned about what the exploit revealed about Android. “What it means is that now you trust a second party, you trust somebody who built the software that holds the key,” he said.

“Maybe people didn’t realize that before, that it’s not just Google that can mess around with the software on your phone, but it’s also [Google partners], and it’s in a very significant way.”

He added that the FDE methods used by Android and iOS are “completely different,” with iOS considered a much more secure option. That’s a pretty clear-cut file system choice.

Apple plans to make its phones even more secure than they have been. The company is so sure that its hardening will work that the iOS kernel was intentionally left unencrypted in the upcoming full release of iOS 10, TechCrunch confirmed. That is stunning and unprecedented — and a sign that Android encryption still has a long way to go.

More from

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Ransomware attack on Rhode Island health system exposes data of hundreds of thousands

3 min read - Rhode Island is grappling with the fallout of a significant ransomware attack that has compromised the personal information of hundreds of thousands of residents enrolled in the state’s health and social services programs. Officials confirmed the attack on the RIBridges system—the state’s central platform for benefits like Medicaid and SNAP—after hackers infiltrated the system on December 5, planting malicious software and threatening to release sensitive data unless a ransom is paid. Governor Dan McKee, addressing the media, called the attack…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today