
Image credit: Flickr/王馬文

Millions of Android devices have flawed full disk encryption

Those running on Qualcomm processors are particularly vulnerable.

Hackers can use brute force to break into tens of millions of Android devices using full disk encryption, thanks to a series of security issues linked specifically to Android kernel flaws and Qualcomm processors, Neowin reports. The vulnerabilities were uncovered by security researcher Gal Beniamini, who is working with Google and Qualcomm to patch the problems -- and some of the flaws have already been addressed. However, a few of the issues may not be patchable, instead requiring new hardware, the report says.

Any phone using Android 5.0 or later uses full disk encryption, the same security feature at the heart of Apple's recent fight with the FBI. Full disk encryption makes all data on a device unrecognizable without a unique key. Even though modern Android devices use this security feature, Beniamini's research found that an attacker can exploit kernel flaws and vulnerabilities in some of Qualcomm's security measures to get that encryption key. Then, all that stands between the hacker and a device's information is a password.

Since any attack on an Android device would still require brute force and additional hacking methods, this isn't an immediate security threat for a majority of users. Plus, in order for an attack to work in this case, device manufacturers themselves would have to directly modify the software, which is unlikely to happen. But the vulnerability is notable for those who put their complete trust in full disk encryption.

We've reached out to Qualcomm for comment on the flaw and will update this story as the company responds.

Update: A Qualcomm spokesperson gave Engadget the following comment:

"Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies, Inc. (QTI). QTI continues to work proactively both internally as well as with security researchers such as Gal Beniamini to identify and address potential security vulnerabilities. The two security vulnerabilities (CVE-2015-6639 and CVE-2016-2431) discussed in Beniamini's June 30 blog post were also discovered internally and patches were made available to our customers and partners. We have and will continue to work with Google and the Android ecosystem to help address security vulnerabilities and to recommend improvements to the Android ecosystem to enhance security overall."

Update 2: A Google spokesperson provided Engadget the following statement:

"We appreciate the researcher's findings and paid him for his work through our Vulnerability Rewards Program. We rolled out patches for these issues earlier this year."
