A vulnerability exploiting full disk encryption of Qualcomm-based Android smartphones may have been disclosed to Google more than one year prior to the patch issued last May.
A vulnerability exploiting full disk encryption of Qualcomm-based Android smartphones may have been disclosed to Google up to one year prior to the patch issued last May.
In a blog post published last week, security researcher Gal Beniamini outlined the process of breaking Android’s full disk encryption. He has discovered several issues in the implementation of Android’s full disk encryption that would allow an attacker to decrypt an Android device with a Qualcomm chip.
Starting with Android 5.0, Android devices automatically protect all of the user’s information by enabling full disk encryption; however, how each device does that is up to the manufacturer. Android devices powered by Qualcomm chips store their encryption keys in software rather than in hardware. Beniamini said he exploited several weaknesses in Qualcomm’s security and was able to pull the encryption keys off an Android device.
Only Qualcomm now says Google knew about the vulnerabilities in November 2014 and February 2015. Google did issue patches for this vulnerability, but did so in January and May of this year. “Apparently, even though they fixed the issue internally, OEMs [Original Equipment Manufacturers] did not apply the fix (perhaps they forgot or simply missed it),” Beniamini told TechCrunch.
“We appreciate the researcher’s findings and paid him for his work through our Vulnerability Rewards Program. We rolled out patches for these issues earlier this year,” a Google spokesperson told TechCrunch.
“I think just having closer integration with manufacturers could help prevent such issues in the future. It’s not ideal, but I think all parties involved are doing a very good job, it’s just a matter of co-ordinating expectations,” Beniamini said in a memo to TechCrunch.