Researcher Extracts Encryption Keys From Qualcomm Powered Android Devices

Paul Balo by Paul Balo
July 4, 2016
in Service news

A researcher has found a vulnerability in Android’s Full Disk Encryption (FDE) on devices that use Qualcomm’s chips. In a blog post published on Thursday, Gal Beniamini, an Israeli researcher, started by drawing attention to the stark difference between iOS encryption, which the FBI eventually broke, and Qualcomm-powered Android devices, which store encryption keys in software. At the heart of the research, according to Ars Technica, are two vulnerabilities, CVE-2015-6639 and CVE-2016-2431, which Google and Qualcomm both say they have fixed, the first in January and the second in May, and for which they paid the researcher through their bug bounty programs.

“But researchers from two-factor authentication service Duo Security told Ars that an estimated 37 percent of all the Android phones that use the Duo app remain susceptible to the attack because they have yet to receive the patches. The lack of updates is the result of restrictions imposed by manufacturers or carriers that prevent end users from installing updates released by Google.

What’s more, Gal Beniamini, the independent Israeli researcher who authored the blog post and wrote the exploit code, said that many Android devices that were once vulnerable but later patched—including a Nexus 6 he tested—can be rolled back to their earlier, unprotected state. He suspects the reversion is possible if a device has an unlocked, or unlockable….. researcher that published the post included exploit code that extracts the disk encryption keys by exploiting two vulnerabilities in TrustZone. TrustZone is a collection of security features within the ARM processors Qualcomm sells to handset manufacturers. By stitching together the exploits, the attack code is able to execute code within the TrustZone kernel, which is an enclave dedicated for sensitive operations such as managing cryptographic keys and protecting hardware.”

Commenting further on the strength of encryption of Apple’s iOS devices and Qualcomm powered Android devices, the researcher said “each device has an immutable 256-bit unique key called the UID, which is randomly generated and fused into the device’s hardware at the factory. The key is stored in a way which completely prevents access to it using software or firmware (it can only be set as a key for the AES Engine), meaning that even Apple cannot extract it from the device once it’s been set. This device-specific key is then used in combination with the provided user’s password in order to generate the resulting encryption key used to protect the data on the device. This effectively ‘tangles’ the password and the UID key.”

So even though the American government, through the FBI, was able to break into the iPhone 5C of the suspected San Bernardino terrorist after reportedly paying a sum of $1m, it is still very difficult to break into newer iPhones. This is not to say that Android FDE can easily be broken; it just means you would need a really strong password.

Here are four conclusions from Beniamini’s research, in case you don’t want to go through the entire write-up:

  • The key derivation is not hardware-bound: it does not use a real hardware key that cannot be extracted by software (for example, the SHK). This means the weakness is software-based, which raises the exposure of millions of devices.
  • OEMs (original equipment manufacturers) can comply with law enforcement to break Full Disk Encryption. Since the key is available to TrustZone, OEMs could simply create and sign a TrustZone image that extracts the KeyMaster keys and flash it to the target device. This would allow law enforcement to brute-force the FDE password off the device using the leaked keys. Brute force was practically impossible in the FBI-Apple case, where the FBI tried out many methods.
  • Patching TrustZone vulnerabilities does not necessarily protect you from this issue. Even on patched devices, if an attacker can obtain the encrypted disk image (e.g. by using forensic tools), they can then “downgrade” the device to a vulnerable version, extract the key by exploiting TrustZone, and use it to brute-force the encryption. Since the key is derived directly from the SHK, and the SHK cannot be modified, this leaves all downgradable devices directly vulnerable.
  • Android FDE is only as strong as the TrustZone kernel or KeyMaster. A vulnerability in the TrustZone kernel or in the KeyMaster trustlet leads directly to disclosure of the KeyMaster keys, thus enabling off-device attacks on Android FDE.
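The “tangling” of the password with a device key quoted above, and the first conclusion that Android’s derivation is not hardware-bound, come down to one design property: whether the per-device secret can leave the hardware. The Python below is an added illustration, not Beniamini’s exploit code and not the real Android FDE or iOS key hierarchy. The construction (HMAC tangling, PBKDF2 stretching, an XOR-wrapped master key with an HMAC tag) and the `HardwareBoundKeystore` class are teaching simplifications assumed for the example; the only point they demonstrate is that a disk image alone is useless while the secret stays in hardware, and that the moment the secret is extractable every password guess can be checked off the device.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Added example, not code from the article or from Android/iOS: a simplified model of how
# a user password is "tangled" with a per-device secret to protect a disk encryption key.
# The construction (HMAC tangling, PBKDF2 stretching, XOR wrapping with an HMAC tag) is a
# teaching simplification, not the real Android FDE or iOS key hierarchy.

KDF_ITERATIONS = 20_000  # kept low so the example runs quickly; real FDE uses far more work


def derive_fde_key(password: str, device_secret: bytes, salt: bytes) -> bytes:
    """Tangle the password with the device secret, then stretch the result.

    Without the exact device secret, even the correct password yields an unrelated key,
    which is what makes a fused, non-extractable secret (the article's UID/SHK) valuable.
    """
    tangled = hmac.new(device_secret, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", tangled, salt, KDF_ITERATIONS, dklen=32)


class HardwareBoundKeystore:
    """Models a fused hardware key: callers may ask for a derivation using the secret
    but can never read the secret itself out of the object."""

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self._secret = secret if secret is not None else secrets.token_bytes(32)

    def derive(self, password: str, salt: bytes) -> bytes:
        return derive_fde_key(password, self._secret, salt)


def create_encrypted_disk(keystore: HardwareBoundKeystore, password: str, master_key: bytes) -> dict:
    """Wrap a 32-byte disk master key under the derived key.

    The returned header is what a forensic image of the flash would contain: salt,
    wrapped key and integrity tag. The device secret itself is not stored anywhere.
    """
    salt = os.urandom(16)
    fde_key = keystore.derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, fde_key))
    tag = hmac.new(fde_key, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_master_key(header: dict, fde_key: bytes) -> Optional[bytes]:
    """Return the disk master key if fde_key is correct, otherwise None."""
    expected = hmac.new(fde_key, header["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(header["wrapped"], fde_key))


def unlock_on_device(header: dict, keystore: HardwareBoundKeystore, password: str) -> Optional[bytes]:
    """The legitimate path: derivation runs inside the device, so every guess must go
    through the device and is subject to its rate limits and wipe policy."""
    return unwrap_master_key(header, keystore.derive(password, header["salt"]))


def check_candidates_offline(header: dict, candidates, leaked_secret: bytes) -> Optional[str]:
    """What the article's off-device attack reduces to once the KeyMaster key has leaked:
    derivation no longer needs the device, so password strength is the only defence left.
    Returns the matching candidate, or None when none matches or the secret is wrong."""
    for candidate in candidates:
        fde_key = derive_fde_key(candidate, leaked_secret, header["salt"])
        if unwrap_master_key(header, fde_key) is not None:
            return candidate
    return None


if __name__ == "__main__":
    keystore = HardwareBoundKeystore()
    master_key = secrets.token_bytes(32)
    header = create_encrypted_disk(keystore, "correct horse", master_key)
    print("on-device unlock, right password:", unlock_on_device(header, keystore, "correct horse") == master_key)
    print("on-device unlock, wrong password:", unlock_on_device(header, keystore, "wrong") is None)
    # A disk image alone, without the device secret, gives nothing even with the right password.
    image_only = derive_fde_key("correct horse", b"\x00" * 32, header["salt"])
    print("image only, secret unknown:", unwrap_master_key(header, image_only))
```

The two unlock paths make the article’s point concrete: while the secret stays inside `HardwareBoundKeystore`, every guess has to pass through `unlock_on_device` and therefore through whatever rate limiting and wipe policy the device enforces. Once the same secret is available as bytes, `check_candidates_offline` runs the identical derivation on any machine, and the password’s entropy is all that stands between a forensic image and the master key. That is why a patched TrustZone does not help if the device can be downgraded and the secret re-extracted.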

Vulnerabilities in the Android operating system have been the subject of much research; some findings have been acknowledged by Google, which issued a fix and eventually paid a bounty to the researcher, while others have not been as successful. Again, this is not to say that Android by itself is the problem; it is almost always third-party devices, as in this research, or apps through which hackers get into Android-run devices.

Paul Balo is the founder of TechBooky and a highly skilled wireless communications professional with a strong background in cloud computing, offering extensive experience in designing, implementing, and managing wireless communication systems.