All Full-Disk Encryption isn’t Created Equal

For a while I’ve been guarded when recommending Android devices to friends. The only devices I’ve been willing to recommend are those like the Google Nexus line that receive regular security updates in a timely manner. However, after this little fiasco I don’t know if I’m willing to recommend any Android device anymore:

Privacy advocates take note: Android’s full-disk encryption just got dramatically easier to defeat on devices that use chips from semiconductor maker Qualcomm, thanks to new research that reveals several methods to extract crypto keys off of a locked handset. Those methods include publicly available attack code that works against an estimated 37 percent of enterprise users.

A blog post published Thursday revealed that in stark contrast to the iPhone’s iOS, Qualcomm-powered Android devices store the disk encryption keys in software. That leaves the keys vulnerable to a variety of attacks that can pull a key off a device. From there, the key can be loaded onto a server cluster, field-programmable gate array, or supercomputer that has been optimized for super-fast password cracking.

[…]

Beniamini’s research highlights several other previously overlooked disk-encryption weaknesses in Qualcomm-based Android devices. Since the key resides in software, it likely can be extracted using other vulnerabilities that have yet to be made public. Beyond hacks, Beniamini said the design makes it possible for phone manufacturers to assist law enforcement agencies in unlocking an encrypted device. Since the key is available to TrustZone, the hardware makers can simply create and sign a TrustZone image that extracts what are known as the keymaster keys. Those keys can then be flashed to the target device. (Beniamini’s post originally speculated QualComm also had the ability to create and sign such an image, but the Qualcomm spokeswoman disputed this claim and said only manufacturers have this capability.)

Apple designed its full-disk encryption on iOS very well. Each iOS device has a unique key referred to as the device’s UID that is mixed with whatever password you enter. In order to brute force the encryption key you need both the password and the device’s UID, which is difficult to extract. Qualcomm-based devices rely on a less secure scheme.

But this problem has two parts. The first part is the vulnerability itself. Full-disk encryption isn’t a novel idea. Scheme for properly implementing full-disk encryption have been around for a while now. Qualcomm not following those schemes puts into question the security of any of their devices. Now recommending a device involves both ensuring the handset manufacturers releases updates in a timely manner and isn’t using a Qualcomm chipset. The second part is the usual Android problem of security patch availability being hit or miss:

But researchers from two-factor authentication service Duo Security told Ars that an estimated 37 percent of all the Android phones that use the Duo app remain susceptible to the attack because they have yet to receive the patches. The lack of updates is the result of restrictions imposed by manufacturers or carriers that prevent end users from installing updates released by Google.

Apple was smart when it refused to allow the carriers to be involved in the firmware of iOS devices. Since Apple controls iOS with an iron fist it also prevents hardware manufacturers from interfering with the availability of iOS updates. Google wanted a more open platform, which is commendable. However, Google failed to maintain any real control over Android, which has left uses at the mercy of the handset manufacturers. Google would have been smart to restrict the availability of its proprietary applications to manufacturers who make their handsets to pull Android updates directly from Google.