More than half of Android phones are vulnerable to encryption bypass

Android logoA newly revealed vulnerability on Android phones is able to bypass the full disk encryption on over half of devices.

The attack, demonstrated by Israeli security researcher Gal Beniamini, can allow an attacker to break through the levels of trust and privileges that are intended to ensure only legitimate code can access secret material, such as DRM keys or disk encryption keys.

Although the attack was patched in the May security update, two-factor authentication specialist Duo Security says that only 43 percent of Android devices are patched and safe from this type of attack, leaving 57 percent still at risk.

From Android 5.0 (Lollipop) onwards the OS automatically protects all of the user's information by enabling full disk encryption based on a Linux Kernel subsystem. It uses a key derived from the user's unlock credentials and bound to the hardware using Android's KeyMaster key store.

More than half of Android phones are vulnerable to encryption bypass

On devices with Qualcomm processors though -- and Qualcomm is one of the biggest suppliers to the Android market -- Beniamini's research shows it's possible to get KeyMaster to execute hijacked system calls and send keys to a shared buffer from which they can be read.

Duo says that users need to ensure their phones are patched -- according to its data the Nexus and Galaxy S6 were the most patched phones at around 75 percent with the Galaxy S5 at 45 percent. For businesses it recommends using an endpoint visibility solution to identify unpatched devices that may be putting corporate data at risk.

The Duo Security blog has more information and there's a full technical description of the attack on Beniamini's own blog.

Source: Betanews

Tags: Android, OSes, security

Add comment

Your name:
Sign in with:
Your comment:

Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party

Last news

The NVIDIA GeForce GTX 1180 will be Turing-based with a 12nm FinFET die shrink
This only works on posts made by profiles that are public
The device will be standalone and based on a Qualcomm chipset
Apple plans on offering a cheaper smart speaker that will be priced at $199
Chrome will adopt a new approach to indicating site security
Data shows they are leading smartphone sale worldwide
Is this an error or it is really happening?
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 /
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /

News Archive



Do you use microSD card with your phone?
or leave your own version in comments (10)