Android Handsets Vulnerable Due To Flawed Full Disk Encryption

According to report published by Neowin, hackers can use break into tens of millions of Android powered mobile devices by way of full disk encryption, thanks to a series of security flaws associated with Android kernel issues and Qualcomm chips. Gal Beniamini, a security research, discovered the flaws while working with Google and Qualcomm in fixing the issues. Despite the fact that a few of the issues have already been addressed, there are a certain number that may not be fully fixed, instead requiring new hardware. 

Mobile devices that are powered by Android 5.0 or newer version utilizes full disk encryption. This is the same security tool involved in Apple’s recent spat with the Federal Bureau of Investigation (FBI). Through full disk encryption, all information that is saved in a handset is rendered undetectable without a unique encryption key. Virtually all if not most Android handsets make use of this security tool, but as uncovered by Beniamini, hackers can take advantage of kernel flaws and vulnerabilities in some of Qualcomm’s security measures in order to grab hold of that encryption key. When that happens, the only thing protecting a handset from a hacker is a password.

In order to fully breach the security measures of an Android powered device, hackers will still need brute force and other hacking methods. Because of that, the full disk encryption flaw is not considered an immediate security threat by many. Moreover, in order for a hacker to be successful, the manufacturers of devices themselves would have to directly change something in the software -- the odds of that happening is really low. However, the vulnerability is notable for users who tend to put their entire faith in full disk encryption.

Qualcomm have since released a statement regarding the flaw. As reported by Engadget, the chip maker revealed that the two security vulnerabilities, specifically CVE-2015-6639 and CVE-2016-2431, were also detected by Qualcomm internally, and patches were rolled out to its customers and partners. As for Google, the tech giant has also issued its own statement, saying that it has deployed patches for these issues earlier in 2016.

As the world’s most widely used mobile operating system, Android is the biggest target for hackers. No OS is ever perfect and impenetrable, and Google’s has its own share of vulnerabilities. Some may remember that back in October of last year, two new Stagefright bugs were reported. These bugs had the potential of putting every Android powered handset out there at risk.