Android devices have gotten more secure over the years with security being a prominent focus for many OEMs as well as Google. As things like encryption are built into devices and monthly security patches continue to be sent out to them, the nature of Android as an operating becomes safer and continues to stay relatively secure. This doesn’t mean that there aren’t or won’t be possible flaws and vulnerabilities within the system currently or in the future. One such example were vulnerabilities discovered by security researcher Gal Beniamini that puts millions of Android devices running on Qualcomm processors at risk due to an issue with the Full Disk Encryption, which, resides on Android devices that run Android 5.0 Lollipop and above.
The flaw, which made Full Disk Encryption susceptible to Brute-Force attacks, had to do with TrustZone kernel flaws on Qualcomm processors and could have potentially affected millions of devices, although it is worth noting that Qualcomm as well as Google both point out that the flaws were also discovered internally and patches have been sent out to customers and partners, with Google highlighting that the January 2016 security patch and the May 2016 security patch addressed the issues outlined in Beniamini’s post from yesterday, regarding vulnerability CVE-2015-6639, and vulnerability CVE-2016-2431. Although the updates for these patches have been sent out, this also doesn’t mean that every device has received the updates yet that patch these risks, at least for the update sent out in May, as it’s highly likely that all devices have the update from January that patched the CVE-2015-6639 vulnerability.
Had these issues not been patched, and during the time that they weren’t, it could have been possible for hackers to execute a Brute-Force attack that would allow them to potentially access personal data on an encrypted device should they figure out the password, as the attack would given them the unique encryption key they would need to decrypt the device. Without a Brute-Force attack method, the unique key would not be available and the data on the device would stay encrypted. While these vulnerabilities were listed as critical on both of Google’s Nexus security bulletins from January and May, according to Google these have been fixed, displaying that both Google and Qualcomm went to work quickly after each vulnerability was discovered.