Qualcomm Snapdragon Vulnerability Could Lead to Brute-Force Android Breach

snapdragonOn the cusp of the new Android N (Nougat) OS update release, it turns out there is a full disk encryption breach which can be broken through brute force. It can also take immense patience, but a determined hacker may be able to strip away, layer by layer, the encryption protections on all smartphones powered by Qualcomm Snapdragon processors.

Now, Android has a security feature called Full Disk Encryption (FDE), which first came around at the Android 5.0 update. This security feature randomly generates a 128-bit master key and a 128-bit salt that protects user data.  Also known as the Device Encryption Key (DEK), the master key is designed to protect all encryption that is based on the user’s credentials—via PIN, password, or touchscreen pattern.

Once the system forms the key, it becomes encrypted on the device.

Now, this is still just a code, which means it can be vulnerable to brute force breaches, which is basically just repeated trial and error attempts. As such, Android also introduced delays between failed log in attempts which makes the brute force process arduous and extremely time consuming.  Furthermore, to prevent off-device, brute-force attacks, this key is bound to the device’s hardware.

That is where the flaw exists, apparently.

Basically, this binding of the key to the hardware is performed via Android’s Hardware-Backed Keystroke system called KeyMaster. It is a module which operates within a Trusted Execution Environment (TEE), considered by the system to be the “secure world” while the Android OS is considered to be the “non-secure world.”

All of this coding is done within the system so it is tough to crack. However, the Android KeyMaster implementation depends on hardware vendor specifications and Qualcomm runs through the Snapdragon “TrustZone,” which the company provides through a Trusted Execution Environment they call the Qualcomm Secure Execution Environment (or QSEE).

Unfortunately, it is quite possible to exploit an Android vulnerability that will allow you to load your own QSEE app within the TrustZone. This can then lead to an escalation of privileges that allows for hijacking of the full space in addition to theft of all the unencrypted data.  Once you achieve this vulnerability, then, you can begin the much simpler (if not time-consuming) brute-force attack to break into the device (actually millions of devices).

Of course, Qualcomm is working on a fix but, because of the complex hardware-based nature of this vulnerability, a simple fix may be difficult.