Cracking Android's full-disk encryption is easy on millions of phones – with a little patience

Android's full-disk encryption on millions of devices can be cracked by brute-force much more easily than expected – and there's working code to prove it. Essentially, if someone seizes your Qualcomm Snapdragon-powered phone, they can potentially decrypt its file system's contents with a friendly Python script without knowing …

  1. allthecoolshortnamesweretaken

    Well, that's good news. For the FBI, etc.

    1. NoneSuch Silver badge
      Big Brother

      During WW2 the best Enigma code was the equivalent of 88 bit and could be broken using mechanical machines in under 24h.

      Today, 75 years later, our encryption standard is 256 bit (or less), while our computing power has scaled logarithmically beyond our wildest dreams.

      The US gov says AES 256 is all any of us needs and outlaws anything stronger from being circulated. And no one sees the inherent flaw in this.

      1. Anonymous Coward

        You do realize

        That 256 bit encryption is not 3x stronger than 88 bit, but rather 374,144,419,156,711,147,060,143,317,175,368,453,031,918,731,001,856 times stronger, right? Assuming no weakness in AES is found that seriously compromises its strength, and no true quantum computers appear, AES-256 will likely be secure for our lifetime. Certainly for the lifetime of the phone you are carrying today.

        Besides, worrying about compromise of AES-256 letting someone decrypt your phone's filesystem, when there are a metric shitload of exploits against it that can do all that and more, is rather pointless.

      2. Crazy Operations Guy

        The Enigma was easy to crack, not because of key length, but because the message was in a well-defined format, the key was re-used for all messages during a day and was used for communications in both directions, message length was limited to 250 characters (and only 26 characters at that), and the plain-text was predictable (A ship out on patrols would only be sent so many different messages).

        The Enigma suffered from many, many flaws that key length was the least of them.

      3. asdf

        nitpicking

        Though I agree with the gist of what you are saying I have to nitpick.

        >88 bit and could be broken using mechanical machines in under 24h.

        As mentioned by the other poster truly random inputs to well implemented 88 bit encryption could not be defeated in a day in the 1940s. It's questionable if it could be broken today in a day.

        >while our computing power has scaled logarithmically

        I think you meant to say exponentially as logarithmically means the computing power would have flat lined pretty soon after.

        >The US gov says AES 256 is all any of us needs and outlaws anything stronger from being circulated.

        They outlawed math? For the paranoid ChaCha20 is also 256 bit (size due to technical reasons not legal) and the NSA had nothing to do with its creation (part of why Google is pushing it). Basically until quantum computers become a thing or somebody proves factorization is not NP hard 256 bit will probably suffice. Its domain is probably larger than the number of atoms, photons and even neutrinos in the observable universe combined.

        1. asdf

          Re: nitpicking

          Not saying that more than 256 bit should be illegal by the way and in fact I don't believe it is unless you try to export it to one of the bad guy countries. Even then considering the bleeding edge of encryption theory is coming out of Belgium we only have to worry if they don't allow import which AFAIK is not the case. Links would be great if I am incorrect.

        2. You aint sin me, roit

          Re: nitpicking

          "Basically until quantum computers become a thing or somebody proves factorization is not NP hard 256 bit will probably suffice."

          AES is a symmetric algorithm, nothing to do with the factorization of big numbers.

          The asymmetric RSA algorithm cited was using a 2048 bit key. "Probably" good for a couple of years...

  2. Mikel
    Black Helicopters

    The lock on the front door

    It's not there to hold back a foreign invasion. It's there to discourage casual passers-by from raiding the refrigerator.

  3. Anonymous Coward

    Now you know ..

    .. why the FBI has never publicly tried to force Google to cough up some code to break it.

    Besides, why ruin a cosy friendship?

  4. This post has been deleted by its author

  5. Gene Cash Silver badge

    DRM

    Note that a vulnerability in a large complex DRM module (Widevine) was the crowbar used to crack things open. The DRM leaves a much bigger attack surface. Nice.

    These are going to be attacked anyway, to break the DRM. Attacking your device is just a tasty, tasty biscuit on top.

  6. Gene Cash Silver badge

    Wrong info

    "If you're running a Nexus device or otherwise have received and installed the fixes from Google and Qualcomm, then you're safe"

    NO, you're not! As noted in the end of the linked article: "for some reason, the fix was not applied to Nexus devices"

    1. Vic

      Re: Wrong info

      > NO, you're not! As noted in the end of the linked article: "for some reason, the fix was not applied to Nexus devices"

      Besides - if the attacker is sufficiently-motivated and has physical access to a device, that which has been fixed can be un-fixed...

      Vic.

  7. Doogie Howser MD
    Thumb Up

    Extra marks

    For the usage of a picture of Vinz Clortho. Bravo!

    "Would you like some coffee, Mr Tully?"

  8. JeffyPoooh
    Pint

    Yep.

    "But... there's always a but." and "(...there will be more. There always is)..."

    Yep. Those observations are why it never actually takes "10^77 years" to hack gadgets.

    Thank you.

  9. eJ2095

    Too much Keymaster..

    Wonder if the backdoor password is "Gozer"

  10. Rimpel

    inevitably weak pin/password

    Android uses the same pin/password for FDE as the lock screen. Due to the inconvenience of having to enter the code every time you unlock your phone it is likely to be weak so brute forcing the FDE should be trivial.

    1. ACZ

      Re: inevitably weak pin/password

      Exactly. Just need to know what kind of screen lock is enabled (pattern, PIN, password, fingerprint) and in most cases the set of combinations to brute-force reduces very significantly. So, effectively, pattern, PIN, are now totally compromised on most devices (well... they weren't exactly strong in the first place). Most passwords will be similarly compromised.

      Don't know how fingerprints are processed to convert across to a numerical form for the crypto, but I do wonder whether fingerprint or an appropriately long/complex password are the only realistic options now.

      Also wonder how this affects Blackphone etc.

      1. oneeye

        Re: inevitably weak pin/password

        So long as Black Phone updates their operating system, the exploits have already been patched in AOSP Code. But, it was late getting there, from what I read in the blog posts by the researcher. He had expected it to make the January 2016 monthly patch.

        The guy is incredibly talented. Still finishing school or very near to it. Like to see his paycheck in a couple years.

    2. asdf

      Re: inevitably weak pin/password

      >Android uses the same pin/password for FDE as the lock screen.

      Not strictly true as through the CLI if you have root you can set a password different to your lock screen and they will stay diverged until the next time you change the lock screen pin/pwd whatever. That said Android FDE has always been a POS and is one area iOS absolutely owns Google's shit. That FBI triumph of iOS was due to the FBI getting lucky and the terrorist owning the 5c, the one recent iPhone without TrustedZone (or whatever marketing called it) hardware.

  11. John Savard

    Others

    Qualcomm, however, is a major and well-regarded manufacturer of processors for Android phones.

    What about other companies that produce the processors for discount phones? MediaTek comes to mind, but I think there are others even further downmarket.

    Of course, the owners of cheap phones might not have secrets that are as interesting... but I would be worried that cracking their security could be even easier.

    1. Anonymous Coward

      Re: Others

      Those cheaper SoCs may not even support a secure CPU separate from the main one.

    2. Crazy Operations Guy

      Re: Others

      A lot of the security folk I work with tend to choose the cheaper phones on purpose, as they keep getting stolen, and they usually have fewer obstacles to flashing a custom firmware.

      We do security and financial auditing and so are privy to some pretty imagining secrets such as security vulnerabilities and yet-to-be submitted financial information. None of that information is actually on the devices, but attackers may very well gain access to it using those devices (stealing two-factor auth tokens, data for social engineering attacks, etc). Oddly enough, the devices seem to go missing most often when going through customs checkpoints, and in some countries far more often than others, it's so weird how the people in charge of thoroughly tracking every item going in and out of a country could allow something as sensitive as a laptop or phone containing protected secrets just disappear like that, it's just so weird...

  12. Crazy Operations Guy

    Which processors have been fixed and which are vulnerable?

    Any word on which processors are susceptible to this attack and which aren't?

  13. gnasher729 Silver badge

    Enigma may have had a total of 88 bits of settings, but in reality only just over 14 bit for the rotor settings (3 x 26 values) plus just over 8 bits for the rotor choice (3 out of 8) needed to be cracked if a long enough cleartext could be guessed, and the switchboard cabling could then easily be deduced. Less than 6 million settings. Some rather clever mathematics was involved here :-)

    A fourth rotor was added for top secret submarine messages, but the Enigmas with four rotors used the first three rotors with exactly the same settings as everyone else, so after the 3 rotor code was cracked, 4 rotors were trivial (a huge mistake in the usage; properly used the fourth rotor would have made cracking 130 times harder).

    1. Ramazan
      Holmes

      > Less than 6 million settings

      5905536

  14. Bruno de Florence
    Happy

    They, whoever they are, are welcome to peek at the bits pics I exchange with other gay males. If you got it, flaunt it :-)

  15. Almost Me

    Some more Enigma Figures

    *Assuming* only 8 rotors available at any one time:

    3 Rotor Enigma.

    Rotor choice 8*7*6 = 336 = 8.4 bits

    Rotor Position 26*26*26 = 17576 = 14.1 bits

    Total Entropy = 5905536 = 22.5 bits

    4 Rotor Enigma (Naval)

    Rotor choice 8*7*6*5 = 1680 = 10.7 bits

    Rotor Position 26*26*26*26 = 456976 = 18.8 bits

    Total Entropy = 767719680 = 29.5 bits

    The daily key also determined how the rotor starting positions were offset, and (possibly) also when a rotor change would "carry" to the next position. Sometimes the wiring of a rotor needed to be deduced too. There were different keys in use on different networks, so it wasn't just a matter of breaking one key each day.

    The key insight of Turing, Welchman and others was that it was possible to break the rotor settings by brute force search based upon a known plaintext, and then to break the plugboard setting afterwards.

    The original breaks were *by hand*. Best description I've found is in "The Hut Six Story" by Gordon Welchman.

    (And if you think it's all trivial with modern computers, check out the enigma@home project.)
