Well, that's good news. For the FBI, etc.
Cracking Android's full-disk encryption is easy on millions of phones – with a little patience
Android's full-disk encryption on millions of devices can be cracked by brute-force much more easily than expected – and there's working code to prove it. Essentially, if someone seizes your Qualcomm Snapdragon-powered phone, they can potentially decrypt its file system's contents with a friendly Python script without knowing …
COMMENTS
-
-
Friday 1st July 2016 16:05 GMT NoneSuch
During WW2 the best Enigma code was the equivalent of 88 bit and could be broken using mechanical machines in under 24h.
Today, 75 years later, our encryption standard is 256 bit (or less), while our computing power has scaled logarithmically beyond our wildest dreams.
The US gov says AES 256 is all any of us needs and outlaws anything stronger from being circulated. And no one sees the inherent flaw in this.
-
Friday 1st July 2016 18:27 GMT Anonymous Coward
You do realize
That 256 bit encryption is not 3x stronger than 88 bit, but rather 374,144,419,156,711,147,060,143,317,175,368,453,031,918,731,001,856 times stronger, right? Assuming no weakness in AES is found that seriously compromises its strength, and no true quantum computers appear, AES-256 will likely be secure for our lifetime. Certainly for the lifetime of the phone you are carrying today.
Besides, worrying about compromise of AES-256 letting someone decrypt your phone's filesystem, when there are a metric shitload of exploits against it that can do all that and more, is rather pointless.
-
Friday 1st July 2016 19:53 GMT Crazy Operations Guy
The Enigma was easy to crack, not because of key length, but because the message was in a well-defined format, the key was re-used for all messages during a day and was used for communications in both directions, meassage length was limited to 250 characters (and only 26 characters at that), and the plain-text was predictable (A ship out on patrols would only be send so many different messages).
The Enigma suffered from many, many flaws that key length was the least of them.
-
Saturday 2nd July 2016 02:33 GMT asdf
nitpicking
Though I agree with the gist of what you are saying I have to nitpick.
>88 bit and could be broken using mechanical machines in under 24h.
As mentioned by the other poster truly random inputs to well implemented 88 bit encryption could not be defeated in a day in the 1940s. Its questionable if it could be broken today in a day.
>while our computing power has scaled logarithmically
I think you meant to say exponentially as logarithmically means the computing power would have flat lined pretty soon after.
>The US gov says AES 256 is all any of us needs and outlaws anything stronger from being circulated.
They outlawed math? For the paranoid ChaCha20 is also 256 bit (size due to technical reasons not legal) and the NSA had nothing to do with its creation (part of why Google is pushing it). Basically until quantum computers become a thing or somebody proves factorization is not NP hard 256 bit will probably suffice. Its domain is probably larger than the number of atoms, photons and even neutrinos in the observable universe combined.
-
Saturday 2nd July 2016 02:46 GMT asdf
Re: nitpicking
Not saying that more than 256 bit should be illegal by the way and in fact I don't believe it is unless you try to export it to one of the bad guy countries. Even then considering the bleeding edge of encryption theory is coming out of Belgium we only have to worry if they don't allow import which AFAIK is not the case. Links would be great if I am incorrect.
-
Monday 4th July 2016 12:31 GMT You aint sin me, roit
Re: nitpicking
"Basically until quantum computers become a thing or somebody proves factorization is not NP hard 256 bit will probably suffice."
AES is a symmetric algorithm, nothing to do with the factorization of big numbers.
The asymmetric RSA algorithm cited was using a 2048 bit key. "Probably" good for a couple of years...
-
-
-
-
This post has been deleted by its author
-
-
Friday 1st July 2016 12:45 GMT ACZ
Re: inevitably weak pin/password
Exactly. Just need to know what kind of screen lock is enabled (pattern, PIN, password, fingerprint) and in most cases the set of combinations to brute-force reduces very significantly. So, effectively, pattern, PIN, are now totally compromised on most devices (well... they weren't exactly strong in the first place). Most passwords will be similarly compromised.
Don't know how fingerprints are processed to convert across to a numerical form for the crypto, but I do wonder whether fingerprint or an appropriately long/complex password are the only realistic options now.
Also wonder how this affects Blackhone etc.
-
Monday 4th July 2016 21:51 GMT oneeye
Re: inevitably weak pin/password
So long as Black Phone updates their operating system, the exploits have already been patched in AOSP Code. But, it was late getting there, from what I read in the blog posts by the researcher. He had expected it to make the January 2016 monthly patch.
The guy is incredibly talented. Still finishing school or very near to it. Like to see his paycheck in a couple years.
-
-
Saturday 2nd July 2016 03:10 GMT asdf
Re: inevitably weak pin/password
>Android uses the same pin/password for FDE as the lock screen.
Not strictly true as through the CLI if you have root you can set a password different to your lock screen and they will stay diverged until the next time you change the lock screen pin/pwd whatever. That said Android FDE has always been a POS and is one area iOS absolutely owns Google's shit. That FBI triumph of iOS was due to the FBI getting lucky and the terrorist owning the 5c the one recent iPhone without TrustedZone (or whatever marketing called) hardware.
-
-
Friday 1st July 2016 16:01 GMT John Savard
Others
Qualcomm, however, is a major and well-regarded manufacturer of processors for Android phones.
What about other companies that produce the processors for discount phones? MediaTek comes to mind, but I think there are others even further downmarket.
Of course, the owners of cheap phones might not have secrets that are as interesting... but I would be worried that cracking their security could be even easier.
-
Friday 1st July 2016 20:09 GMT Crazy Operations Guy
Re: Others
A lot of the security folk I work with tend to chose the cheaper phones on purpose, as they keep getting stolen, and they usually have fewer obstacles to flashing a custom firmware.
We do security and financial auditing and so are privy to some pretty imagining secrets such as security vulnerabilities and yet-to-be submitted financial information. None of that information is actually on the devices, but attackers may very well gain access to it using those devices (stealing two-factor auth tokens, data for social engineering attacks, etc). Oddly enough, the devices seem to go missing most often when going through customs checkpoints, and in some countries far more often than others, its so weird how the people in charge of thoroughly tracking every item going in and out of a country could allow something as sensitive as a laptop or phone containing protected secrets just disappear like that, its just so weird...
-
Saturday 2nd July 2016 19:45 GMT gnasher729
Enigma may have had a total of 88 bits of settings, but in reality only just over 14 bit for the rotor settings (3 x 26 values) plus just over 8 bits for the rotor choice (3 out of 8) needed to be cracked if a long enough cleartext could be guessed, and the switchboard cabling could then easily be deduced. Less than 6 million settings. Some rather clever mathematics was involved here :-)
A fourth rotor was added for top secret submarine messages, but the Enigmas with four rotors used the first three rotors with exactly the same settings as everyone else, so after the 3 rotor code was cracked, 4 rotors were trivial (a huge mistake in the usage; properly used the fourth rotor would have made cracking 130 times harder).
-
Tuesday 5th July 2016 01:58 GMT Almost Me
Some more Engima Figures
*Assuming* only 8 rotors available at any one time:
3 Rotor Engima.
Rotor choice 8*7*6 = 336 = 8.4 bits
Rotor Position 26*26*26 = 17576 = 14.1 bits
Total Entropy = 5905536 = 22.5 bits
4 Rotor Enigma (Naval)
Rotor choice 8*7*6*5 = 1680 = 10.7 bits
Rotor Position 26*26*26*26 = 456976 = 18.8 bits
Total Entropy = 767719680 = 29.5 bits
The daily key also determined how the rotor starting positions were offset, and (possibly) also when a rotor change would "carry" to the next position. Sometimes the wiring of a rotor needed to be deduced too. There were different keys in use on different networks, so it wasn't just a matter of breaking one key each day.
The key insight of Turing, Welchman and others was that it was possible to break the rotor settings by brute force search based upon a known plaintext, and then to break the plugboard setting afterwards.
The original breaks were *by hand*. Best description I've found is in "The Hut Six Story" by Gordon Welchman.
(And if you think it's all trivial with modern computers, check out the enigma@home project.)