Qualcomm says it issued patch for Android encryption flaw over a year ago

Cracking encryption is a subject of perpetual fascination.

Congress has made numerous efforts to legislate it. The FBI tried to pressure Apple to do it. New messaging apps continuously debut with claims about strong encryption, and controversy bubbles when they forget it.

So when a researcher found a flaw in Android’s full disk encryption scheme closing week that allowed for decryption of the tool, it regarded in the beginning like a modern protection discovery.

But chipmaker Qualcomm now claims it informed Google approximately the vulnerabilities in November 2014 and February 2015. Google issued patches in January and might of this yr — which means that the agency may additionally have regarded about the trouble for over a year before rolling out fixes.

The patches got here because the Federal Exchange Fee and the Federal Communications Commission introduced parallel investigations into the pace at which Google and other telephone makers roll out safety updates. The FCC referred to the Stagefright trojan horse in Android as one of the protection vulnerabilities that stimulated the investigations.

With a lot countrywide cognizance on robust encryption, the yr-long delay looks like an obvious hassle. But to recognize why users didn’t get their arms on a fix until might also, you need to understand a little about the complicated deliver chain that goes into Android gadgets and Android’s method to securing its large environment.
Deliver-chain complex

Android is an open-source platform, so masses of cellphone producers are constructing gadgets to run Android. The ones devices are in turn made from plenty of different components from manufacturers of chips, cameras and different hardware.

Android often gets in comparison to its biggest competitor, the iPhone, but the contrast is a chunk sticky. IPhone is essentially simply one device (k, perhaps a dozen devices in case you need to remember each 5s, 6 and six Plus as particular). Whilst Apple tightly controls its production, Android is on thousands of devices over which Google has little to no manage.

This various supply chain is what brought about the make the most used to interrupt Android’s full disk encryption.

Security researcher Gal Beniamini observed numerous troubles inside the implementation of Android’s complete disk encryption that would permit an attacker to decrypt an Android tool with a Qualcomm chip. The decryption makes the most involves a complicated procedure, however the heart of the issue is that Android gadgets powered by Qualcomm chips store their encryption keys in software in place of in hardware.

The hardware-software program distinction have become a key part of Apple’s fight with the FBI over unlocking an iPhone used by the San Bernardino shooter. Because Apple stores encryption keys in hardware, investigators couldn’t keep away from a number of the functions the agency makes use of to defend its gadgets, like time delays among password attempts and a tool wipe after 10 wrong passwords tries.

If Apple stored the keys in software, investigators could have been able to drag the keys off the device and run password guesses greater quick and without the hazard of dropping all the statistics on the phone. (Even though it’s feasible that the FBI did find a way to do this besides, the method it used to interrupt into the smartphone has not been made public.)
New discover, antique computer virus

In a blog submit posted closing week, Beniamini outlined the process of breaking Android’s complete disk encryption; he exploited several weaknesses in Qualcomm’s security to pull the encryption keys off an Android tool.

Beniamini disclosed the problems to Android and Qualcomm and become paid via Google’s computer virus bounty application for his work.

“We admire the researcher’s findings and paid him for his work through our Vulnerability Rewards software. We rolled our patches for these troubles in advance this 12 months,” a Google spokesperson stated. Google issued two patches in advance this yr to fix the problems Beniamini observed.

However according to Qualcomm, Google must have regarded approximately the vulnerability because 2014. A Qualcomm spokesperson said the organization found the same vulnerabilities exploited via Beniamini as early as August 2014 and made patches available to Google in November 2014 and February 2015.

Nevertheless, the vulnerability lingered in Android long sufficient for Beniamini to discover his take advantage of. (Google didn’t touch upon the exact timeline that lead up to the patches.)

“Reputedly, even though they fixed the difficulty internally, OEMs [Original Equipment Manufacturers] did know not follow the restoration (perhaps they forgot or in reality overlooked it),” Beniamini informed TechCrunch in a message.

It’s now not completely clean why Android’s repair changed into so delayed. It’s possible that the Android team didn’t understand how the Qualcomm flaw could be exploited in Android until Beniamini pointed it out. It’s additionally possible that the slow repair become the result of Android’s method to safety. With Android running on