A researcher with viaForensics demonstrated how to beat encryption for Android devices at the DEF CON security conference in Las Vegas.
According to Thomas Cannon, director of research and development for viaForensics, the idea was to demonstrate the ways that black hats – or the government – can get access to the data on a user’s phone if it is lost, seized or stolen. Rather than rely on a flaw in the encryption itself, Cannon chose to show how a sophisticated attacker can brute-force weak passwords protecting a device.
“I presented on a number of methods for gaining access to user data on Android devices,” he told SecurityWeek after his presentation.
According to Cannon, a hacker would have to obtain a copy of the userdata partition and of the encrypted master key, with salt, stored in a footer file. To do this, the attacker would need to gain access to the device through an unlocked bootloader, JTAG, chip-off or an exploit in the firmware.
“Once you have those, you can run password guesses through the decryption process and see if it is successful (at a simple level),” he said. “This is automated and can be optimized to try large numbers of guesses very fast. The implications of the attack are that if you have a weak encryption password it will be possible to crack your encrypted key and get at your data in a reasonable time frame. In that sense it is no different from any other system which uses passwords.”
He described the level of sophistication necessary for the attack as high.
“So the presentation was about how your data can be accessed, techniques used, it wasn’t aimed at warning users about a flaw in the encryption,” he said. “If there is a flaw it is that on stock Android devices the encryption password is the same as the lock screen password, meaning that users set passwords that are easy and quick to type, which can be cracked. Advanced users with root access can change their encryption password while keeping their lock screen password simple, but this isn’t an option for regular users. It is a balance between convenience and security, and the users have to decide where to draw that line.”