Security experts have uncovered a serious security flaw in Android phones which could leave millions of users vulnerable to hackers.
The finding comes from an expert who says that phones running full disk encryption (FDE) and Qualcomm chips are most at risk.
An investigation by security analyst Gal Beniamini of the Israeli Defense Forces revealed that devices are particularly vulnerable to so called ‘brute force attacks’ where hackers overwhelm security measures using a persistent trial and error approach.
Android rolled out full disk encryption (FDE) on all devices from Android 5.0, which involves the phone generating a 128-bit master key based on the user’s password.
However, the way in which the key is stored on the device means it could potentially be easily cracked by cyber criminals and even law enforcement agencies.
Phone encryption was central to the recent FBI case involving Apple, in which authorities wanted the tech firm to break the encryption of an iPhone used by one of the attackers in the San Bernardino shootings in the US. In this case, the iPhone ran 256-bit FDE, which not even Apple could crack.
For Android users, the vulnerabilities are down to a combination of factors.
According to Neowin, these are namely flaws in how Qualcomm processors verify security and Android kernels the core operating system.
On a blog post outlining the full technical details of the Android hack, Beniamini explains that while both Google and the chip-maker have been made aware of the vulnerabilities, users may require hardware upgrades to fix the issue.
He wrote: ‘I’ve been in contact with Qualcomm regarding the issue prior to the release of this post, and have let them review the blog post.
‘As always, they’ve been very helpful and fast to respond. Unfortunately, it seems as though fixing the issue is not simple, and might require hardware changes.’
The post explained how vulnerable phones could be targeted through everyday activities including email, web browsing and text messages.
A spokesperson for Google told TOT: ‘We appreciate the researcher’s findings and paid him for his work through our Vulnerability Rewards Program. We rolled out patches for these issues earlier this year.’
