Full disk encryption flaw could affect millions of Android users

Full disk encryption flaw could affect millions of Android users

When it comes to vulnerabilities and security, Google’s Android has never been in the good books of security experts or even its users to a great extent. Now, another vulnerability has surfaced that claims to leave millions of devices affected. Security expert Gal Beniamini has now revealed another flaw in Android encryption.

According to the DailyMail, the security researcher has said that Android devices with full disk encryption and powered by Qualcomm processors are at risk of brute force attacks wherein hackers can use persistent trial and error approach. Full disk encryption is on all devices running Android 5.0 onwards. It generates a 128-bit master key for a user’s password. The report adds that the key is stored in the device and can be cracked by malicious minds.

“Android FDE is only as strong as the TrustZone kernel or KeyMaster. Finding a TrustZone kernel vulnerability or a vulnerability in the KeyMaster trustlet, directly leads to the disclosure of the KeyMaster keys, thus enabling off-device attacks on Android FDE,” Beniamini explains.

A combination of things like Qualcomm processors verifying security and Android kernels are causing the vulnerability. Google along with Qualcomm is working at releasing security patches, but Beniamini said hat fixing the issue may require hardware upgrade.

“Full disk encryption is used world-wide, and can sometimes be instrumental to ensuring the privacy of people’s most intimate pieces of information. As such, I believe the encryption scheme should be designed to be as “bullet-proof” as possible, against all types of adversaries. As we’ve seen, the current encryption scheme is far from bullet-proof, and can be hacked by an adversary or even broken by the OEMs themselves (if they are coerced to comply with law enforcement),” he adds.

Lately, encryption debate had taken centre stage when Apple refused to unlock an iPhone belonging to a terrorist involved in San Bernardino shooting. The FBI reportedly managed to break into the device without Apple’s help and is believed to have paid a whopping $13 million to do so.

American ISIS Recruits Down, but Encryption Is Helping Terrorists’Online Efforts, Says FBI Director

American ISIS Recruits Down, but Encryption Is Helping Terrorists'Online Efforts, Says FBI Director

The number of Americans traveling to the Middle East to fight alongside Islamic State has dropped, but the terrorist group’s efforts to radicalize people online is getting a major boost from encryption technology, FBI Director James Comey said Wednesday.

Since August, just one American a month has traveled or attempted to travel to the Middle East to join the group, compared with around six to 10 a month in the preceding year and a half, Mr. Comey told reporters in a round table meeting at FBI headquarters.

However, federal authorities have their hands full trying to counter Islamic State’s social media appeal. Of around 1,000 open FBI investigations into people who may have been radicalized across the U.S., about 80% are related to Islamic State, Mr. Comey said.

The increasing use of encrypted communications is complicating law enforcement’s efforts to protect national security, said Mr. Comey, calling the technology a “huge feature of terrorist tradecraft.”

The FBI director cited Facebook Inc.’s WhatsApp texting service, which last month launched end-to-end encryption in which only the sender and receiver are able to read the contents of messages.

“WhatsApp has over a billion customers—overwhelmingly good people but in that billion customers are terrorists and criminals,” Mr. Comey said. He predicted an inevitable “collision” between law enforcement and technology companies offering such services.

Silicon Valley leaders argue that stronger encryption is necessary to protect consumers from a variety of threats.

“While we recognize the important work of law enforcement in keeping people safe, efforts to weaken encryption risk exposing people’s information to abuse from cybercriminals, hackers and rogue states,” WhatsApp CEO Jan Koum wrote last month in a blog post accompanying the rollout of the stronger encryption technology. The company Wednesday declined to comment on Mr. Comey’s remarks.

The FBI also continues to face major challenges in unlocking phones used by criminals including terrorists, Mr. Comey said. Investigators have been unable to unlock around 500 of the 4,000 or so devices the FBI has examined in the first six month of this fiscal year, which began Oct. 1, he said.

“I expect that number just to grow as the prevalence of the technology grows with newer models,” Mr. Comey added.

A terrorist’s locked iPhone recently sparked a high-stakes legal battle between the Justice Department and Apple Inc.
After Syed Rizwan Farook and his wife killed 14 people and wounded 22 in a December shooting rampage in San Bernardino, Calif., FBI agents couldn’t unlock the phone of Mr. Farook—who, along with his wife, was killed later that day in a shootout with police.

The government tried to force Apple to write software to open the device, but the technology company resisted, saying that such an action could compromise the security of millions of other phones.

That court case came to an abrupt end in March, when the FBI said it no longer needed Apple’s help because an unidentified third party had shown it a way to bypass the phone’s security features.

Encryption; Friend of Freedom, Guardian of Privacy

The issue of government access to private encrypted data has been in the public eye since the San Bernardino shootings in December, 2015. When an iPhone was found the FBI requested that Apple write code to override the phone’s security features. The FBI was ultimately able to decrypt the phone without Apple’s assistance. However, the ensuing debate over encryption has just begun.

High profile criminal and national security issues serve to shed light on an issue which is pervasive throughout the country. Local governments presumably have thousands of devices they would like to decrypt for investigatory purposes as New York City alone has hundreds. Seeking a resolution and remembering the horrific terror attacks of September 11, 2001 New York State Assembly Bill A8093A is in committee and seeks to outlaw the sale of phones in the state which have encryption not by passable to law enforcement.

Encryption allows for the safe keeping and targeting dissemination of private thoughts and information without worry off judgment, retaliation or mistreatment. On a grander scale encryption prevents unchecked government oversight. It can be argued that encryption technology is a hedge against current and future totalitarian regimes. With a history of occupation and abuse of power it is no surprise that Germany and France are not pushing for encryption backdoors.

Backdoors in encrypted devises and software provide another avenue for unwelcome parties to gain access. Hackers are often intelligent, well-funded and act on their own, in groups and most harmfully with foreign entities. Holes have a way of being found and master keys have a way of being lost.

Senators Richard Burr and Diane Feinstein are undoubtedly well intended with their draft law entitled the Compliance with Court Orders Act of 2016. The act calls for providers of communication services including software publishers to decrypt data when served with a court order. The data would have to be provided in an intelligible format or alternatively technical assistance for its retrieval. Prosecutors have a need to gather evidence. Governments have a duty to prevent crime and acts of terror.

However, experts question the feasibility of building backdoors into all types of encryption as it comes in many forms and from a host of global providers. Further, there is concern that the measure, if adopted, will backfire as the targeting of backdoors by our adversaries is assured. Cyberwar in the form of illicit data collection, theft of trade secrets and access to infrastructure is all too common and may escalate as tensions rise between adversaries. Ransomware and cyber extortion have been spreading, most recently at hospitals, and the knowledge of the existence of backdoors will motivate those who seek unseemly profits.

Efforts to prosecute the accused, fight crime and terror are noble causes. However, government should be wise in the approach lest we weaken our shared defenses in the process. The big corporate names of Silicon Valley recognize the dangers of backdoors and are speaking out and lobbying against Senator Burr and Feinstein’s efforts. The draft legislation does ensure that the monetary cost of decrypting is paid to the, “covered entity.” However, the costs to society at large remain up for discussion.

The encryption challenge

The encryption challenge

IT managers know the movies get it wrong. A teenager with a laptop cannot crack multiple layers of encryption — unless that laptop is connected to a supercomputer somewhere and the teenager can afford to wait a few billion years.

Encryption works. It works so well that even the government gets stymied, as demonstrated by the lengths to which the FBI went to access an iPhone used by one of the San Bernardino, Calif., shooters.

So in the face of ever more damaging stories about data breaches, why aren’t all government agencies encrypting everything, everywhere, all the time?

Encryption can be costly and time consuming. It can also be sabotaged by users and difficult to integrate with legacy applications.

Furthermore, according to a recent 451 Research survey of senior security executives, government agencies seem to be fighting the previous war. Instead of protecting data from hackers who’ve already gotten in, they’re still focusing on keeping the bad guys out of their systems.

Among U.S. government respondents, the top category for increased spending in the next 12 months was network defenses — at 53 percent. By comparison, spending for data-at-rest defenses such as encryption ranked dead last, with just 37 percent planning to increase their spending.

Part of the reason for those figures is that government agencies overestimate the benefits of perimeter defenses. Sixty percent said network defenses were “very” effective, a higher percentage than any other category, while government respondents ranked data-at-rest defenses as less effective than respondents in any other category.

There was a time when that attitude made sense. “Organizations used to say that they wouldn’t encrypt data in their data centers because they’re behind solid walls and require a [password] to get in,” said Steve Pate, chief architect at security firm HyTrust.

That attitude, however, runs counter to the modern reality that there is no longer a perimeter to protect. Every organization uses third-party service providers, offers mobile access or connects to the web — or a combination of all three.

A security audit at the Office of Personnel Management, for example, showed that use of multifactor authentication, such as the government’s own personal identity verification card readers, was not required for remote access to OPM applications. That made it easy for an attacker with a stolen login and password to bypass all perimeter defenses and directly log into the OPM systems.

An over-reliance on perimeter defenses also means that government agencies pay less attention to where their important data is stored than they should.

According to the 451 Research survey, government respondents were among those with the lowest confidence in the security of their sensitive data’s location. Although 50 percent of financial-sector respondents expressed confidence, only 37 percent of government respondents could say the same.

In fact, only 16 percent of all respondents cited “lack of perceived need” as a barrier to adopting data security, but 31 percent — or almost twice as many — government respondents did so.

Earlier this year, the Ponemon Institute released a report showing that 33 percent of government agencies use encryption extensively, compared to 41 percent of companies in general and far behind the financial sector at 56 percent. In that survey of more than 5,000 technology experts, 16 percent of agency respondents said they had no encryption strategy.

On a positive note, the public sector has been making headway. Last year, for example, only 25 percent of government respondents to the Ponemon survey said they were using encryption extensively.

“This is showing heightened interest in data protection,” said Peter Galvin, vice president of strategy at Thales e-Security, which sponsored the Ponemon report. High-profile data breaches have drawn public attention to the issue, he added.

How Apple makes encryption easy and invisible

How Apple makes encryption easy and invisible

Do you know how many times a day you unlock your iPhone? Every time you do, you’re participating in Apple’s user-friendly encryption scheme.

Friday, the company hosted a security “deep dive” at which it shared some interesting numbers about its security measures and philosophy as well as user habits. To be honest, we’re less concerned with how Apple’s standards work than the fact that they do and will continue to. But that’s kind of the point behind the whole system — Apple designed its encryption system so that we don’t even have to think about it.

Apple’s encryption and security protocols have faced a ton of scrutiny during its recent showdown with the government. And if anything, that debate has gotten more people thinking seriously about how data can and should be secured. And the topic is not going away for a while.

We weren’t there Friday, but Ben Bajarin from Techpinions offers some great analysis, and his piece includes some really cool stats. For one, Apple says that the average user unlocks their phone 80 times a day. We don’t know if that’s across all platforms or just iOS. It sounds a little low in my case, however, because I’m generally pretty fidgety.

But because people are checking their phones so often, it’s important for Apple developers to make encryption powerful without causing the end user frustration. Like if they could just plunk their thumb down, and their phone would unlock, for example.

89 percent of people who own Touch ID-enabled devices use the feature, Apple says. And that’s a really impressive adoption rate, but it makes sense when you think about how much easier the biometric system is to use than a passcode.

Passcodes are great, of course, and you have to have one. But as an experiment a while ago, I turned off Touch ID and went numbers-only to unlock my phone. And guess what? It was really annoying. I switched the feature back on by the end of the day.

Apple also talked up its so-called Secure Enclave, which is its slightly intimidating name for the single co-processor that has handled all encryption for its devices since the iPhone 5s. Each Enclave has its own, unique ID that it uses to scramble up all of the other data for safekeeping. And neither Apple nor other parts of your phone know what that UID is; it all just happens on its own. And that’s pretty much how we prefer it.

Apple’s rivals wary of taking stand on encryption issue, against the FBI

Apple’s rivals wary of taking stand on encryption issue, against the FBI

As Apple resists the US government in a high profile stand-off over privacy, rival device makers are, for now, keeping a low profile.

Most are Asian companies — the region produces eight of every 10 smartphones sold around the world — and operate in a complex legal, political and security landscape.

Only China’s Huawei has publicly backed Apple CEO Tim Cook in his fight to resist demands to unlock an encrypted iPhone belonging to one of those who went on a shooting rampage in San Bernardino, California in December.

“We put a lot of investment into privacy, and security protection is key. It is very important for the consumer,” Richard Yu, chief executive of Huawei’s consumer business group, told reporters at the Mobile World Congress earlier this week.

But Yu stopped short of saying explicitly that Huawei would adopt the same stance. “Some things the government requires from vendors we cannot do,” he said, citing an example of unlocking an encrypted Android device. “These are important things for the consumer, for privacy protection.”

Lenovo Group CEO Yang Yuanqing declined to say whether he backs the Apple position, saying the issue required time and consideration.

“Today it happens to Apple, tomorrow it could happen to Lenovo mobile phones. So we must be very serious to consider. We need to take some time,” Yang told Reuters.

Samsung Electronics Co and Chinese device maker Xiaomi declined to comment, while ZTE Corporation did not respond to requests for comments.

South Korean mobile maker LG Electronics Inc said it takes personal privacy and security very seriously, but declined to say whether it had ever worked with any government to insert so-called “backdoors” into its products or whether it had ever been asked to unlock a smartphone.

“Nobody wants to be seen as a roadblock to an investigation,” said a spokesperson for Micromax, India’s biggest local smartphone maker. “Nobody wants that kind of stigma. We have to take care of both customer security as well as (a) genuine threat to national security.”

Many Asian countries don’t have privacy laws that device makers can fall back on to resist demands from law enforcement authorities.

“As part of the evidence gathering process provided for under the law, law enforcement agencies in Singapore may request information from persons or organizations,” Singapore’s Ministry of Home Affairs Spokesperson told Reuters.
An official at India’s telecom regulator said authorities can ask for private user data from technology companies, as can those in Indonesia, said Ismail Cawidu, spokesman for Indonesia’s Communication and Information Ministry.
Eugene Tan, associate professor of law at the Singapore Management University, said he wouldn’t be surprised if technology firms weren’t being asked for access to their devices.

“It’s just that these are not made public. You can imagine for the technology companies, they are also concerned about the publicity — if they are seen to be caving in to law enforcement agencies, there is always a fear that people may not use their products and services,” he said.

Micromax said this was commonplace in India. “I can’t say no to a law enforcement request, and every day there is one,” the company’s spokesperson said. “You have to comply with requests in the larger interest of national security.”

The Apple battle may even spur regulators in some markets to demand device makers to grant them access.
Thailand’s telecoms regulator said it is studying the possibility of having separate agreements with handset makers and social media firms such as Facebook and Naver’s LINE to help extract data from mobile phones.
“There is political pressure” for regulating devices, said Rob Bratby, manager of Olswang Asia, a technology-focused law firm based in Singapore.

He said there was no evidence of any such regulatory interest yet, but it was a matter of time.

Apple and FBI to testify before Congress next week over encryption

Apple and FBI to testify before Congress next week over encryption

Over the past few days, Apple has made it abundantly clear that it will not comply with the FBI’s demand that it write a new piece of software to help bypass built-in iPhone security measures.

On the contrary, Apple has said that it wants the FBI to withdraw all of its demands while adding that the only way to move forward is to form a commission of experts on intelligence, technology, and civil liberties to discuss “the implications for law enforcement, national security, privacy, and personal freedoms.”

In the meantime, Apple has vehemently argued that Congress should be tasked with determining the fate of the shooter’s iPhone, not the courts. Come next Tuesday, Apple will finally be able to plead its case directly in front of our country’s lawmakers.

Earlier today, the House Judiciary Committee announced that it will be holding a congressional hearing on encryption on Tuesday, March 1. The hearing itself is called, “The Encryption Tightrope: Balancing Americans’ Security and Privacy.”

Slated to testify on the first panel is FBI director James Comey who, you might recall, recently penned a blogpost arguing that the current debate isn’t about the implications of encryption, but rather about “the victims and justice.”

On the second panel, Apple’s top lawyer, Bruce Sewell, will appear and present Apple’s case. Appearing alongside him will be Susan Landau, a cybersecurity expert, and New York District Attorney Cyrus R. Vance, Jr.

A statement from the House Judiciary Committee on the upcoming hearing reads as follows:

Apple and FBI to testify before Congress next week over encryption

This should undoubtedly make for a lively hearing.

Speaking to the seriousness with which Apple views this debate, Tim Cook yesterday said that helping the FBI would be tantamount to creating the “software equivalent of cancer.”

The Netherlands will not weaken encryption for security purposes

The Netherlands will not weaken encryption for security purposes

The Dutch government believes that confidence in secure communication and storage data is essential for the development of the Dutch economy.

The Netherlands will not follow the trend of weakening encryption for security purposes, according to a statement by the Dutch Minister of Security and Justice.

In contrast, with the United Kingdom where the Investigatory Powers Bill, will ban internet firms of holding client’s private communication information the Dutch government believes that strong encryption is key for the future growth of the Dutch economy.

Daily Dot website reported that Ard van der Steur, the Dutch minister of security and justice, wrote in a statement that the Dutch executive cabinet endorsed “the importance of strong encryption for Internet security to support the protection of privacy for citizens, companies, the government, and the entire Dutch economy”.

The statement continues saying: “Therefore, the government believes that it is currently not desirable to take legal measures against the development, availability and use of encryption within the Netherlands.”

Van der Steur added in the statement that “confidence in secure communication and storage data is essential for the future growth potential of the Dutch economy, which is mainly in the digital economy.”

The Dutch Minister also explained that weakening encryption will not lead to a safer world, as criminal organizations will have easier access to sensitive private information.

According to Daily Dot, the minister of security and justice described at length the virtues of encryption, from protecting laptops against theft to allowing the Dutch government itself to communicate online safely with its citizens about taxes and digital IDs. “Cryptography is key to security in the digital domain,” Van der Steur argued.

Paris attack stokes the flames in fight over US data encryption

Last week’s terrorist attack on Paris sounded a call to arms for hawkish U.S. officials seeking broad oversight of encrypted digital communications, some of whom used the opportunity to rekindle discussions with Silicon Valley technology companies.

Paris attack stokes the flames in fight over US data encryption

In an interview with MSNBC on Monday, Senator Diane Feinstein (D-Calif.) said Silicon Valley companies, particularly those marketing secure Internet messaging services, should help government agencies protect the homeland by allowing controlled access to encrypted data.

“They have apps to communicate on that cannot be pierced even with a court order, so they have a kind of secret way of being able to conduct operations and operational planning,” Feinstein said of ISIS terrorists. She hammered the point home, reminding MSNBC’s Andrea Mitchell of recent video footage showing ISIS leaders giving potential sleeper cells the go ahead to carry out attacks on U.S. soil.

Last month the Senate passed the controversial Cybersecurity Information Sharing Act, a bill that effectively allows companies to legally share customer data with the Department of Homeland Security and other government agencies. Feinstein is a co-sponsor of the bill.

As iOS and Android dominate modern mobile communications, Apple and Google have been singled out as part of the problem for providing end-to-end encryption messaging services. For example, strong encryption in iOS 8 and above makes it virtually impossible to eavesdrop on iMessage conversations or gain physical device access, even with appropriate warrants.

“I have actually gone to Silicon Valley, I have met with the chief counsels of most of the big companies, I have asked for help and I haven’t gotten any help,” Feinstein said. “I think Silicon Valley has to take a look at their products, because if you create a product that allows evil monsters to communicate in this way, to behead children, to strike innocents, whether it’s at a game in a stadium, in a small restaurant in Paris, take down an airliner, that’s a big problem.”

Bloomberg reports other top-ranking U.S. officials, including CIA Director John Brennan, made similar comments, but fell short of asking that new laws be enacted.

“There are a lot of technological capabilities that are available right now that make it exceptionally difficult — both technically as well as legally — for intelligence security services to have insight that they need,” Brennan said today at an event in Washington, D.C.

For its part, Apple has been a vocal advocate of consumer privacy and pushed back against CISA alongside other tech companies in October. CEO Tim Cook has repeatedly warned of the detrimental effects a back door policy would have not only on individual users, but the tech industry as a whole.

Critics to Apple’s position argue CISA lets providers share data while still maintaining privacy, a proverbial win-win situation for everyone involved. Americans could find themselves putting to those claims to the test sooner rather than later, as the bill is headed to the House of Representatives and, if passed, to President Obama for ratification.

Your self-encrypting hard drive isn’t nearly as secure as you thought

Your self-encrypting hard drive isn't nearly as secure as you thought

If you want to keep your information away from hackers and snoops, whether it’s your Internet use, email, hard drive data or your backup, the best thing you can do is use encryption. Encryption scrambles your data and, in theory, the only way to unscramble it is to know the password. That’s why choosing a strong password no one can guess is important.

This is also what makes a ransomware virus that encrypts your files so dangerous. Without paying for the decryption password, you can’t get your files back. Learn three steps you can take to beat ransomware. Unfortunately for your security, encryption isn’t always a secure as you’d hope.

Without going into too much technical detail, there are a lot of ways that encryption can happen, from the method it uses to encrypt the data to how many bits it uses. For example, you’ll see 128-bit AES and 256-bit AES show up a lot in programs and Web encryption. There’s SHA-1 and SHA-2 from the NSA. For your router, you’ll see options like WEP, WPA TKIP, WPA2 AES and more.

Unfortunately, not all encryption is created equal. For centuries, mathematicians and cryptographers have been coming up with and breaking encryption schemes. As computers have gotten more powerful, encryption that should have taken centuries to crack can fail in seconds.

That’s why you don’t see much 64-bit AES anymore, why using WEP on your router is the same has having no encryption, and why large organizations are moving from SHA-1 to SHA-2 encryption.

Of course, this is way more than the average person should have to think about. You should be able to trust that every company is using the best encryption possible in the products you buy and use. Unfortunately, that often isn’t the case, and we just got a fresh reminder.