Hacking of the Qualcomm Secure Execution Environment permit to break Android Full Disk Encryption

Yes: if you have an Android smartphone with Qualcomm chipset FBI could be able to decrypt your device!


Bits, Please!” has published an article in which he explains how, with the complicity of a feature of QSEE (Qualcomm Secure Execution Environment) and some errors in the Android code, you can decrypt devices with Full Disk Encryption enabled.

Google started to implement Full Disk Encryption on Android starting with version 5.0 with the purposes of protecting data on the device from unauthorized access.

Android’s disk happens in the background and invisible to the user, the disk is encrypted/decrypted transparently.

Bits, Please!” recently has analyzed Android’s Full Disk Encryption implementation and came to the conclusion that that Android’s disk encryption on devices with Qualcomm chips hinges on the user’s account password only.


Android uses the user’s password to create a strong 2048 RSA key but, using a feature in the Qualcomm chipset is possible to extract the encryption key.

Qualcomm Trusted Execution Environment allows small apps, known as “Trustlets”, to run inside of this secure environment and away from the main Android OS. 
And one of these QSEE apps running is KeyMaster:


But exploiting an Android vulnerability you can load a custom QSEE app inside TrustZone, which can lead to privilege escalation and hijacking of the full space, as well as the theft of the unencrypted blob containing the keys generated for full-disk encryption.

Once this step is complete, with a brute-force attack it’s possible to extract the user password, PIN, or lock, and all you need to decrypt Android FDE:

CONCLUSIONS

The key derivation is not hardware bound. Instead of using a real hardware key which cannot be extracted by software (for example, the SHK), the KeyMaster application uses a key derived from the SHK and directly available to TrustZone.

Qualcomm and OEMs can comply with law enforcement to break Full Disk Encryption. Since the key is available to TrustZone, Qualcomm and OEMs could simply create and sign a TrustZone image which extracts the KeyMaster keys and flash it to the target device. This would allow law enforcement to easily brute-force the FDE password off the device using the leaked keys.

Patching TrustZone vulnerabilities does not necessarily protect you from this issue. Even on patched devices, if an attacker can obtain the encrypted disk image (e.g. by using forensic tools), they can then “downgrade” the device to a vulnerable version, extract the key by exploiting TrustZone, and use them to brute-force the encryption. Since the key is derived directly from the SHK, and the SHK cannot be modified, this renders all down-gradable devices directly vulnerable.

Android FDE is only as strong as the TrustZone kernel or KeyMaster. Finding a TrustZone kernel vulnerability or a vulnerability in the KeyMaster trustlet, directly leads to the disclosure of the KeyMaster keys, thus enabling off-device attacks on Android FDE.


The exploit

The researcher has published on GitHub the full sourcecode of the exploit (https://github.com/laginimaineb/ExtractKeyMaster) and a set of python scripts which can be used to brute-force Android Full Disk Encryption (https://github.com/laginimaineb/android_fde_bruteforce).


The original paper

The original article is highly technical but very interesting for a programmer or a security expert:

https://bits-please.blogspot.it/2016/06/extracting-qualcomms-keymaster-keys.html

Comments