Qualcomm In A Tight Spot Over Device Encryption Issue | TechTree.com

An encryption flaw left almost 60 per cent of Android devices vulnerable to decryption attacks from the online world


Encryption of smart devices has been all the rage in the technology world. While the US government has been trying to get a hold on it in Congress, the showdown between the FBI and Apple Inc. has shed more light on the issue, and now Qualcomm is the latest entity to face the heat. According to some investigations, about 60 per cent of Android devices, especially those using Qualcomm processors, have been vulnerable to cyber-attacks that could decrypt a device completely. The main source of controversy is that the processor maker mentioned the security flaw in November 2014 and February 2015, but patches from Google arrived only this year.

The security patches for the vulnerability started appearing around the time the Federal Trade Commission and the Federal Communications Commission (FCC) looked into the speed with which Google had issued updates in the recent past. The organization then brought to light the Stagefright bug in Android as one of the main weaknesses present.

The supply chain complexity

What exposes Android to such a vulnerability is the fact that it is an open-source OS. Device makers tweak the OS to suit their devices as well as possible, since parts such as microchips, cameras, and other hardware need to be aligned with it. Also, Google, being software-centric, typically has devices that store the encryption keys in the software of the device instead of in the hardware, which is what Apple does. For this reason, an attacker could get hold of the encryption keys and fully decrypt the device, leaving it open to manipulation.

In the case of Apple, the encryption keys are stored in the hardware of the device. During its face-off with the FBI, it came to light that the FBI couldn't circumvent some of the features, such as the time delay between attempts at unlocking a phone with a password, or the total wipe of the device after 10 consecutive attempts at unlocking it. This was the case involving the San Bernardino shooter, who used an iPhone.

The core of the fix

Security researcher Gal Beniamini discovered and spoke of the flaw in Android's full-disk encryption as early as August 2014. This was communicated to Qualcomm, which then issued security patches by November 2014. However, the patches were not implemented until early this year, which is why Beniamini re-discovered the flaw in most Android devices using Qualcomm chips.

However, there could be another twist to the tale: the OEM disconnect. Since Android is open-source, the implementation of updates and security patches can vary from one device maker to the next, as they mostly customize according to the device release schedule and functionality. Even though Google could have released the security patches in time, a great many devices may not have received them because the device makers (OEMs) may not have sent them out to users in time.
