A security researcher at Johns Hopkins University who led an examination into the robustness of smartphone encryption systems says he was shocked by the Android and iOS vulnerabilities they discovered.
He said that iOS in particular has extremely secure encryption capabilities, but these are not in use much of the time â€¦
Cryptographers at Johns Hopkins University used publicly available documentation from Apple and Google as well as their own analysis to assess the robustness of Android and iOS encryption. They also studied more than a decadeâ€™s worth of reports about which of these mobile security features law enforcement and criminals have previously bypassed, or can currently, using special hacking tools [â€¦]
â€œIt just really shocked me, because I came into this project thinking that these phones are really protecting user data well,â€� says Johns Hopkins cryptographer Matthew Green, who oversaw the research. â€œNow Iâ€™ve come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?â€�
The researchers said that iPhones essentially have three levels of protection:
- Before First Unlock (BFU), or immediately after a restart
- After First Unlock (AFU), when the phone has been locked but not restarted
- Complete Protection locks available for developers to use if they wish
When an iPhone is restarted, and not yet unlocked, it is in a state Apple calls Protected Until First User Authentication and which security researchers refer to as Before First Unlock (BFU). In this state, the highest level of encryption is applied, known as Complete Protection. It is virtually impossible to extract data from an iPhone in this state unless you can find a way to unlock it.
The risks begin after that first unlock, says the report.
When data is in the Complete Protection state, the keys to decrypt it are stored deep within the operating system and encrypted themselves. But once you unlock your device the first time after reboot, lots of encryption keys start getting stored in quick access memory, even while the phone is locked. At this point an attacker could find and exploit certain types of security vulnerabilities in iOS to grab encryption keys that are accessible in memory and decrypt big chunks of data from the phone.
Based on available reports about smartphone access tools, like those from the Israeli law enforcement contractor Cellebrite and US-based forensic access firm Grayshift, researchers realized that this is how almost all smartphone access tools likely work right now.
Apple does, however, offer one option Android doesnâ€™t.
Where Apple provides the option for developers to keep some data under the more stringent Complete Protection locks all the timeâ€”something a banking app, say, might take them up onâ€”Android doesnâ€™t have that mechanism after first unlock.Â
Most apps donâ€™t take advantage of this.
The risks do, however, need to be viewed in perspective.
Itâ€™s not hard to understand why Apple offers different levels of protection: performance. Having the phone operate in Complete Protection mode all the time â€“ only retrieving decryption keys when needed, and purging them from quick access memory after use â€“ would significantly slow down the phone. Apple takes a balanced approach which is appropriate for the vast majority of users.
Itâ€™s important to understand that the type of tools used to exploit this slightly weakened security state rely on physical access to the phone, and require knowledge of other zero-day iOS vulnerabilities in order to gain access to data. In practice, unless you are a criminal, or a high-value target for a nation state or major corporation, you arenâ€™t going to be at risk from this type of attack.
Apple said that it continually refines its privacy protections.
â€œApple devices are designed with multiple layers of security in order to protect against a wide range of potential threats, and we work constantly toÂ add new protections for our usersâ€™ data,â€� the spokesperson said in a statement. â€œAs customers continue to increase the amount of sensitive information they store on their devices, we will continue toÂ develop additional protections in both hardware and software to protect their data.â€�
As an aside, if you want to see an example of the difference between BFU and AFU protections, thereâ€™s a simple experiment you can conduct.
When your best friend calls your phone, their name usually shows up on the call screen because itâ€™s in your contacts. But if you restart your device, donâ€™t unlock it, and then have your friend call you, only their number will show up, not their name. Thatâ€™s because the keys to decrypt your address book data arenâ€™t in memory yet.
FTC: We use income earning auto affiliate links. More.
The post Johns Hopkins security researchers ‘shocked’ at Android and iOS vulnerabilities appeared first on TechFans.