Android phone encryption can be bypassed, Defcon hackers say

July 30, 2012

The personal data stored on your Android device is not as secure as you may think once the device falls into the wrong hands. Sure, your lost or stolen smartphone is protected by some sort of unlock code, but that kind of security alone does not guarantee that your data stays private.

AllThingsD talked to Viaforensics’ director of research and development Thomas Cannon at the Defcon hacker conference, who revealed that the actual passwords that people use to protect their Android devices are the weak link that can be exploited to bypass the device’s encryption.

Apparently hackers won’t try to find a flaw in the “Linux-based encryption,” but rather go for the passwords that protect it, which are pretty weak:

That’s because Android uses the same password to decrypt the data on the phone as is used to unlock the device. People tend to use either short PIN numbers, simple patterns or easy-to-remember words. As a result, the encryption is fairly easily broken, through what is known as a brute-force attack.

One way to fix this security exploit is to have Google implement a two-password security system, one password for booting the device, which would be used to decrypt the phone during boot, and another one that can be used to unlock the device.
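To put the brute-force point in numbers, here is an added example (not from the article, AllThingsD or Viaforensics) that estimates the search space of the unlock secrets named above and how long an offline guess would take at an assumed rate. The secret types, the guess rate and the pattern-lock counting rule are assumptions made for the example, not figures from the report.

```python
# Constructed example: rough offline-guessing cost for common unlock secrets.
# The guess rate is an assumption standing in for the key-derivation cost.

GRID = [(r, c) for r in range(3) for c in range(3)]  # 3x3 pattern-lock nodes


def _count_from(path, visited):
    """Depth-first count of valid pattern continuations. A stroke that crosses
    an unvisited node pulls that node into the pattern, so such a jump is not a
    separate pattern and is skipped here (assumed pattern-lock rule)."""
    total = 1 if len(path) >= 4 else 0  # patterns need at least 4 nodes
    r1, c1 = GRID[path[-1]]
    for nxt in range(9):
        if visited[nxt]:
            continue
        r2, c2 = GRID[nxt]
        if (r1 + r2) % 2 == 0 and (c1 + c2) % 2 == 0:
            mid = GRID.index(((r1 + r2) // 2, (c1 + c2) // 2))
            if not visited[mid]:
                continue
        visited[nxt] = True
        total += _count_from(path + [nxt], visited)
        visited[nxt] = False
    return total


def pattern_keyspace():
    """Number of distinct 3x3 unlock patterns using 4 to 9 nodes."""
    total = 0
    for start in range(9):
        visited = [False] * 9
        visited[start] = True
        total += _count_from([start], visited)
    return total


def keyspaces():
    """Search-space sizes for the kinds of unlock secret people tend to pick."""
    return {
        "4-digit PIN": 10 ** 4,
        "6-digit PIN": 10 ** 6,
        "3x3 pattern": pattern_keyspace(),
        "8-char mixed-case alphanumeric": 62 ** 8,
    }


def expected_seconds(keyspace, guesses_per_second):
    """Average time to find the secret: half the space is tried on average."""
    return keyspace / 2 / guesses_per_second
```

At an assumed 500 guesses per second, a 4-digit PIN falls in about ten seconds and a pattern in minutes, while the 8-character passphrase is out of reach, which is the gap a separate boot password is meant to close.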

The publication points out that only Android devices running Android 3.0 or later come with encrypted data, while previous Android versions don’t offer this security feature to users.

This is the second report in as many weeks that details security deficiencies of Android, with a previous story revealing that devices running any Android version up to Jelly Bean are prone to malicious attacks. The good news here is that Jelly Bean is more secure than its predecessors, but then again, not all Android devices out there will be able to run it.