Security Hole Discovered in Android Marshmallow, Lollipop Devices with Qualcomm CPUs

Android Marshmallow, Lollipop Full Disk Encryption

Since its introduction, Android has grown steadily into a more mature platform, especially now that user security has become the major focus not just for Google, but also for many other OEMs.

Today, many devices are built with encryption baked in. We also see monthly security patches being rolled out to Android devices running Android Lollipop and above. As a result, Android keeps becoming safer and more secure over time. Despite this, security holes and flaws cannot be avoided entirely, now or in the future.

A case in point: a security researcher by the name of Gal Beniamini recently discovered a vulnerability that puts at risk millions of people who are currently using Android Lollipop or Marshmallow devices powered by Qualcomm-made Snapdragon chipsets. Apparently, these devices have an issue that leaves Full Disk Encryption open to brute-force attacks.

The issue is related to TrustZone kernel flaws affecting Qualcomm chipsets. The American chipmaker Qualcomm has its Snapdragon chipsets in millions of devices across the globe, so a security hole like this means lots of people's personal data could be at risk. On the brighter side, both Google and Qualcomm claim that they have already taken care of this issue through Android security patches released in January and May this year.


According to Beniamini, the issues are associated with vulnerabilities CVE-2015-6639 and CVE-2016-2431. Google says it took care of these two in January and May respectively, but it is possible that some Android users have yet to update their devices with the May security patch. If you haven't installed the May security patch, your device can be an easy target for those looking for your personal data, since the hole allows them to gain access to the unique encryption key for decrypting the device, but they'll still need to figure out your password first. The brute-force attack is the one that actually gives away the unique key.

Since Google and Qualcomm have both addressed these issues, it remains for you to ensure that your Android Marshmallow or Android Lollipop phone always stays updated with the latest monthly security patches.
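One way to check whether a device's reported security patch level covers the two fixes named above, as an added example that is not part of the original article. The function name and the threshold dates are assumptions: the dates are the patch levels of the January and May 2016 Android security bulletins, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: classify an Android security patch level against the two
# fixes the article mentions. Threshold dates are assumptions taken from the
# January and May 2016 Android security bulletins, not from the article text.

FIX_CVE_2015_6639="2016-01-01"   # January bulletin patch level (assumed)
FIX_CVE_2016_2431="2016-05-01"   # May bulletin patch level (assumed)

# Turn YYYY-MM-DD into YYYYMMDD so it can be compared as an integer.
to_num() { printf '%s' "$1" | sed 's/-//g'; }

# missing_fixes LEVEL  (hypothetical helper name)
# Prints "covered", a space-separated list of CVEs not yet fixed, or "unknown".
missing_fixes() {
    # adb output ends in CR/LF; strip it along with stray spaces.
    level=$(printf '%s' "$1" | tr -d '\r\n ')
    # Some Lollipop builds do not report a patch level at all. An empty or
    # malformed value is reported as unknown, never as covered.
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    n=$(to_num "$level")
    missing=""
    if [ "$n" -lt "$(to_num "$FIX_CVE_2015_6639")" ]; then
        missing="CVE-2015-6639"
    fi
    if [ "$n" -lt "$(to_num "$FIX_CVE_2016_2431")" ]; then
        missing="${missing:+$missing }CVE-2016-2431"
    fi
    echo "${missing:-covered}"
}

# Constructed sample values, so the script runs without a device attached.
for sample in "2015-12-01" "2016-04-02" "2016-05-01" ""; do
    printf '%-12s -> %s\n" "${sample:-<none>}' >/dev/null 2>&1
    printf '%-12s -> %s\n' "${sample:-<none>}" "$(missing_fixes "$sample")"
done

# With adb and a connected device, the real value can be passed in:
#   missing_fixes "$(adb shell getprop ro.build.version.security_patch)"
```

A result of "unknown" means the device did not report a usable patch level, so the installed build has to be checked against the vendor's update notes instead.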
