Researchers at Cambridge University have uncovered a critical vulnerability in Google’s Android OS. Over 500 million Android devices have a flawed implementation of the factory reset feature, leaving user data vulnerable. This weakness allows an attacker to access login credentials, contacts, emails, text messages and other information on the device even after the factory reset has done its wipe.
In determining the vulnerability, 21 devices were tested with Android versions spanning 2.3-4.3 from 5 different manufacturers. Each device had some old data that was recoverable and in 80% of cases, the master token, used to communicate with Google, was retrieved. Obtaining the token allowed the researchers to sync with Google servers for contacts, Gmail and Google Calendar. Tokens for other apps like Facebook were also retrieved after the reset.
The vulnerability arises from a number of factors. One of these is that the manufacturer, in creating their Android build, failed to supply the proper drivers to ensure the flash memory was wiped. Another factor is the inability of the OS to access all parts of storage due to the file system and flash controller. This is a factor inherent in how flash storage currently works, with the OS seeing less storage space than is actually being used by the device. More troubling is that full disk encryption fails to protect data as the decryption key is not wiped, allowing an attacker to first break the decryption key, then proceed to decrypt the device and it’s less than deleted contents.
Factory Reset is a critical function built into Android itself. It’s used when the phone is being retired, recycled or being resold as a way to prevent sensitive information from being passed on. The fact that such an important built-in function is so broken is troubling. It also raises issues with Android remote wiping function which likely has become less useful due to this vulnerability. For now, the only way to ensure security is to wipe storage repeatedly in hopes that all space will eventually get wiped or physical destruction of the device.
ColourPrimary ColourBlackMain radiator colour (cage)BlackMain radiator colour (fins)BlackDimensionsLength393 mmWidth120 mmHeight25.5 mmRadiator size360 mmRadiator SpecificationsFin density…
Compatible with the latest Intel and AMD CPUs Large 240mm radiator to dissipate heat Two…
Not a week goes by without a new game getting some form of DLSS or…
110% mechanical keyboard with 109 keys in a UK ISO layout V-silk PBT keycaps with…
Last week, Europe saw a spectacular rise in video game sales, particularly for Fallout 4,…
TEAMGROUP has unveiled the MP44Q M.2 PCIe 4.0 SSD, a cutting-edge addition to their lineup…