At Defcon, Hackers Show How to Hack Your Android Phone Encryption

If you lose your Android phone, your data could find its way into the wrong hands, even if you have encryption turned on.

A pair of security researchers have found an easy way past the encryption on many Android phones.

The method isn’t a flaw in the Linux-based encryption system used in Android itself, but rather the fact that the passwords that protect the encryption tend to be rather weak.

That’s because Android uses the same password to decrypt the data on the phone as is used to unlock the device. People tend to use either short PIN numbers, simple patterns or easy-to-remember words. As a result, the encryption is fairly easily broken, through what is known as a brute-force attack.

“The encryption is good but you are able to brute-force it,” said Thomas Cannon, director of research and development for Chicago-based Viaforensics. Cannon highlighted the issue during a presentation at the Defcon hacker conference on Saturday.

Once unlocked, all the information in the user data partition is easily accessible.

An easy fix, Cannon told AllThingsD, is if Android were to incorporate two passwords — a strong one for decrypting a phone at boot-up, and a simpler, easy-to-remember one for unlocking the device.

“You only boot up your phone once in a while,” Cannon said.

Not all Android devices are vulnerable, Cannon said. First of all, Android didn’t even support encrypted data until Android 3.0, so there’s nothing to crack on devices before then — a user’s data is already unencrypted. The technique also relies on either devices without what’s known as an unlocked bootloader, or else ones that are easily unlocked.