RE: [Cryptography] Android Full Disk Encryption Broken - Extracting Qualcomm's KeyMaster Keys



Jeffrey Schiller <jis@mit.edu> writes:

>If you look at the exploit you will see it is a simple case of failing to
>check array/string bounds.

... which is exactly what was exploited in the 2013 attack, alongside a whole
boatload of other missing defensive features, no DEP, no ASLR, executable
stack, strcpy()s all over the place, it was described at the time as a "hack
like it's 1999" attack.  As I said in the previous post, security is more than
just a fancy name and a lot of marketing, you have to actually make an effort
to make it secure.

Oh, and given that this looks like a repeat of the same flaws from three years
ago, patching your insecure code also helps.

Peter.