Samsung Electronics Co., Ltd. is a major manufacturer of electronic components, such as lithium-ion batteries, semiconductors, image sensors, camera modules, and displays. They are leading the global market in manufacturing mobile phones and smartphones, as well as a major vendor of tablet computers. The company has been the world’s largest television manufacturer since 2006, the world’s largest manufacturer of mobile phones since 2011, the world’s largest memory chip manufacturer from 2017 to 2018, and had been the largest semiconductor company in the world, briefly dethroning Intel, the decades-long champion.
The main obstacle to the data extraction from Samsung devices is that the user data is encrypted by default. Any modern Samsung smartphone uses encryption with a hardware-protected key, which cannot be disabled. Samsung devices released before 2019 use full-disk encryption (FDE).
What is FDE?
Android full-disk encryption is based on a dm-crypt kernel feature that works on a block device level. Because of this, encryption works with eMMC and similar flash devices presented to the kernel as block devices. On the first boot, the device generates a random master key and hashes it with the default passcode and the stored salt. The default passcode is “default_password”. However, the resulting hash is also signed via Trusted Execution Environment, such as TrustZone, which uses the signature hash to encrypt the master key. The signature is made using a hardware-protected key. When the user sets the PIN, pattern, or device password, only the master key gets re-encrypted and saved, meaning that no changes in PIN, pattern, or user password cause re-encryption of user data.
If the FDE is used, the master key will be required to decrypt the user data. To get it, the investigator will have to obtain the password and hardware-protected key to be able to execute code on the device with an increased privilege level.
It is worth noting that the master key will be encrypted using a user password, only if the Secure Startup mode is enabled in the settings. If it is disabled, the default passcode will be used when encrypting the master key. Thus, if the Secure Startup mode is disabled, which is the default setting in most Samsung devices, then the investigator does not need to know the password to decrypt user data.
On Samsung devices released since 2019, File-Based Encryption (FBE) has been used to encrypt user data. The use of FBE, in itself, is not new. It appeared in 2016 in the Google Pixel line devices running Android 7.0, however, Samsung, for some reason, continued to use FDE even in their top devices, such as the Galaxy S9, Note 9, and others.
File-based encryption includes a new feature called Direct Boot. It allows encrypted devices to load directly to the lock screen state, while enabling a number of services to run till the screen is unlocked. When file-based encryption is used, each file is encrypted with its own key at the file system level. Therefore, user data can be located in one of two storages:
- Credential Encrypted storage (CE) – the default storage, which is available only after the device has been unlocked
- Device Encrypted storage (DE) – a storage location available at the direct boot mode and after the device has been unlocked
Our file-based encryption approach does not support Secure Startup mode. Thus, to access CE storage the user password is always required.
Samsung devices that are based on Exynos chipsets have a vulnerability in sboot, which allows running a modified image on the device.Samsung devices that are based on Exynos chipsets have a vulnerability in sboot, which allows running a modified image on the device.
The list of the vulnerable SoCs:
- Exynos 3 Quad 3475
- Exynos 7 Octa 7420
- Exynos 7 Octa 7580
- Exynos 8 Octa 8890
- Exynos 7 Quad 7570
- Exynos 7 Octa 7870
- Exynos 7 Series 7880
- Exynos 7 Series 7885
- Exynos 9 Series 8895
- Exynos 7 Series 7884
- Exynos 7 Series 9610
- Exynos 9 Series 9810
- Exynos 9 Series 9820
- Exynos 7 Series 7904
- Exynos 7 Series 9611
- Exynos 9825
Loading the device using a modified image gives investigators increased access privileges up to root access. This vulnerability does not enable access to TrustZone contents including the encryption keys. However, with root privileges, an investigator can try an unlimited number of passwords or run password bruteforce automatically. It is worth noting that Samsung devices use additional security mechanisms, such as KNOX, Defex, and RKP, which are designed to limit the power of root rights. However, by modifying the boot image in a special way, it is possible to partially bypass them.
Oxygen Forensics has developed a solution which enables extraction of physical images, automated password bruteforce, and data decryption from FDE Samsung devices based on Exynos chipsets with Android versions 7 to 9. This method differs favorably from the Samsung Custom Recovery approach since the removal of FRP is not required and the KNOX-flag state remains unchanged.
The new method consists of two stages. During first stage, the image with limited functionality designed to extract the original boot image is uploaded to the device. During the second stage, the extracted original image is patched and then uploaded back to the device. After that, it becomes possible to run an automatic password bruteforce on the device as well as decryption of user data, if the password has been found or the Secure Startup mode is disabled. This division into stages enables fine-tuning of the solution, taking into account the features of different Android OS versions.
It is worth noting that the content of the CACHE partition is changed by the process. During the last stage of working with the device the initial CACHE state is restored.
In case of an emergency, such as a power failure, a faulty USB cable, etc., the device will remain in the special mode. Oxygen Forensic specialists have designed a special recovery procedure to restore the device functionality for such cases.
During the process, before making any changes to the CACHE partition, a full copy of it is saved on the PC, which allows returning the device to its original state regardless of the stage at which the failure occurred. If the failure occurred on the PC side during the process, the worst thing that will occur to the device will be the loss of the contents of the CACHE partition. However, this will not affect user data consistency or device performance in any way.