Almost all modern smartphones support FBE(file-based encryption), and BFU state generally refer to a phone which is powered off, or has been rebooted without being unlocked at least once.
For a long time, I thought there was absolutely no way to bypass/exploit the encryption of BFU state since neither the encryption key nor the password reside anywhere in the phone, both in terms of hardware and software.
As a result, the only possible way to crack a BFU state phone would be to bypass the limit of maximum attempts and brute force until you find a correct password.
However, someone on a online forum who claims to be a person working in the field of forensics said it was possible to crack the BFU state phone without brute-forcing. Using zero-day exploits of the hardware(for Samsung, the Knox vault) and glitching the security chip with fib(focused ion beam? not sure what this means) of ~8 microvolts rendered the extraction of the encryption key(not the user password) possible.
He also mentioned rootkeys, DEK blobs, etc, but I do not have sufficient knowledge about Android’s FBE algorithm and its hardware implementation on samsung/pixel devices.
Can anyone elaborate more on this? If it’s true that even in BFU state, the encryption key itself is kept in a separate hardware, it might be possible to crack a BFU state phone (similar to how Bitlocker was cracked by physically extracting the keys stored in the TPM).
Not sure about other phones but iPhones and google pixels derive the key from your password, it’s not just sitting around waiting to be extracted. You can bypass the hardware rate limiting sometimes using methods like that though.
iOS, iPadOS, and visionOS support six-digit, four-digit, and arbitrary-length alphanumeric passcodes. Besides unlocking the device, a passcode or password provides entropy for certain encryption keys. This means an attacker in possession of a device can’t get access to data in specific protection classes without the passcode.
The passcode or password is entangled with the device’s UID, so brute-force attempts must be performed on the device under attack. A large iteration count is used to make each attempt slower. The iteration count is calibrated so that one attempt takes approximately 80 milliseconds. In fact, it would take more than five and one-half years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers.
The stronger the user passcode is, the stronger the encryption key becomes.
As others mentioned Android derives the encryption key partly from your password, so at least in theory the phone doesn’t have the complete key anywhere on it in a BFU state to be extracted even if exploited. Assuming what they are describing is true, it could be an attack e.g. where the key is still resident in RAM after a reboot, and they are able to exploit the BFU OS to extract it from there. It seems likely not exactly this because attacking the “security chip” was mentioned, but it could something along those lines where the secrets are being improperly handled leading to being extractable. It’s hard to give a good answer without knowing what exactly the person you’re referencing was saying, though.
I’m not an Android security expert, just an enthusiast, so I could also be wrong.