Samsung quite often releases security updates for most of its devices, closing various security holes. However, it turned out that over the past few years, millions and millions of smartphones from the South Korean company have been in sale; with a critical security vulnerability that allows hackers to get valuable information from devices.
Researchers at the Tel Aviv University of Israel found that some Galaxy S8, Galaxy S9, Galaxy S10, Galaxy S20 and Galaxy S21 do not store cryptographic keys properly; allowing attackers to almost easily extract information stored in smartphone memory, including sensitive data such as passwords.
“ARM-based Android smartphones rely on the TrustZone hardware support for a Trusted Execution Environment (TEE) to implement security-sensitive functions. The TEE runs a separate, isolated, TrustZone Operating System (TZOS), in parallel to Android”.
Samsung shipped over 100 million smartphones with a critical security flaw
The full text of the report can be found here. The researchers described the ways in which they managed to bypass protection on Samsung devices. Most of the information is obscure to ordinary users who are not information security specialists. However, experts report that in most cases they should not be concerned.
“We expose the cryptographic design and implementation of Android’s Hardware-Backed Keystore in Samsung’s Galaxy S8, S9, S10, S20, and S21 flagship devices. We reversed-engineered and provide a detailed description of the cryptographic design and code structure, and we unveil severe design flaws. Also, we present an IV reuse attack on AESGCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack. We demonstrate working key extraction attacks on the latest devices. We also show the implications of our attacks on two higher-level cryptographic protocols between the TrustZone and a remote server: we demonstrate a working FIDO2 WebAuthn login bypass and a compromise of Google’s Secure Key Import”.
All of the issues mentioned are known to have been fixed by Samsung; which was aware of the vulnerability shortly after its discovery. The first patch was available in August 2021, and the vulnerability had a final fix with a security patch in October.
However, users should check for the latest updates. So, if Samsung has already stopped supporting the device; experts say users should try installing a custom ROM with a security patch.
“We discuss multiple flaws in the design flow of TrustZone based protocols. Although our specific attacks only apply to the about 100 million devices made by Samsung; it raises the much more general requirement for open and proven standards for critical cryptographic and security designs”.