Samsung has shipped its smartphones with flawed encryption for years: the keys were barely protected.
Security researchers Alon Shakevsky, Eyal Ron and Avishai Wool of Tel Aviv University show that Samsung shipped millions of its smartphones with flawed key encryption. Their paper, “Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Keymaster Design”, was accepted at USENIX Security 2022.
Using reverse engineering, the researchers identified several weaknesses in the cryptographic design and in the code itself, among them in Samsung’s key-storage implementation built on ARM TrustZone. TrustZone is a hardware-isolated execution environment, separated from ordinary apps and from Android itself, reserved for particularly sensitive tasks such as backing the lock screen and storing cryptographic keys. A separate trusted operating system runs inside this isolated zone, and the key-handling code (the Keymaster trusted application) runs on top of it.
Protection of Samsung smartphones “embarrassingly bad”
Respected cryptographer Matthew Green commented on the flaw, calling Samsung’s implementation “embarrassingly bad”: decrypting the protected key material is “trivial”, and the extra protection the hardware is supposed to provide is practically non-existent.
So they could have derived a different key wrapper key for each key they protect. But instead, Samsung basically doesn’t. They then allow the application layer code to choose the encryption IVs. This allows trivial decryption. pic.twitter.com/fGHoY0YoZF
Matthew Green (@matthew_d_green), February 22, 2022
Full text of the tweet:
“Oh my gosh. The way Samsung phones encrypt keys in TrustZone is seriously flawed and embarrassingly bad. They used a single key and allowed IV (initialization vector) reuse.
So they could have derived a different key for each key they protect. But instead, Samsung doesn’t do that. They then allow the application layer code to choose the encryption IVs. This allows trivial decryption.”
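The tweet’s point (one wrapping key for every protected key, and an IV chosen by the caller) is easiest to see in code. The following Go program is an added example written for this page, not code from the researchers, from Samsung or from Green. It models the key-wrapping step as AES-GCM under a fixed, constructed key-wrapping key (a hypothetical stand-in; the real one is hardware-derived and never leaves TrustZone), runs the standard IV-reuse attack, in which the attacker imports a key of their own choosing with the same IV as the victim’s blob and XORs the two ciphertexts, and contrasts it with a wrapper that draws a fresh random IV inside the TEE. All key values and the IV are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed stand-in for the hardware-derived key-wrapping key (KEK). In a
// real Keymaster TA it never leaves TrustZone; it is fixed here only so the
// example runs offline. recoverVictimKey below never reads it.
var kek = []byte("constructed-kek!") // 16 bytes -> AES-128

const (
	ivSize  = 12 // standard GCM nonce size
	tagSize = 16 // GCM authentication tag appended to the ciphertext
)

func mustGCM() cipher.AEAD {
	block, err := aes.NewCipher(kek)
	if err != nil {
		panic(err) // cannot happen: kek is a fixed 16-byte value
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// wrapWithCallerIV models the flawed design from the tweet: one KEK for every
// blob, and the IV is supplied by the caller (Normal World code) rather than
// generated inside the TEE. Returns ciphertext || tag.
func wrapWithCallerIV(iv, keyMaterial []byte) []byte {
	if len(iv) != ivSize {
		panic(fmt.Sprintf("iv must be %d bytes", ivSize))
	}
	return mustGCM().Seal(nil, iv, keyMaterial, nil)
}

// wrapWithFreshIV is the corrected design: the TEE draws a random IV per blob
// and prepends it, so no caller can force two blobs onto one keystream.
// Blob layout: iv || ciphertext || tag.
func wrapWithFreshIV(keyMaterial []byte) []byte {
	iv := make([]byte, ivSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return mustGCM().Seal(append([]byte{}, iv...), iv, keyMaterial, nil)
}

// recoverVictimKey is the attacker's side. Two blobs wrapped under the same
// KEK and IV share GCM's CTR keystream, so
//     victimCT XOR attackerCT == victimKey XOR attackerKey,
// and the attacker knows attackerKey because they imported it themselves.
// Inputs are ciphertext || tag (no IV prefix); the KEK is never needed.
func recoverVictimKey(victimBlob, attackerBlob, attackerKey []byte) []byte {
	n := len(attackerKey)
	victimCT, attackerCT := victimBlob[:len(victimBlob)-tagSize], attackerBlob[:len(attackerBlob)-tagSize]
	if len(victimCT) < n || len(attackerCT) < n {
		return nil
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = victimCT[i] ^ attackerCT[i] ^ attackerKey[i]
	}
	return out
}

// Constructed sample data: the victim's 256-bit key (unknown to the attacker),
// the attacker's own key, and the IV the attacker copies from the victim blob.
var (
	victimKey   = []byte("victim-secret-key-32-bytes-long!")
	attackerKey = bytes.Repeat([]byte{0x41}, 32)
	sharedIV    = []byte("fixed-iv-12b")
)

// demoIVReuse runs the attack against the flawed wrapper and returns the
// recovered key alongside the real one.
func demoIVReuse() (recovered, actual []byte) {
	victimBlob := wrapWithCallerIV(sharedIV, victimKey)
	attackerBlob := wrapWithCallerIV(sharedIV, attackerKey)
	return recoverVictimKey(victimBlob, attackerBlob, attackerKey), victimKey
}

// freshIVAttackSucceeds repeats the attack against the corrected wrapper.
// Different random IVs mean different keystreams, so the XOR yields noise.
func freshIVAttackSucceeds() bool {
	victimBlob := wrapWithFreshIV(victimKey)
	attackerBlob := wrapWithFreshIV(attackerKey)
	got := recoverVictimKey(victimBlob[ivSize:], attackerBlob[ivSize:], attackerKey)
	return bytes.Equal(got, victimKey)
}

func main() {
	recovered, actual := demoIVReuse()
	fmt.Printf("flawed wrapper:   recovered=%x\n                  actual=   %x\n", recovered, actual)
	fmt.Printf("fresh-IV wrapper: attack succeeds=%v\n", freshIVAttackSucceeds())
}
```

Run with `go run`: against the flawed wrapper the recovered bytes equal the victim key, against the fresh-IV wrapper they do not. Note that GCM’s authentication tag offers no help here, because the attacker never forges a blob, only reads one. Green’s further suggestion, deriving a distinct wrapping key per protected key, would also defeat the attack, since the keystreams would then differ even for an identical IV; the example shows only the fresh-IV fix.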
More than 100 million Samsung smartphones affected
According to the researchers, the flawed implementation is present in several Samsung models, specifically the Galaxy S8, S9, S10, S20 and S21 series, which together account for more than 100 million devices.
A security update helps: Samsung was informed of the flaws in 2021 and has since fixed them (tracked as CVE-2021-25444 for the IV reuse and CVE-2021-25490 for a related downgrade attack that forced newer devices back onto the vulnerable blob format), at least on devices that are still receiving patches. If all current security updates are installed, the issue should no longer affect you; devices that have dropped out of Samsung’s update window remain vulnerable.