Samsung Shattered Encryption on 100M Phones
2022-02-23 21:29

Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year's Galaxy S21. Researchers at Tel Aviv University found what they called "severe" cryptographic design flaws that could have let attackers siphon the devices' hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that's found in smartphones.

In a paper entitled "Trust Dies in Darkness: Shedding Light on Samsung's TrustZone Keymaster Design" - written by Alon Shakevsky, Eyal Ronen and Avishai Wool - the academics explain that nowadays, smartphones control data that includes sensitive messages, images and files; cryptographic key management; FIDO2 web authentication; digital rights management data; data for mobile payment services such as Samsung Pay; and enterprise identity management.

Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, explained on Twitter that Samsung incorporated "serious flaws" in the way its phones encrypt key material in TrustZone, calling it "embarrassingly bad."

According to The Register, as of the researchers' disclosure of the flaws to Samsung in May 2021, nearly 100 million Samsung Galaxy phones were jeopardized.

Samsung issued another patch - to address CVE-2021-25490 - that removed the legacy blob implementation from devices including Samsung's Galaxy S10, S20 and S21 phones.

"Vendors including Samsung and Qualcomm maintain secrecy around their implementation and design of TZOSs and TAs," they wrote in their paper's conclusion.


News URL

https://threatpost.com/samsung-shattered-encryption-on-100m-phones/178606/

Related Vulnerability

Date: 2021-10-06
CVE: CVE-2021-25490
Vulnerability title: Unspecified vulnerability in Google Android 10.0/11.0/9.0
Description: A keyblob downgrade attack in keymaster prior to SMR Oct-2021 Release 1 allows attacker to trigger IV reuse vulnerability with privileged process.
Tags: local, low complexity, google
Risk: 6.0

Related vendor

Vendor: Samsung
Products: 1618
Low: 128
Medium: 354
High: 396
Critical: 74
Total vulns: 952