Samsung shipped '100 million' phones with flawed encryption

2022-02-23 01:36

Academics at Tel Aviv University in Israel have found that recent Android-based Samsung phones shipped with design flaws that allow the extraction of secret cryptographic keys.

These TEEs run their own operating system, TrustZone Operating System, and it's up to vendors to implement the cryptographic functions within TZOS. The Android Keystore, the researchers explain, offers hardware-backed cryptographic key management via the Keymaster Hardware Abstraction Layer.

Samsung implemented the HAL through a Trusted Application running in the TrustZone called Keymaster TA, to carry out cryptographic operations like key generation, encryption, attestation, and signature creation in a secure environment.

The Keymaster TA stores cryptographic keys as blobs - the keys are wrapped so they can be stored in the file system of the Android environment.

"Surprisingly, we discovered that the Android client is allowed to set the IV when generating or importing a key," the paper stated.

What's more, they also managed to bypass Google's Secure Key Import, designed to let servers share keys securely with Android devices.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/02/23/samsung_encryption_phones/

#encryption #phone #samsung

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Samsung		1715	164	351	239	86	840