Security News

Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year's Galaxy S21. Researchers at Tel Aviv University found what they called "Severe" cryptographic design flaws that could have let attackers siphon the devices' hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that's found in smartphones. In a paper entitled "Trust Dies in Darkness: Shedding Light on Samsung's TrustZone Keymaster Design" - written by by Alon Shakevsky, Eyal Ronen and Avishai Wool - the academics explain that nowadays, smartphones control data that includes sensitive messages, images and files; cryptographic key management; FIDO2 web authentication; digital rights management data; data for mobile payment services such as Samsung Pay; and enterprise identity management.

Academics at Tel Aviv University in Israel have found that recent Android-based Samsung phones shipped with design flaws that allow the extraction of secret cryptographic keys. These TEEs run their own operating system, TrustZone Operating System, and it's up to vendors to implement the cryptographic functions within TZOS. The Android Keystore, the researchers explain, offers hardware-backed cryptographic key management via the Keymaster Hardware Abstraction Layer.

Croatian phone carrier 'A1 Hrvatska' has disclosed a data breach exposing the personal information of 10% of its customers, roughly 200,000 people. The announcement does not provide many details other than that they suffered a cybersecurity incident involving the unauthorized access of one of their user databases, which contained sensitive personal information.

Use a burner phone if you're traveling to the Olympics, the FBI warned on Tuesday, lest you come home with a nasty case of malware and/or snatched personal data. The FBI didn't mention specific threats, per se, but its alert warned those traveling to the February 2022 Beijing Winter Olympics and March 2022 Paralympics that we've seen this all before with the Olympics, where "Malicious cyber actors could use a broad range of cyber activities to disrupt these events."

Finland's Ministry for Foreign Affairs says devices of Finnish diplomats have been hacked and infected with NSO Group's Pegasus spyware in a cyber-espionage campaign. "Finnish diplomats have been targets of cyber espionage by means of the Pegasus spyware, developed by NSO Group Technologies, which has received wide publicity," the Ministry said in a statement published today.

An infosec pro fed up of having to follow tedious Twitter accounts to stay on top of cybersecurity developments has set up a website that phones you if there's a new vuln you really need to know about. Keeping up with fast-developing situations, such as the Log4j vuln and its iterations, is "Extraordinarily overwhelming," he told The Register - and he reckons relying on CVE number assignations is just too slow in this day and age.

Even when the mobile phone age arrived, the Chatter Phone retained its dial, its cheese-dish phone styling, and its sideways receiver. We don't how how or if you can dial the plus symbol for overseas calls, but many countries let you use a special digit sequence instead. So, the Chatter Telephone doesn't take a SIM card itself; instead, it pairs with a regular mobile phone and acts, if you like, as a sort of extension - a happy, smiley, cheerful, brightly coloured, child-like extension phone with an actual rotary dial.

A Bluetooth phone designed to evoke the carefree days of early childhood has been found to instead threaten the very adult prospect of being surveilled in your home. The phone is the Fisher Price Chatter Special Edition, a device that adds Bluetooth and a speaker to the smiling, brightly coloured, wheeled, rotary dial phone on which it's previously been possible to make calls only by using one's imagination.

You don't have to log into the network to use the phone - it happens in the background via the SIM. Moreover, the mobile subscriber identity is one of the most widely used forms of digital identity. Firstly, it merely proves the user has access to a phone number, potentially through social engineering, not possession of a physical security token / device.

Apple has warned at least nine US Department of State employees that their iPhones have been hacked by unknown attackers using an iOS exploit dubbed ForcedEntry to deploy Pegasus spyware developed by Israeli surveillance firm NSO Group. "On top of the independent investigation, NSO will cooperate with any relevant government authority and present the full information we will have," an NSO spokesperson separately told Motherboard.