More Than 100 Millions Samsung Flagship Smartphones Have A Serious Security Flaw

The Galaxy S is Samsung's flagship brand. Samsung phones using the branding name are the best Samsung can give at their time of launch.

But "best" is not perfect.

Academics at Tel Aviv University in Israel have found that Android-based Samsung phones were shipped with security design flaws.

According to the researchers' paper titled, "Trust Dies in Darkness: Shedding Light on Samsung's TrustZone Keymaster Design", the Samsung phones that include the Galaxy S8, Galaxy S9, Galaxy S10, Galaxy S20, and Galaxy S21, did not properly store their cryptographic keys properly.

Because of this, hackers could access information that contains sensitive data, like passwords, for example.

Making things worse, the vulnerability also gave malicious actors the ability to further exploit the bug by downgrading the phone’s security protocols.

Samsung
The TrustZone software and hardware isolation architecture. (Credit: Tel-Aviv University)

The report, written by Alon Shakevsky, Eyal Ronen and Avishai Wool, explained that modern smartphones control data that includes sensitive messages, images and files; cryptographic key management; FIDO2 web authentication; digital rights management (DRM) data; data for mobile payment services such as Samsung Pay; and enterprise identity management.

And the bug in question stemmed from the fact that most Android devices use Arm-compatible chips.

These chips rely on what it's called the Trusted Execution Environment (TEE). Supported by Arm's TrustZone technology, it is meant to keep sensitive security functions isolated from normal applications. These TEEs have their own operating system, called the TrustZone Operating System (TZOS), and it's up to vendors to implement the cryptographic functions within this operating system.

Then there is the Android Keystore, which offers hardware-backed cryptographic key management that can be used with the Keymaster Hardware Abstraction Layer (HAL).

Samsung implemented this HAL through a Trusted Application running in the TrustZone, called Keymaster TA, to carry out cryptographic operations like key generation, encryption, attestation, and signature creation in a secure environment.

Samsung however, failed to properly secure its Keymaster TA on its Galaxy S8, S9, S10, S20, and S21 phones.

The researchers managed to reverse engineered the Keymaster app and were capable of conducting an Initialization Vector (IV) reuse attack to obtain the keys.

These IV reuse attacks can screw with the encryption randomization. This makes the target not capable of generating distinct cyphertexts.

In total, the researchers estimated that there are at least 100 million Samsung devices vulnerable because of this.

[block:block=87]
Samsung
Simplified Secure Key Import: the “hacker” icons indicate the interception points used in the researchers' attack. (Credit: Tel-Aviv University)

The researchers responsibly disclosed their findings to Samsung back in May 2021.

Samsung fixed the issues by rolling out security patches to affected phones in July and October 2021.

According to Samsung, the list of patched devices also includes: S9, J3 Top, J7 Top, J7 Duo, Tab S4, Tab-A-S-Lite, A6 Plus, and A9S.

Samsung is considered among the largest smartphone makers in the world. The South Korean conglomerate company tends to be quick and vigilant when it comes to updating the security of its devices.

While Samsung Galaxy S series are among the most expensive phones in the market, and its security for phones on paper is solid, the findings suggest that no manufacturer is perfect.

Sometimes, bugs can be found, even after years.

Researchers warn that while the focus in this report is on the 100 million or so Samsung devices, what they found highlighted how important it is to keep operating systems and apps updated to their latest versions.

The researchers also highlight the need for proven and effective standards when it comes to distributing code for smartphone security.