The Register is reporting that Samsung shipped ‘100 million’ phones with flawed encryption. Researchers at Tel Aviv University demonstrated a method that could compromise the hardware security of over 100 million Samsung phones. The Android-based Samsung phones had been shipped with design flaws that could allow the extraction of cryptographic keys.
… Samsung failed to implement Keymaster TA properly in its Galaxy S8, S9, S10, S20, and S21 phones. The researchers reverse engineered the Keymaster app and showed they could conduct an Initialization Vector (IV) reuse attack to obtain the keys from the hardware-protected key blobs.
The weak crypto was also used by the researchers to bypass FIDO2 WebAuthn, a way to use public-key cryptography, instead of passwords, to register for and authenticate to websites.
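Why IV reuse matters for wrapped key blobs, as an added example (not the researchers' code and not Samsung's implementation): when two blobs are encrypted under the same key and IV, the keystream cancels out, so knowing one plaintext reveals the other without ever seeing the wrapping key. The SHA-256 counter-mode keystream is a stand-in cipher chosen so the example runs with the standard library only; `wrap`, `reused_ivs` and all sample values are hypothetical and constructed.

```python
import hashlib
import os
from collections import Counter

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in stream cipher (assumption): SHA-256 in counter mode."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(key: bytes, iv: bytes, secret: bytes) -> bytes:
    """Hypothetical blob wrapper: ciphertext = secret XOR keystream(key, iv)."""
    return xor(secret, keystream(key, iv, len(secret)))

def unmask(blob_known: bytes, known_secret: bytes, blob_target: bytes) -> bytes:
    """If both blobs share (key, IV): c1 ^ c2 == p1 ^ p2, so p2 = c1 ^ c2 ^ p1."""
    return xor(xor(blob_known, blob_target), known_secret)

def reused_ivs(blobs):
    """Defender's check: return IVs that appear on more than one stored blob."""
    counts = Counter(iv for iv, _ in blobs)
    return sorted(iv for iv, n in counts.items() if n > 1)

def demo():
    wrapping_key = os.urandom(32)                  # stays on the protected side
    target = b"target-key-material-32-bytes!!!!"   # constructed sample secret
    known = b"A" * len(target)                     # plaintext the observer knows
    fixed_iv = b"\x00" * 12
    # Flawed: both blobs wrapped under the same IV.
    weak = [(fixed_iv, wrap(wrapping_key, fixed_iv, known)),
            (fixed_iv, wrap(wrapping_key, fixed_iv, target))]
    # Corrected: a fresh random IV for every blob.
    iv1, iv2 = os.urandom(12), os.urandom(12)
    safe = [(iv1, wrap(wrapping_key, iv1, known)),
            (iv2, wrap(wrapping_key, iv2, target))]
    leaked_weak = unmask(weak[0][1], known, weak[1][1]) == target
    leaked_safe = unmask(safe[0][1], known, safe[1][1]) == target
    return leaked_weak, leaked_safe, reused_ivs(weak), reused_ivs(safe)

if __name__ == "__main__":
    print(demo())
```

The corrected path never lets the IV repeat under one wrapping key, and the `reused_ivs` audit flags stored blobs that violate that rule.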
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.