What Experts Have To Say On Samsung Shipped 100 Mil+ Phones With Flawed Encryption

By   ISBuzz Team
Writer , Information Security Buzz | Feb 28, 2022 11:20 am PST

The Register is reporting Samsung shipped ‘100 million’ phones with flawed encryption. Researchers at TelAviv University demonstrated a method that could compromise the hardware security of over 100 million Samsung phones. Android-based Samsung phones had been shipped with design flaws that could allow the extraction of cryptographic keys.

… Samsung failed to implement Keymaster TA properly in its Galaxy S8, S9, S10, S20, and S21 phones. The researchers reverse engineered the Keymaster app and showed they could conduct an Initialization Vector (IV) reuse attack to obtain the keys from the hardware-protected key blobs.

The weak crypto was also used by the researchers to bypass FIDO2 WebAuthn, a way to use public-key cryptography, instead of passwords, to register for and authenticate to websites.

Notify of
2 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Damon Ebanks
Damon Ebanks , VP Marketing
February 28, 2022 7:20 pm

It’s important to understand the gravity of the situation because, if the researchers hadn’t uncovered this, Samsung’s users were facing a severe threat. If successful, malicious actors might gain access to the device\’s Normal World sector and install malware, as well as grant root rights to any programs. In addition, rather than running malware in the Android kernel, the attacker might just run code in the Android user mode.

However, it is a piece of good news that Samsung has created a patch for the affected devices and removed a legacy blob from s10, s20, and s21 devices.

Last edited 2 years ago by Damon Ebanks
Nasser Fattah
Nasser Fattah , Executive Advisor
February 28, 2022 7:18 pm

Often it is either an incorrectness with security implementation or misconfiguration that introduces vulnerabilities. Thus, it’s important to have an ongoing verification process, ideally an automated one that continuously checks for the expected security outcome(s), when installing and configuring security controls. Additionally, important to follow best practices, including using the latest commercially acceptable encryption algorithms, when implementing security controls. Anything less presents an opportunity for a bad actor to exploit.

Last edited 2 years ago by Nasser Fattah

Recent Posts

Would love your thoughts, please comment.x