100 Million Samsung Phones Shipped With Flawed Encryption; Galaxy S8 to S21 Series Cryptographic Keys “Tri … – CPO Magazine

A recent study demonstrates a “severe” design flaw at the core of the cryptographic key structure of some 100 million Samsung phones, one that essentially “shatters” encryption on these devices.

The impacted phones are in the Samsung Galaxy series, beginning with the S8 (released in 2017) and ranging up to the S21 series released in early 2021. The study claims that the hardware-based cryptographic keys have an encryption process that is “trivial” to decode due to a predictable algorithm, and that it opens the door to attackers not just for theft of keys but for bypass of the fundamental security of the phone.

Samsung phones patched, but vulnerability reaches back years

The good news is that Samsung has issued a set of two patches for the impacted phones, well ahead of a planned presentation of the vulnerability at the upcoming USENIX Security 2022 symposium in August. The patches were apparently sent out in July 2021 after the researchers privately disclosed their findings. The scope of the vulnerability is massive, however, impacting Samsung’s line of flagship phones dating back just over five years.

“Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Keymaster Design”, published by a team of researchers from Tel Aviv University, details a means by which attackers can access the device’s hardware-based cryptographic keys that not only protect communications but also handle device security protocols (such as the FIDO2 web authentication standard and the data security for mobile payment services such as Samsung Pay). The researchers were additionally able to bypass Google’s Secure Key Import, which allows safe sharing of keys between servers and individual Android devices.

The issue is with the “TrustZone” technology employed in the ARM processor of Samsung phones. The researchers point out that the encryption algorithm is more than adequate, but the phone developers used it in an ineffective way. The impacted Samsung phones essentially make use of a single encryption key, but do not create a new “wrapping” for each new key instance. The encryption initialization vectors (IVs), the first step in the “randomization” process, are also chosen by an app layer that is not in TrustZone’s “secure area.”
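An added illustration, not code from the article, the researchers or Samsung: why one fixed wrapping key combined with an IV chosen by the untrusted caller defeats an otherwise sound cipher, shown beside a wrapper that draws the IV itself. The HMAC-based keystream is a standard-library stand-in for the real cipher, and every function name and sample value here is constructed for the example.

```python
import hashlib
import hmac
import os

# Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example runs with
# the standard library only. It is NOT the cipher used on the phones.
def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_caller_iv(wrapping_key: bytes, iv: bytes, secret: bytes) -> bytes:
    """Weak design: the untrusted caller picks the IV, so it can force a repeat."""
    return xor(secret, _keystream(wrapping_key, iv, len(secret)))

def wrap_internal_iv(wrapping_key: bytes, secret: bytes) -> tuple[bytes, bytes]:
    """Corrected design (assumed, generic): a fresh random IV for every blob."""
    iv = os.urandom(12)
    return iv, xor(secret, _keystream(wrapping_key, iv, len(secret)))

def leaks_relation(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when the two ciphertexts alone expose p1 XOR p2 (keystream reused)."""
    return xor(c1, c2) == xor(p1, p2)

def demo() -> tuple[bool, bool]:
    wrapping_key = os.urandom(32)   # constructed: the single fixed wrapping key
    known = b"A" * 32               # constructed: material the caller already knows
    hidden = os.urandom(32)         # constructed: material that should stay wrapped
    iv = bytes(12)                  # caller-chosen IV, repeated for both blobs
    c_known = wrap_caller_iv(wrapping_key, iv, known)
    c_hidden = wrap_caller_iv(wrapping_key, iv, hidden)
    weak = leaks_relation(c_known, c_hidden, known, hidden)
    _, f_known = wrap_internal_iv(wrapping_key, known)
    _, f_hidden = wrap_internal_iv(wrapping_key, hidden)
    fixed = leaks_relation(f_known, f_hidden, known, hidden)
    return weak, fixed

if __name__ == "__main__":
    print(demo())
```

With a repeated IV the keystream cancels out of the two ciphertexts, so the wrapping key never has to be attacked directly; with a wrapper-generated IV the same comparison yields nothing.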

This represents a fundamental failure in terms of how encryption is supposed to work. The hardware layer is supposed to be impenetrable even with significant effort, much less through a “trivial” process. This essentially renders Samsung phones in the Galaxy line from 2017 to 2021 completely insecure (Galaxy S8, S9, S10, S20, and S21 phones), at least until they are updated to security patches from July 2021 and beyond. The vulnerability requires an attacker to run code on the target device, something that would generally be done via a malicious link or attachment in a phishing message or email.

It is also necessary for these Samsung phone models to be running Android 9 at minimum for the patches to work. Android 9 was released in mid-2018, after the Galaxy …….

Source: https://www.cpomagazine.com/cyber-security/100-million-samsung-phones-shipped-with-flawed-encryption-galaxy-s8-to-s21-series-cryptographic-keys-trivial-to-expose/