If you have a Samsung Galaxy flagship smartphone from the S8 onwards, I have a serious security shock to impart: hackers found a way of extracting security keys and the most highly sensitive data protected by them from these flagship devices. In all, 100 million Samsung smartphones across five generations were impacted by a double-whammy of high-severity vulnerabilities determined to be exploitable by a team of security researchers.
Five generations of Samsung Galaxy smartphones found to be vulnerable to high-severity attack
I’ve written before about my patience running out with security updates taking too long to reach my Samsung Galaxy Note 10+. Indeed, that’s why I eventually jumped ship to the iPhone. Now delayed updates (and in my case that delay was often a month or two) have unsurprisingly been revealed to be a lot more than just annoying. Users of Samsung smartphones, including the S8, S9, S10, S20 and S21, have been warned that a high-severity vulnerability could enable hackers to extract security keys and the highly sensitive data secured by them. To reiterate, that’s a total of 100 million devices in all, including an incredible five generations of flagship Galaxy smartphones.
Hacking Samsung’s Smartphone Trusted Execution Environment
In a newly published paper, as first reported by Anil G at SamMobile, researchers based at the Tel-Aviv University in Israel have detailed how they managed to extract cryptographic keys remotely, the keys to the Samsung secure kingdom, bypass FIDO2 authentication and ultimately access highly sensitive data such as passwords.
Security researchers reverse-engineer the ‘secure world’ of Samsung Galaxy flagship smartphones
“Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Keymaster Design” reveals the methodology and outcomes in full technical glory. Security researchers Alon Shakevsky, Eyal Ronen and Avishai Wool explain how they could reverse engineer the cryptographic design and code structure of the TrustZone Operating System (TZOS), which forms part of the security-sensitive Trusted Execution Environment (TEE) of Galaxy smartphones. By so doing, they were then able to construct an exploit, an initialization vector (IV) reuse attack, to pull supposedly hardware-protected key material from the devices. But that wasn’t enough; they also went on to create another exploit, this time a ‘downgrade attack’, that meant the latest Samsung devices (running Android 9 or later) were vulnerable to this as well.
Whether you understand the technical detail or not, this is somber stuff indeed. Why so? Because a threat actor could, under certain circumstances, which I’ll come to in a moment, extract secure payment keys and bypass the FIDO2 authentication that replaces account passwords much of the time. Think of your smartphone as having two different operating systems: the normal world Android one that you see and where your apps run, and the fully isolated secure world where the most security-critical trusted apps live. The secure world contains cryptographic keys protected using AES-GCM encryption in a Keystore environment. The critical takeaway here is that while apps in the normal world can use these keys, they can only do so through the Samsung Keystore, which is, or rather which is supposed to be, secured up the wazoo.
Explaining that “the implementation of the cryptographic functions within the TZOS is left to the device vendors, who create proprietary undocumented designs,” this is where the researchers found shockingly severe flaws through a process of reverse-engineering.
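To show why an IV reuse flaw in an AES-GCM key-wrapping design is so damaging, and what the correct pattern looks like, here is an added example in Go; it is not code from the paper or from Samsung, and the key, nonce and plaintexts are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcmEncrypt seals plaintext under key with a caller-supplied 12-byte nonce
// and returns ciphertext||tag exactly as cipher.AEAD.Seal produces it.
func gcmEncrypt(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// RecoverFromIVReuse demonstrates the weakness: GCM is CTR mode underneath,
// so two blobs sealed under the same key and nonce share one keystream and
// c1 XOR c2 == p1 XOR p2. Knowing p1 therefore reveals p2 with no key at all.
func RecoverFromIVReuse(c1, c2, knownP1 []byte) []byte {
	const tagLen = 16 // GCM appends a 16-byte tag; never XOR into it
	n := len(knownP1)
	if len(c2)-tagLen < n {
		n = len(c2) - tagLen
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = c1[i] ^ c2[i] ^ knownP1[i]
	}
	return out
}

// SealFresh is the mitigation: a fresh random nonce for every wrap operation,
// returned alongside the ciphertext so it can be stored with the blob.
func SealFresh(key, plaintext []byte) (nonce, ct []byte, err error) {
	nonce = make([]byte, 12)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ct, err = gcmEncrypt(key, nonce, plaintext)
	return nonce, ct, err
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed key, not a real one
	c1, _ := gcmEncrypt(key, []byte("constructed!"), []byte("known blob A"))
	c2, _ := gcmEncrypt(key, []byte("constructed!"), []byte("secret key B"))
	fmt.Printf("%q\n", RecoverFromIVReuse(c1, c2, []byte("known blob A")))
}
```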
Is my Samsung Galaxy at risk from these exploits?
OK, earlier on, I mentioned that the vulnerabilities found, and the exploits created by the security researchers, could be executed under certain circumstances. They say good news arrives in threes, and this is where the first for owners of those five generations of Samsung Galaxy smartphones comes in. There have been no known exploits in the wild concerning either of the issued high-severity CVEs: CVE-2021-25444 and CVE-2021-25490.
The good news part two is that to pull off an attack successfully, a threat actor would need root or kernel privileges on the device. This can, however, be achieved using malware, as the researchers point out. So, don’t get too complacent just yet. Indeed, don’t get complacent at all if you haven’t applied security updates for a while, or can’t because your device is no longer supported.
The good news part three is that the researchers reported their findings to Samsung, which issued a security patch for the IV reuse attack vulnerability, CVE-2021-25444, in August 2021. In addition, CVE-2021-25490, the one covering the downgrade attack for devices running Android 9 or later, was patched in October 2021.
What should I do now?
If you own a Samsung Galaxy from the last five years, basically anything from the S8 to S21, then check you have the latest security updates installed.
Head to Settings|About Phone|Software Information and scroll to the bottom of the screen. If the Android security patch level and security software versions are both dated August 2021 or later, chill as you are already protected.
If your update information is showing July 2021 or before, you need to rectify this now by navigating to Settings|Software Update. Now select the ‘Download and Install’ option. Your update will now start to download, which could take a wee while.
Your security patch update could take a while, so be patient
Once your Samsung Galaxy has restarted you will be protected from this particular security threat
Once it has finished downloading, you can initiate the install, and after a restart, your device will be fully patched.
I have reached out to Samsung for a statement regarding these findings and will update this article should one be forthcoming.