Don’t use any Samsung smartphone launched from 2017 till 2021 (including S21): Flawed encryption could expose your confidential data

Cybersecurity specialists report the detection of what they defined as “a critical cryptographic design flaw” affecting more than 100 million Samsung Galaxy smartphones sold from 2017 to date. According to the report, the successful exploitation of these flaws would have allowed threat actors to divert these hardware-based keys from the devices to access all its stored information.

Threat actors could also exploit flaws to degrade security protocols on affected devices in order to make them vulnerable to other hacking variants, impacting models from Galaxy S8 to the recently released Galaxy S21.

Experts begin by explaining that today’s smartphones control all kinds of confidential messages, cryptographic keys, authentication methods, mobile payments and other functions based on various technological implementations. The reported flaws mainly affect devices that use ARM’s TrustZone technology, the hardware support for Android smartphones that allows creating a reliable execution environment for the implementation of advanced security features.

TrustZone divides a phone into two parts: 

  • Normal World: Running regular tasks, such as Android OS
  • Secure World: Management of the security subsystem and space for sensitive device resources. This segment is only accessible to trusted applications with sensitive security features, including encryption

Samsung made some serious mistakes in designing the way its smartphones encrypt material stored in TrustZone, employing a single key and allowing IV reuse, in what they see as a design that allows for a trivial decryption process for some potential attackers. The report also specifies that Samsung employs AES-GCM on its devices, a reliable encryption algorithm but is implemented incorrectly, as this algorithm requires a random dataset for each new encryption operation, something that does not happen on Galaxy devices.

During testing, exploiting these bugs made it possible to extract information from the Safe World in TrustZone, which Samsung devices should identify as confidential and which should be protected with a reliable encryption algorithm.

This attack not only allows information to be extracted from TrustZone, but also allowed researchers to evade security standards such as FIDO2, exposing hundreds to hundreds of millions of people who have used these smartphones over the past five years. The researchers tried to contact Samsung to come up with a more accurate estimate.

In this regard, the company issued a patch for this security issue, tracked as CVE-2021-25444. The problem lies with Keymaster Trusted Applications, which performs cryptographic operations on secure world through some hardware components. Subsequently, the company issued a patch to address CVE-2021-25490, whose exploitation would allow a degradation attack to be deployed on the affected devices.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.