100 million Samsung Galaxy devices vulnerable to cryptographic key hack

Getty Photographs

Researchers have observed “severe” security flaws in a extensive line of flagship smartphones created by Samsung whereby attackers can lift cryptographic keys.

Likely affecting all-around 100 million Samsung products including the Galaxy S21, Galaxy S20, and some others courting again to the Galaxy S8, attackers can remotely raise cryptographic keys to bypass security authentication benchmarks this kind of as FIDO2.

True-globe apps of the vulnerabilities could see attackers extracting keys utilized for protected payments this kind of as these built as a result of Google Pay, and bypassing FIDO2 authentication which is often made use of in put of account passwords.

The researchers from Tel-Aviv College shown how two possible actual-planet attacks can be executed on even the most up-to-date Samsung products. Reported attacks permitted the researchers to extract cryptographic keys from hardware-safeguarded things of the unit, and downgrade devices so that they’re vulnerable to these attacks, recognized as IV reuse attacks.

They discussed how ARM equipment use TrustZone technology which primarily splits a product into two areas: the ‘Normal World’ the place standard purposes on an working procedure (OS) like Android can run and the ‘Secure World’ which is fundamentally an isolated ecosystem in which only trustworthy apps, like those critical to device security, are supposedly capable to run.

The Android Keystore gives components-backed cryptographic critical management via the Keymaster Hardware Abstraction Layer (HAL) and this is executed in the Safe Globe of the TrustZone, the place procedures are not supposed to be accessed from the outside.

Cryptographic keys are guarded here utilizing the AES-GCM encryption conventional, but Samsung’s implementation of Keystore, which will allow keys to be retrieved and stored (even though wrapped by an encrypted layer) from the Safe Earth by apps functioning in the Usual Planet, is flawed.

This lets an attacker to predictably attain the cryptographic keys if they know the contents of just one plaintext sample encrypted employing AES-GCM. The encryption regular shields goods utilizing the similar critical and relies on special initialization vectors (IVs) by no means remaining reused. 

The researchers were capable to display how Samsung products had been vulnerable to the IV reuse attack, permitting attackers to assign IVs as component of the essential parameters.

In approaching the analysis, the teachers assumed an attacker could thoroughly compromise the Typical Entire world via mechanisms this kind of as malware granting root privileges. The attacker would not have to have to be ready to operate code in the Android kernel, just be able to execute code in the Android consumer method.

The researchers disclosed their findings to Samsung in August 2021 and the manufacturer addressed the issues by publishing the flaws to the Prevalent Vulnerabilities and Exposures (CVE) sign-up.

The original IV reuse attack is tracked as CVE-2021-25444 with a ‘high’ severity ranking, and patched in August 2021. 

The downgrade attack which permitted more recent products, this kind of as the Samsung Galaxy S20 and S21, to come to be susceptible to the IV reuse attack, was patched in October 2021 after its CVE (CVE-2021-25490) dealt with the issue for all equipment operating Android 9 or afterwards.

Although Samsung’s latest Galaxy S22 products are also dependent on ARM architecture, they will not ship with OS variations in advance of Android 9 as normal and as these will theoretically not be vulnerable to the researcher’s attack.

IT Pro has contacted Samsung for even more remark but it did not reply at the time of publication.

Some areas of this write-up are sourced from:
www.itpro.co.uk