According to researchers, Samsung made a mistake in implementing security mechanisms in its Galaxy S phones. These are therefore vulnerable to targeted attacks.
Samsung made a mistake in the security of its smartphones. This was discovered by researchers at Tel Aviv University. The Korean smartphone maker did not correctly implement security functionality in the processor. As a result, cryptographic keys are insufficiently protected. Hackers who have access to a device can recover those keys and use them to steal sensitive data or to fraudulently log in to websites.
Secure enclave
To perform sensitive functions, Android smartphones with Arm-compatible chips have a Trusted Execution Environment (TEE). That is an enclave on the chip that is shielded from the rest of the processor. The TEE runs on its own operating system: TrustZone Operating System (TZOS). It is up to phone manufacturers to properly integrate TZOS with their own version of Android.
If done correctly, the TEE takes care of encryption on the device, among other things. Cryptographic keys are stored in the phone’s ordinary memory, but are themselves additionally encrypted so that they are only readable inside the secure TEE environment. That extra encryption is done by Keymaster TA: an app that runs within TZOS in the TEE.
Poor implementation
Samsung made an error in the implementation of Keymaster TA, which means the encryption of cryptographic keys is not foolproof. Attackers can exploit that fact to gain access to the keys. That allows hackers to read secured data but also to bypass website security. The researchers showed how the bug allowed them to fraudulently log in to a website protected with FIDO2 WebAuthn.
The problem primarily affects older Samsung phones such as the Samsung Galaxy S8 and S9. The Galaxy S10, S20 and S21 use a better implementation, but the researchers were able to convince the Android operating system to fall back on the older, vulnerable version of the encryption, so those devices are also affected.
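To make the two ideas above concrete (keys that leave the TEE only in encrypted form, and a newer blob format that must not be silently swapped for a retired one), here is an added illustration written for this article. It is not Samsung's Keymaster TA code, and the blob layout (a 2-byte version field, a 12-byte nonce, then AES-GCM ciphertext and tag) is a constructed format for this example only. The wrapping key never leaves the `Wrapper`, every wrap uses a fresh nonce, the version field is authenticated as associated data so it cannot be edited in storage, and any blob below the configured minimum version is refused instead of being quietly accepted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed blob format for this example (not the real Keymaster blob layout):
//   version (2 bytes, big endian) || nonce (12 bytes) || AES-GCM ciphertext || 16-byte tag
const (
	blobVersionLegacy  uint16 = 1 // stands in for the older, retired format
	blobVersionCurrent uint16 = 2 // stands in for the current format
	nonceSize                 = 12
	headerSize                = 2 + nonceSize
)

// Wrapper models the part of the TEE that holds the device wrapping key.
// The key itself never leaves this struct; only wrapped blobs do.
type Wrapper struct {
	aead       cipher.AEAD
	seenNonces map[[nonceSize]byte]bool // guard: a nonce is never used twice with this key
	minVersion uint16                   // blobs below this version are refused (anti-downgrade)
}

func NewWrapper(wrappingKey []byte, minVersion uint16) (*Wrapper, error) {
	block, err := aes.NewCipher(wrappingKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Wrapper{aead: aead, seenNonces: map[[nonceSize]byte]bool{}, minVersion: minVersion}, nil
}

// Wrap encrypts an application key so it can be stored outside the TEE.
func (w *Wrapper) Wrap(plainKey []byte, version uint16) ([]byte, error) {
	if version < w.minVersion {
		return nil, errors.New("refusing to produce a blob in a retired format")
	}
	var nonce [nonceSize]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return nil, err
	}
	if w.seenNonces[nonce] {
		return nil, errors.New("nonce reuse detected; aborting wrap")
	}
	w.seenNonces[nonce] = true

	header := make([]byte, headerSize)
	binary.BigEndian.PutUint16(header, version)
	copy(header[2:], nonce[:])
	// The header is passed as associated data: changing the stored version
	// field later breaks the authentication tag.
	ct := w.aead.Seal(nil, nonce[:], plainKey, header)
	return append(header, ct...), nil
}

// Unwrap recovers the application key inside the TEE, refusing old formats and tampered blobs.
func (w *Wrapper) Unwrap(blob []byte) ([]byte, error) {
	if len(blob) < headerSize+w.aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	version := binary.BigEndian.Uint16(blob)
	if version < w.minVersion {
		return nil, fmt.Errorf("blob version %d below minimum %d: downgrade refused", version, w.minVersion)
	}
	header := blob[:headerSize]
	nonce := blob[2:headerSize]
	return w.aead.Open(nil, nonce, blob[headerSize:], header)
}

func main() {
	wrappingKey := bytes.Repeat([]byte{0x01}, 32) // constructed device key for the demo
	appKey := bytes.Repeat([]byte{0x42}, 32)      // constructed application key
	w, err := NewWrapper(wrappingKey, blobVersionCurrent)
	if err != nil {
		panic(err)
	}
	blob, _ := w.Wrap(appKey, blobVersionCurrent)
	out, err := w.Unwrap(blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(out, appKey))

	downgraded := append([]byte{}, blob...)
	binary.BigEndian.PutUint16(downgraded, blobVersionLegacy)
	_, err = w.Unwrap(downgraded)
	fmt.Println("downgraded blob refused:", err != nil)
}
```

The point of the minimum-version check is that the decision to reject a retired format is taken inside the TEE, where the wrapping key lives, rather than left to the operating system that asks for the unwrap.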
Patch
The researchers estimated that 100 million Samsung phones worldwide were vulnerable when they discovered the bug last year. They reported it to Samsung in May 2021, and the vulnerability was assigned CVE-2021-25444. In July, they shared the downgrade attack (CVE-2021-25490), in which Android is made to fall back on the older, weaker encryption. Samsung released the necessary patches for the Galaxy S10, S20 and S21 in October. Those who have installed that patch basically have nothing more to worry about. It is unclear how many devices are currently still vulnerable.