Published in News

Samsung botched encryption

by on25 February 2022

From the 2017 Galaxy S8 on up to last year's Galaxy S21

Samsung apparently shipped more than 100 million of its smartphones with the encryption borked.

Models ranging from the 2017 Galaxy S8 on up to last year's Galaxy S21 were shipped with design flaws which could have let attackers siphon the devices' hardware-based cryptographic keys.

The flaws were spotted by boffins at Tel Aviv University found what they called "severe" cryptographic design flaws that could have let attackers siphon the devices' hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that's found in smartphones.

The cyber attackers could even exploit Samsung's cryptographic missteps -- since addressed in multiple CVEs -- to downgrade a device's security protocols. That would set up a phone to be vulnerable to future attacks: a practice known as IV (initialisation vector) reuse attacks. IV reuse attacks screw with the encryption randomization that ensures that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts will each be distinct.

The design flaws ironically were in devices that use ARM's TrustZone technology which is hardware support provided by ARM-based Android smartphones for a Trusted Execution Environment (TEE) to implement security-sensitive functions.

Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, explained on Twitter that Samsung incorporated "serious flaws" in the way its phones encrypt key material in TrustZone, calling it "embarrassingly bad."

"They used a single key and allowed IV re-use. So they could have derived a different key-wrapping key for each key they protect," he continued. "But instead Samsung basically doesn't. Then they allow the app-layer code to pick encryption IVs." The design decision allows for "trivial decryption," Green  said.

Samsung responded to the academics' disclosure by issuing a patch for affected devices that addressed CVE-2021-25444: an IV reuse vulnerability in the Keymaster Trusted Application (TA) that runs in the TrustZone.
Keymaster TA carries out cryptographic operations in the Secure world via hardware, including a cryptographic engine. The Keymaster TA uses blobs, which are keys "wrapped" (encrypted) via AES-GCM. The vulnerability allowed for decryption of custom key blobs.

Then, in July 2021, the researchers revealed a downgrade attack -- one that lets attacker trigger IV reuse vulnerability with privileged process. Samsung issued another patch -- to address CVE-2021-25490 -- that changed the legacy blob implementation from devices including Samsung's Galaxy S10, S20 and S21 phones.


Last modified on 27 February 2022
Rate this item
(1 Vote)

Read more about: