Security experts are warning that around 100 million Samsung Galaxy devices, including S21 phones, are at risk from a “severe” security vulnerability. Samsung phones across five generations, ranging from the Galaxy S8 to the S21, are allegedly at risk from the flaw, which could let hackers steal keys used for secure payments made through systems like Google Pay and Samsung Pay. The flaw had remained undiscovered for years, until researchers from Tel-Aviv University found it.
Security experts in Israel demonstrated two real-world attacks that could be carried out taking advantage of the flaw.
In the tests, the researchers were able to steal highly sensitive information from Samsung devices that was supposedly protected at the hardware level itself.
Besides crucial data relating to payment systems, researchers were also able to bypass FIDO2 authentication to access passwords.
Thankfully, despite the risk this flaw has posed in the years it has existed, bad actors did not discover it themselves.
Researchers from Tel-Aviv notified Samsung about the threat last year, with the necessary fixes released in August 2021.
To stay safe, if your Android phone shows a security patch level of July 2021 or earlier, you need to install the latest updates as soon as possible.
Speaking about the researchers’ findings, a spokesperson for Samsung said: “Samsung takes the security of Galaxy devices seriously. We are constantly looking for ways to enhance the security of our products and welcome any input from research communities. The reported issue was acknowledged and has been addressed through security updates since August 2021. We recommend our users to keep their devices updated with the latest software to enjoy safe and convenient Galaxy mobile experiences.”
After the flaw was discovered, one security expert described the news as “embarrassingly bad” for Samsung, while another said the South Korean tech giant had committed a “cardinal sin”.
Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, said on Twitter: “Ugh god. Serious flaws in the way Samsung phones encrypt key material in TrustZone and it’s embarrassingly bad. They used a single key and allowed IV re-use.”
Paul Ducklin, principal research scientist at Sophos, told ThreatPost that Samsung coders had committed a “cardinal cryptographic sin”.
Others said cryptography, which is the means used for secure communication in tech, is inherently complex.
Mike Parkin, from Vulcan Cyber, said: “It is by nature complex and the number of people who can do proper analysis, true experts in the field, is limited.
“A properly designed and implemented encryption scheme relies on the keys and remains secure even if an attacker knows the math and how it was coded, as long as they don’t have the key.”
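The two quotes above make a concrete cryptographic point: a scheme is meant to stay secure with the key as the only secret, yet a single key combined with IV re-use undoes that, because the cipher's keystream depends only on the (key, IV) pair. The following is an added example, not Samsung's code and not a description of its Keymaster implementation. It uses a constructed counter-mode stream cipher built from HMAC-SHA256 as a stand-in for AES-GCM's confidentiality layer (which shares the property being demonstrated), shows what an observer learns from two ciphertexts under a repeated (key, IV) without ever holding the key, and then shows a hypothetical `KeyWrapper` service that generates IVs internally and refuses any repeat. Key and plaintext values are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the cipher: a counter-mode stream cipher whose
# keystream blocks are HMAC-SHA256(key, iv || counter). This is NOT AES-GCM and
# NOT Samsung's code; it is used because it shares the property at issue:
# the keystream depends only on (key, IV), so a repeated pair repeats it.


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from (key, iv) in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: C = P xor keystream(key, iv). Decryption is identical."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """What an observer learns WITHOUT the key when two messages share (key, IV):
    C1 xor C2 == P1 xor P2, because the identical keystream cancels out."""
    return xor_bytes(c1, c2)


def recover_second_plaintext(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """If one plaintext is known (e.g. a predictable header), the other follows:
    P2 = C2 xor (C1 xor P1). Still no key needed. This is why 'the key is the
    only secret' stops holding once the IV repeats."""
    return xor_bytes(c2, xor_bytes(c1, p1))


class IvReuseError(Exception):
    """Raised when a caller tries to wrap under an already-used (key, IV) pair."""


class KeyWrapper:
    """Hypothetical key-wrapping service (constructed for this example, not a real API).

    Two mitigations are shown:
      * IVs are generated inside the service, never taken from the caller, so a
        caller cannot force a repeat;
      * every (key_id, IV) pair ever used is recorded, so a repeat is refused
        even if the random source misbehaves or a legacy path supplies the IV.
    """

    IV_LEN = 12

    def __init__(self, keys: dict):
        self._keys = dict(keys)
        self._used = set()

    def wrap(self, key_id: str, secret: bytes):
        """Normal path: fresh random IV chosen here, returned alongside the ciphertext."""
        iv = os.urandom(self.IV_LEN)
        return iv, self.wrap_with_iv(key_id, iv, secret)

    def wrap_with_iv(self, key_id: str, iv: bytes, secret: bytes) -> bytes:
        """Caller-supplied-IV path: tolerated only for a never-before-seen pair."""
        pair = (key_id, bytes(iv))
        if pair in self._used:
            raise IvReuseError(f"IV already used with key {key_id!r}")
        self._used.add(pair)
        return encrypt(self._keys[key_id], iv, secret)


def demo() -> dict:
    """Reproducible demonstration with constructed, fixed values."""
    key = b"\x11" * 32                 # constructed key; never leaves this function
    iv = b"\x00" * 12                  # the IV that gets reused
    p1 = b"PAN=4111111111111111"       # constructed sample secrets of equal length
    p2 = b"PAN=5555555555554444"
    c1 = encrypt(key, iv, p1)
    c2 = encrypt(key, iv, p2)           # same key, same IV: the cardinal sin
    c2_fresh = encrypt(key, b"\x01" * 12, p2)  # same key, fresh IV
    return {
        "leak_equals_p1_xor_p2": xor_of_plaintexts(c1, c2) == xor_bytes(p1, p2),
        "p2_recovered_without_key": recover_second_plaintext(c1, p1, c2) == p2,
        "fresh_iv_breaks_relation": xor_bytes(c1, c2_fresh) != xor_bytes(p1, p2),
    }


if __name__ == "__main__":
    print(demo())
```

The check `fresh_iv_breaks_relation` is the defender's half of the story: with a distinct IV the two keystreams differ and the ciphertext XOR no longer reveals anything about the plaintexts, which is exactly the property a key store protects by owning IV generation and auditing for repeats rather than trusting callers.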
Published at Sun, 27 Feb 2022 07:30:00 +0000