Passwords insecure? More than 100 million Samsung devices affected

TL;DR

• According to a report, Samsung released Galaxy smartphones with a serious security vulnerability.
• More than 100 million devices are said to be affected.
• Storage of cryptographic keys faulty.

Ever since the release of the Samsung Galaxy S8, there has been a security problem with the smartphones from the South Korean manufacture that no one had any idea about until now. This bug ensured that the smartphones did not store cryptographic keys correctly. This allowed third parties to retrieve the keys without you noticing anything.

Such an exploit means that your passwords are not secure. The error occurred in the “Trust Zone OperatingSystem (TZOS)”, which is responsible for important security functions. The implementation of cryptographic functions in this system had flaws that made it possible to output passwords as plain text.

Countless devices affected

Since this bug has been around since the Samsung Galaxy S8 and impacts the S8, S9, S10, S20 and S21 series models, it could affect more than 100 million devices. Since no one knew about the exploit, no exact case number is known. You can read everything about the security leak in the researchers’ report.

We reversed-engineered and provide a detailed description of the cryptographic design and code structure, and we unveil severe design flaws. We present an IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack. – Alon Shakevsky and Eyal Ronen and Avishai Wool, University of Tel Aviv

In the meantime, Samsung has reacted and fixed the bug with two updates. However, it is not known whether there are other undetected errors. We can only hope that our passwords will be secure in the future.

What do you think about this bug? Do you think there could be more such bugs hidden? Let us know in the comments!