IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

100 million Samsung Galaxy devices vulnerable to cryptographic key hack

Widespread flaws in hardware-backed key management could enable hackers to bypass FIDO2 authentication

Researchers have found “severe” security flaws in a long line of flagship smartphones made by Samsung whereby attackers can lift cryptographic keys.

Potentially affecting around 100 million Samsung devices including the Galaxy S21, Galaxy S20, and others dating back to the Galaxy S8, attackers can remotely lift cryptographic keys to bypass security authentication standards such as FIDO2.

Real-world applications of the vulnerabilities could see attackers extracting keys used for secure payments such as those made through Google Pay, and bypassing FIDO2 authentication which is often used in place of account passwords.

The researchers from Tel-Aviv University demonstrated how two feasible real-world attacks can be performed on even the latest Samsung devices. Said attacks allowed the researchers to extract cryptographic keys from hardware-protected elements of the device, and downgrade devices so that they’re vulnerable to these attacks, known as IV reuse attacks.

They explained how ARM devices use TrustZone technology which essentially splits a device into two parts: the ‘Normal World’ where normal applications on an operating system (OS) like Android can run; and the ‘Secure World’ which is essentially an isolated environment in which only trusted applications, like those critical to device security, are supposedly able to run.

The Android Keystore provides hardware-backed cryptographic key management via the Keymaster Hardware Abstraction Layer (HAL) and this is implemented in the Secure World of the TrustZone, where processes are not supposed to be accessed from the outside.

Cryptographic keys are protected here using the AES-GCM encryption standard, but Samsung’s implementation of Keystore, which allows keys to be retrieved and stored (while wrapped by an encrypted layer) from the Secure World by apps operating in the Normal World, is flawed.

This allows an attacker to predictably obtain the cryptographic keys if they know the contents of one plaintext sample encrypted using AES-GCM. The encryption standard protects items using the same key and relies on unique initialization vectors (IVs) never being reused. 

The researchers were able to show how Samsung devices were vulnerable to the IV reuse attack, allowing attackers to assign IVs as part of the key parameters.

In approaching the research, the academics assumed an attacker could fully compromise the Normal World through mechanisms such as malware granting root privileges. The attacker would not need to be able to run code in the Android kernel, just be able to execute code in the Android user mode.

The researchers disclosed their findings to Samsung in August 2021 and the manufacturer addressed the issues by publishing the flaws to the Common Vulnerabilities and Exposures (CVE) register.

The initial IV reuse attack is tracked as CVE-2021-25444 with a ‘high’ severity rating, and patched in August 2021. 

The downgrade attack which allowed newer devices, such as the Samsung Galaxy S20 and S21, to become vulnerable to the IV reuse attack, was patched in October 2021 after its CVE (CVE-2021-25490) addressed the issue for all devices running Android 9 or later.

Although Samsung's latest Galaxy S22 devices are also based on ARM architecture, they will not ship with OS versions before Android 9 as standard and as such will theoretically not be vulnerable to the researcher's attack.

"Samsung takes the security of Galaxy devices seriously. We are constantly looking for ways to enhance the security of our products and welcome any input from research communities," the company told IT Pro.

"The reported issue was acknowledged and has been addressed through security updates since August 2021. We recommend our users to keep their devices updated with the latest software to enjoy safe and convenient Galaxy mobile experiences."

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Samsung Galaxy S22 Ultra review: A noteworthy flagship
Mobile Phones

Samsung Galaxy S22 Ultra review: A noteworthy flagship

18 May 2022
Best smartphone 2022: The top handsets from Apple, Samsung, Google and more
Mobile

Best smartphone 2022: The top handsets from Apple, Samsung, Google and more

8 Apr 2022
Samsung Galaxy Book Go review: A galactic disappointment
Laptops

Samsung Galaxy Book Go review: A galactic disappointment

8 Apr 2022
Samsung Galaxy Book2 Pro 360 hands-on review: 360 degrees of portability
Laptops

Samsung Galaxy Book2 Pro 360 hands-on review: 360 degrees of portability

28 Feb 2022

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Preparing for the 3G sunset
Network & Internet

Preparing for the 3G sunset

18 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022