Passwords insecure? More than 100 million Samsung devices affected

Samsung normally provides security updates for its Galaxy smartphones on a regular basis. However, such updates only help if the corresponding flaws are known. According to a recent report by Tel Aviv University, Samsung has shipped numerous phones with a critical security vulnerability from the factory.

  • According to a report, Samsung released Galaxy smartphones with a serious security vulnerability.
  • More than 100 million devices are said to be affected.
  • Cryptographic keys were stored incorrectly.

Since the release of the Samsung Galaxy S8, smartphones from the South Korean manufacturer have had a security problem that nobody suspected until now. Because of this flaw, the smartphones did not store cryptographic keys correctly, which allowed third parties to retrieve the keys without you noticing.

Such an exploit makes your passwords insecure. The flaw was in the “TrustZone Operating System (TZOS)”, which is responsible for important security functions. The implementation of the cryptographic functions in this system had bugs that made it possible to output passwords as plain text.

Countless devices affected

The bug has existed since the Samsung Galaxy S8 and affects the models of the S8, S9, S10, S20 and S21 series, so it could affect more than 100 million devices. Because nobody knew about the exploit, no exact number of cases is known. You can read all about the security flaw in the researchers’ report.

“Through our analysis we unveiled severe cryptographic design flaws. We identified an IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack.” – Alon Shakevsky, Eyal Ronen and Avishai Wool, University of Tel Aviv
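Why a repeated IV is so damaging for a counter-mode cipher such as AES-GCM, shown as an added example that is not code from the article, the researchers or Samsung: two messages encrypted under the same key and IV share one keystream, so knowing one plaintext reveals the other, and a guard that refuses a repeated IV closes that gap. Assumptions: a SHA-256 counter keystream stands in for AES to keep the demo standard-library only, the GCM authentication tag is left out, and all function names and sample values are constructed.

```python
import hashlib

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Counter-mode keystream. SHA-256 stands in for the AES block cipher
    # (assumption, to stay stdlib-only); GCM encrypts in counter mode too.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Confidentiality part only; the GCM authentication tag is omitted.
    return xor(plaintext, keystream(key, iv, len(plaintext)))

def recover(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    # Same key and IV => same keystream, so C1 xor P1 decrypts C2.
    return xor(c_target, xor(c_known, p_known))

class NonceGuard:
    """Mitigation sketch: refuse a second encryption under the same IV."""
    def __init__(self, key: bytes):
        self._key, self._seen = key, set()

    def encrypt(self, iv: bytes, plaintext: bytes) -> bytes:
        if iv in self._seen:
            raise ValueError("IV already used with this key")
        self._seen.add(iv)
        return encrypt(self._key, iv, plaintext)

# Constructed sample values, not taken from any device or from the report.
KEY = bytes(range(16))
IV = bytes(12)
SECRET = b"constructed-protected-key"
KNOWN = b"A" * len(SECRET)

if __name__ == "__main__":
    c_secret = encrypt(KEY, IV, SECRET)
    c_known = encrypt(KEY, IV, KNOWN)          # IV repeated: the flaw
    print(recover(c_known, KNOWN, c_secret))   # equals SECRET
    guard = NonceGuard(KEY)
    guard.encrypt(IV, SECRET)
    try:
        guard.encrypt(IV, KNOWN)
    except ValueError as err:
        print("rejected:", err)
```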

In the meantime, however, Samsung has reacted and fixed the error with two updates. However, it is not known whether there are other undetected errors. So we can only hope that our passwords will be safe in the future.

What do you think of the error? Do you think there could be more bugs like this hidden? Let us know in the comments!
