Passwords insecure? More than 100 million Samsung devices affected

Since the release of the Samsung Galaxy S8, there has been a security problem with smartphones from South Korea that nobody suspected until now. This error caused the smartphones to not save cryptographic keys correctly. This allowed third parties to retrieve the keys without you noticing.

Such an exploit will result in your passwords being insecure. The error occurred in the “Trust Zone Operating System (TZOS)”, which is responsible for important security functions. The implementation of the cryptographic functions in this system had bugs that made it possible to output passwords as plain text.

Countless devices affected

Since this bug has existed since the Samsung Galaxy S8 and affects the models of the S8, S9, S10, S20 and S21 series, the bug could affect more than 100 million devices. Since nobody knew anything about the exploit, no exact number of cases is known. You can read all about the security breach in the researchers’ report.

Through our analysis we unveiled severe cryptographic design flaws. We identified an IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack – Alon Shakevsky and Eyal Ronen and Avishai Wool, University of Tel Aviv

In the meantime, however, Samsung has reacted and fixed the error with two updates. However, it is not known whether there are other undetected errors. So we can only hope that our passwords will be safe in the future.

What do you think of the error? Do you think there could be more bugs like this hidden? Let us know in the comments!