Samsung has shipped around 100 million smartphones with faulty or weak encryption

The Galaxy S21 Ultra is reputed to be one of the affected devices. (Image source: Denis Cherkashin)

Reportedly, Samsung has sent out tens of millions of smartphones with weak or faulty encryption. Estimates for the number of affected smartphones could reach 100 million and include all Galaxy S smartphones from the Galaxy S8 onwards. Samsung was made aware of the security issues nearly a year ago.

Alex Alderson, Published 03/02/2022 🇫🇷 🇪🇸 ...

Samsung makes a big thing of including Knox security on its smartphones; it even has a dedicated website to the platform. Supposedly, Samsung builds every Knox device 'from the hardware chip up to isolate, encrypt, and secure your data'. However, a recent paper from security researchers at Tel-Aviv University suggests that Samsung's security platform may not be as secure as it claims. In fact, Samsung may have shipped up to 100 million smartphones with faulty or weak encryption.

As The Register reports, Android smartphones rely on a Trusted Execution Environment (TEE) that isolates security functionality from regular apps. Additionally, TEEs operate on TrustZone (TZOS), a dedicated operating system away from Android. Individual vendors implement TZOS' cryptographic functions, such as Samsung, Sony and Xiaomi.

In the paper, the researchers explain that Samsung failed to properly implement a Trusted Application that stores cryptographic keys in TZOS. For reference, Samsung uses Keymaster TA to handle cryptographic operations, which talks to Android Keystore's Keymaster Hardware Abstraction Layer (HAL). Keymaster TA stores cryptographic keys as blobs that it encrypts using AES-GCM.

Theoretically, these keys should only be readable within the TEE. Unfortunately for Samsung, the researchers reversed engineered Keymaster TA and demonstrated that they could the keys using an Initialization Vector (IV) reuse attack. According to the researchers, Samsung flagship Galaxy S smartphones from the Galaxy S8 onwards are affected, including last year's Galaxy S21 series.

The researchers add that Samsung's weak encryption allowed them to bypass Google Secure Key Import and FIDO2-WebAuthn. In short, the bypass allowed them authentication on a website protected by the Android StrongKey application. Apparently, Samsung has already responded to the researcher's work with security patches, having been informed about the issues as early as May 2021.

Purchase the Samsung Galaxy Buds Pro on Amazon

Source(s)

IACR.org via The Register & phoneArena, Denis Cherkashin - Image credit

TP-Link has been caught sending network traffic to Avira without permission. (Image source: Digi.no)

TP-Link routers and Deco Wi-Fi mesh systems caught sharing traffic with third-party vendors 03/15/2022

Samsung has admitted that source code used for its Galaxy devices was recently stolen. (Image source: Babak via Unsplash)

Samsung confirms hack while alleged bad actors leak 190GB of data from the breach 03/07/2022

The Galaxy S22, Galaxy S22+ and Galaxy S22 Ultra rarely offer their full performance in popular applications. (Image source: NotebookCheck)

Samsung comments on Game Optimizing Service that could be setting performance limits on over 10,000 applications 03/04/2022

The Samsung Galaxy A13 4G is one of many upcoming Galaxy A series smartphones. (Image source: Roland Quandt)

Samsung Galaxy A13 4G, Galaxy A33 5G and Galaxy A53 5G prices leak for European countries 03/03/2022

This looks to be software-related. (Source: Reddit)

Early Samsung Galaxy S22 Ultra units may be having a display problem 02/21/2022

The Galaxy S22 and Galaxy S22+ never had 10-120 Hz displays. (Image source: NotebookCheck)

Samsung comes clean about Galaxy S22 and Galaxy S22+ display refresh rates 02/16/2022

The Galaxy S22 and Galaxy S22 Plus cannot live up to Samsung's original specifications. (Image source: Samsung)

Samsung admits that the Galaxy S22 and Galaxy S22+ have nearly 5x higher minimum display refresh rates than advertised 02/13/2022

The Galaxy Tab S8 Ultra is expected to cost at least €1,040. (Image source: Samsung)

Samsung lets slip the design of the Galaxy Tab S8 Ultra in support page blunder 01/20/2022

The Snapdragon 8 Gen 1 is the more-desired choice for potential Galaxy S22 buyers in Europe. (Image source: Samsung/Qualcomm/@OnLeaks - edited)

Samsung Exynos 2200 vs Snapdragon 8 Gen 1: Poll shows overwhelming majority wants a Snapdragon-powered Galaxy S22 in Europe 01/14/2022

There has been no definitive reason given for the postponement of the Exynos 2200. (Image source: Samsung/Unsplash - edited)

Shocking Exynos 2200 postponement leads to claim that Europe will get Snapdragon-powered Samsung Galaxy S22 phones 01/11/2022

The Samsung Exynos 2200 is purportedly struggling to keep up with the competition. (Image source: Qualcomm/Samsung/Apple/MediaTek - edited)

The "worst flagship processor": Samsung Exynos 2200 with AMD RDNA 2 GPU gets no love from noted leaker in deleted tweets 01/09/2022

The Samsung Galaxy Tab S8 Ultra's notch is at least more subtle than the iPhone 13's notch. (Image source: Apple/@OnLeaks - edited)

Snarky iPhone 13 notch-related tweet from September comes back to haunt Samsung following recent Galaxy Tab S8 Ultra leak 10/24/2021

The thin and foldable glass screen of Samsung's Galaxy Z Flip 3 can apparently still break for no apparent reason (Image: 9to5google)

Galaxy Z Flip 3: Review claims the display glass of Samsung's new foldable can break for no apparent reason 10/09/2021

Read all 2 comments / answer

Loading Comments

Comment on this article

Apple stops selling all products in...

Oppo Air Glass: AR glasses to go on...

Alex Alderson - Senior Tech Writer - 9924 articles published on Notebookcheck since 2018

Prior to writing and translating for Notebookcheck, I worked for various companies including Apple and Neowin. I have a BA in International History and Politics from the University of Leeds, which I have since converted to a Law Degree. Happy to chat on Twitter or Notebookchat.

contact me via: @aldersonaj

Please share our article, every link counts!

> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2022 03 > Samsung has shipped around 100 million smartphones with faulty or weak encryption

Alex Alderson, 2022-03- 2 (Update: 2022-03- 2)

Samsung has shipped around 100 million smartphones with faulty or weak encryption

Source(s)

Related Articles