Samsung shipped millions of Galaxy devices with flawed encryption



Samsung has reportedly shipped at least 100 million Android smartphones with a security flaw that could have allowed attackers to extract cryptographic keys, and the data those keys protect, from the devices.

The flaw, discovered by researchers at Tel Aviv University, lies in the way certain Samsung Galaxy devices wrap (encrypt) cryptographic keys for storage inside the ARM TrustZone-based Keymaster. It affects Galaxy S8, Galaxy S9, Galaxy S10, Galaxy S20, and Galaxy S21 models.

TrustZone is a technology that protects sensitive information by isolating it in hardware from the primary operating system. On Samsung devices, the TrustZone Operating System (TZOS) runs alongside Android and hosts the trusted applications, such as Keymaster, that perform security-sensitive tasks and cryptographic operations kept separate from normal apps.

The vulnerability has wide-ranging implications for users. An attacker could use the flaw to extract cryptographic keys that are supposed never to leave the secure hardware, and with them decrypt or sign data on the user's behalf. The Tel Aviv University researchers also leveraged the issue to bypass hardware-backed two-factor authentication (FIDO2 WebAuthn).
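The article does not say what the "flawed encryption" actually was. The researchers' paper reports that the Keymaster trusted application wrapped keys with AES-GCM using an initialization vector (IV) the attacker could choose, so two keys could be wrapped under the same key-encryption key and the same IV. Counter-mode ciphers such as GCM turn a repeated (key, IV) pair into a repeated keystream, and XORing two such ciphertexts cancels the keystream out. The example below is added here to show that recovery step; it is not Samsung's or the researchers' code. It models the counter-mode keystream with HMAC-SHA256 instead of AES so it runs with the standard library alone (an assumption that changes nothing about the XOR argument), and all keys and blobs are constructed sample values.

```python
"""Why a reused IV breaks counter-mode key wrapping (added illustration).

AES-GCM, used by the Keymaster to wrap keys, encrypts with a keystream
derived from (key, IV, counter). Same key + same IV = same keystream.
This stand-alone model replaces AES with HMAC-SHA256 as the block PRF
(an assumption made so the script needs no third-party library); the
XOR recovery below is exactly what IV reuse enables in the real cipher.
"""
import hashlib
import hmac
import os


def keystream(kek: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: block_i = PRF(kek, iv || i). Stand-in for AES-CTR/GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_key(kek: bytes, iv: bytes, key_material: bytes) -> bytes:
    """Weak pattern: the caller chooses the IV, so two wraps can share it."""
    ks = keystream(kek, iv, len(key_material))
    return bytes(a ^ b for a, b in zip(key_material, ks))


def wrap_key_fresh_iv(kek: bytes, key_material: bytes) -> tuple:
    """Hardened pattern: a fresh random IV per wrap, stored alongside the blob."""
    iv = os.urandom(12)
    return iv, wrap_key(kek, iv, key_material)


def recover_from_iv_reuse(blob_known: bytes, known_plain: bytes, blob_target: bytes) -> bytes:
    """If both blobs share (kek, iv): c1 ^ c2 == p1 ^ p2, hence p2 = c1 ^ c2 ^ p1."""
    if not (len(blob_known) == len(known_plain) == len(blob_target)):
        raise ValueError("blobs must be the same length for a keystream-cancelling XOR")
    return bytes(a ^ b ^ c for a, b, c in zip(blob_known, known_plain, blob_target))


def demo_iv_reuse() -> tuple:
    """Returns (attack works with reused IV, attack works with fresh IVs)."""
    # Constructed sample values. The KEK lives inside the TEE; the attacker never sees it.
    kek = hashlib.sha256(b"constructed device KEK").digest()
    victim_key = hashlib.sha256(b"constructed victim key").digest()
    attacker_key = bytes(range(32))  # attacker knows this because they chose it

    # 1. Reused IV: the victim's blob and an attacker-chosen wrap share (kek, iv).
    reused_iv = bytes(12)
    victim_blob = wrap_key(kek, reused_iv, victim_key)
    attacker_blob = wrap_key(kek, reused_iv, attacker_key)
    recovered = recover_from_iv_reuse(attacker_blob, attacker_key, victim_blob)

    # 2. Fresh IV per wrap: the keystreams differ, so the XOR no longer cancels.
    _, victim_blob_ok = wrap_key_fresh_iv(kek, victim_key)
    _, attacker_blob_ok = wrap_key_fresh_iv(kek, attacker_key)
    recovered_ok = recover_from_iv_reuse(attacker_blob_ok, attacker_key, victim_blob_ok)

    return recovered == victim_key, recovered_ok == victim_key


if __name__ == "__main__":
    print("reused IV leaks victim key:", demo_iv_reuse()[0])
    print("fresh IV leaks victim key:", demo_iv_reuse()[1])
```

The attacker needs no knowledge of the key-encryption key at all; being able to obtain one wrapped blob of known content under the same IV as the target is enough. The fix is the one the hardened function shows: the wrapping code, not the caller, must generate a unique IV for every wrap.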

The researchers reported the vulnerability to Samsung in May 2021. The South Korean smartphone maker patched the flaw in August 2021, so it should no longer affect Galaxy devices running current security updates.

Given the severity of the flaw, Android users who own one of the affected devices and haven't updated their phones recently should do so as soon as possible.

The researchers plan to present their findings in a paper at the Real World Crypto and USENIX Security conferences in 2022.