Samsung shipped millions of Galaxy devices with flawed encryption

By Mike Peterson

Samsung has reportedly shipped at least 100 million Android smartphones with a security flaw that could have allowed attackers to extract sensitive and encrypted information from the devices.

Some of the affected devices in the Galaxy S21 lineup. Credit: Samsung

The flaw, discovered by researchers at Tel Aviv University, lies in how the Keymaster trusted application on certain Samsung Galaxy devices wraps cryptographic keys inside ARM TrustZone. Key material is encrypted with AES-GCM under a device-bound hardware key before being handed back to Android for storage as a "key blob", and the wrapping allowed the same IV to be reused across blobs, which breaks AES-GCM's confidentiality. It affects Galaxy S8, Galaxy S9, Galaxy S10, Galaxy S20, and Galaxy S21 models.

TrustZone is an ARM technology that protects sensitive data by isolating it in hardware from the primary operating system. On Samsung devices, the TrustZone Operating System (TZOS) runs alongside Android and hosts trusted applications that perform sensitive security tasks and cryptographic operations, kept separate from normal applications; the Keymaster TA, which backs Android's hardware-backed keystore, is one of them.

The vulnerability has wide-ranging implications for users. An attacker who recovers a wrapped key can decrypt or forge anything that key protects, such as passwords stored on the device. The Tel Aviv University researchers also used the issue to bypass FIDO2 WebAuthn, a hardware-backed form of two-factor authentication, and Google's Secure Key Import.
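The reported weakness was IV reuse: the Keymaster TA accepted a caller-supplied IV when wrapping a key blob, so an attacker who can read a target blob (and its IV) from normal-world storage can import a known key under the same IV and XOR the two blobs together. The script below is an added illustration, not code from the paper or from Samsung's TA. It replaces AES with an HMAC-SHA256 counter keystream (a constructed stand-in that keeps the one property that matters here: the keystream depends only on key and IV), and the hardware key value, the blob layout, and the parameter name `iv` are assumptions.

```python
"""Why a reused IV breaks wrapped key blobs, with the vulnerable and fixed wrap side by side.

Constructed example. AES-GCM encrypts with an AES-CTR keystream; an HMAC-SHA256
counter keystream stands in for it so this runs on the standard library alone.
"""
import hashlib
import hmac
import os

# Device-bound wrapping key. In the real design it never leaves the TEE;
# the attacker below never reads it, only blobs and IVs. (Constructed value.)
HW_KEY = hashlib.sha256(b"constructed device-bound hardware key").digest()


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: block_i = HMAC(key, iv || i). Stand-in for AES-CTR."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_blob_vulnerable(key_material: bytes, params: dict):
    """Vulnerable TA behaviour: an IV supplied by the untrusted caller is honoured.

    Returns (iv, ciphertext). The GCM tag is omitted because it adds nothing to
    confidentiality; the attack works regardless of authentication.
    """
    iv = params.get("iv") or os.urandom(12)  # assumed parameter name
    return iv, _xor(key_material, _keystream(HW_KEY, iv, len(key_material)))


def wrap_blob_fixed(key_material: bytes, params: dict):
    """Fixed behaviour: the IV is always generated inside the TEE; caller input is ignored."""
    iv = os.urandom(12)
    return iv, _xor(key_material, _keystream(HW_KEY, iv, len(key_material)))


def recover_with_iv_reuse(known_key: bytes, known_blob: bytes, target_blob: bytes) -> bytes:
    """Two-time pad: C1 ^ C2 = P1 ^ P2, hence P2 = C1 ^ C2 ^ P1."""
    return _xor(_xor(known_blob, target_blob), known_key)


def attack(wrap) -> bool:
    """Normal-world attacker: read the victim's blob and IV, import a known key
    under that IV through the same wrap routine, and XOR the blobs.
    Returns True if the victim's key material was recovered."""
    victim_key = hashlib.sha256(b"constructed victim signing key").digest()
    victim_iv, victim_blob = wrap(victim_key, {})  # blob sits in normal-world storage
    attacker_key = b"\x41" * len(victim_key)       # attacker knows this plaintext
    _, attacker_blob = wrap(attacker_key, {"iv": victim_iv})
    return recover_with_iv_reuse(attacker_key, attacker_blob, victim_blob) == victim_key


if __name__ == "__main__":
    print("caller-chosen IV honoured -> key recovered:", attack(wrap_blob_vulnerable))
    print("IV generated in TEE       -> key recovered:", attack(wrap_blob_fixed))
```

The fixed routine succeeds against the attack only because the IV is generated where the caller cannot influence it; a fresh random 96-bit IV per blob is the standard requirement for AES-GCM, and any interface that lets the normal world choose or replay it reduces the cipher to a two-time pad.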

The researchers reported the vulnerability to Samsung in May 2021, and the South Korean smartphone maker patched the flaw in August 2021, so Galaxy devices running current security updates should no longer be exposed.

Given the severity of the flaw, Android users who have one of the affected devices and haven't updated recently should do so as soon as possible. To confirm a device is covered, check that the Android security patch level shown under Settings > About phone > Software information is August 2021 or later.

The researchers plan to present their findings, in a paper titled "Trust Dies in Darkness: Shedding Light on Samsung's TrustZone Keymaster Design", at the Real World Crypto and USENIX Security conferences in 2022.