Passwords insecure? More than 100 million Samsung devices affected

2 min read 2 min 1 Comment 1

Feb 25, 2022, 11:57 AM

Artem Oleshko shutterstock 781107184 — © Artem Oleshko / Shutterstock.com

Dustin Porth Working student

Read in other languages:

Samsung usually provides regular security updates for the Galaxy smartphones. However, such updates only take effect when the corresponding bugs are known. According to a recent report from Tel Aviv University, Samsung has released numerous phones with a critical security leak from the factory.

TL;DR

According to a report, Samsung released Galaxy smartphones with a serious security vulnerability.
More than 100 million devices are said to be affected.
Storage of cryptographic keys faulty.

Ever since the release of the Samsung Galaxy S8, there has been a security problem with the smartphones from the South Korean manufacture that no one had any idea about until now. This bug ensured that the smartphones did not store cryptographic keys correctly. This allowed third parties to retrieve the keys without you noticing anything.

Such an exploit means that your passwords are not secure. The error occurred in the "Trust Zone OperatingSystem (TZOS)", which is responsible for important security functions. The implementation of cryptographic functions in this system had flaws that made it possible to output passwords as plain text.

Countless devices affected

Since this bug has been around since the Samsung Galaxy S8 and impacts the S8, S9, S10, S20 and S21 series models, it could affect more than 100 million devices. Since no one knew about the exploit, no exact case number is known. You can read everything about the security leak in the researchers' report.

We reversed-engineered and provide a detailed description of the cryptographic design and code structure, and we unveil severe design flaws. We present an IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack. - Alon Shakevsky and Eyal Ronen and Avishai Wool, University of Tel Aviv

In the meantime, Samsung has reacted and fixed the bug with two updates. However, it is not known whether there are other undetected errors. We can only hope that our passwords will be secure in the future.

What do you think about this bug? Do you think there could be more such bugs hidden? Let us know in the comments!

Via: The Register Source: University of Tel Aviv

Choosing the Right Samsung Foldable

	Fold 2023	Fold 2022	Fold 2021	Flip-Phone 2023	Flip-Phone 2022	Flip-Phone 2021
Product	Samsung Galaxy Z Fold 5	Samsung Galaxy Z Fold 4	Samsung Galaxy Z Fold 3	Samsung Galaxy Z Flip 5	Samsung Galaxy Z Flip 4	Samsung Galaxy Z Flip 3
Image
Review	Review: Samsung Galaxy Z Fold 5	Review: Samsung Galaxy Z Fold 4	Review: Samsung Galaxy Z Fold 3	Review: Samsung Galaxy Z Flip 5	Review: Samsung Galaxy Z Flip 4	Review: Samsung Galaxy Z Flip 3
Offer*	Check offer (Samsung) * $1000-off w/ trade (T-Mobile) * Find on Amazon (Amazon) *	Check offer $599.64 (Amazon - new) * Check offer (Samsung) * Check offer (Walmart) *	Check offer $647.24 (Amazon - used) * Check offer (AT&T) * Find on eBay (eBay) *	Check offer $799.97 (128GB - new) * Check offer (Samsung) * Free w/ trade-in (T-Mobile) *	Check offer $325.00 (Amazon - new) * Check offer (Samsung) * Check offer (Walmart) *	$600-off w/ line (T-Mobile) * Find on Amazon (Amazon) * Find on eBay (eBay) *

1 Comment

Hai Karate Feb 25, 2022 Link to comment

Super click-baity article here. Samsung patched this last summer, yet there's no mention of that fix in the "TL;DR" section. It seems to me that would be something of an important point to make rather than to tuck it away with almost a passing mention in a single sentence in the last paragraph that's followed up with the completely inane "However, it is not known whether there are other undetected errors." If the errors were known, they wouldn't be undetected, would they?