Samsung reportedly shipped 100 million smartphones containing botched encryption, including models ranging from the 2017 Galaxy S8 to last year’s Galaxy S21. The incident was reported by researchers at Tel Aviv University, who confirmed that they found severe cryptographic design flaws that could allow attackers to siphon the devices’ hardware-based cryptographic keys. If obtained, the keys unlock troves of critical security data found in smartphones. In addition, attackers could exploit the missteps, which have been addressed in multiple CVEs, to downgrade a device’s security protocols. This would leave the phone vulnerable to future attacks.
One such technique is known as an initialization vector (IV) reuse attack, in which threat actors tamper with the encryption randomization that ensures that, even if multiple messages with identical plaintext are encrypted, the corresponding ciphertexts will be distinct. Researchers Alon Shakevsky, Eyal Ronen and Avishai Wool recently released a paper titled “Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Keymaster Design” that sheds light on the security incident and explains how smartphones control data such as sensitive messages, images, files, web authentication, digital rights management, mobile payment services, and more.
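The IV reuse problem described above, as an added illustration that is not taken from the researchers' paper or from Samsung's code: a keystream cipher built from HMAC-SHA256 stands in for the real cipher (an assumption, since the page does not name the algorithm), and the key, messages and function names are constructed for the example. It shows that a fresh IV keeps identical plaintexts distinct, that a fixed IV does not, and how stored blobs can be checked for repeated IVs.

```python
import hashlib
import hmac
import os
from collections import Counter

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real stream mode)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """ciphertext = plaintext XOR keystream(key, iv); decryption is the same call."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))

def reused_ivs(blobs):
    """Defender's check: IVs that appear on more than one (iv, ciphertext) blob."""
    counts = Counter(iv for iv, _ in blobs)
    return sorted(iv for iv, c in counts.items() if c > 1)

def demo():
    key = bytes(range(32))            # constructed key
    msg_a = b"PIN=1234;user=alice"    # constructed plaintexts of equal length
    msg_b = b"PIN=9876;user=bobby"
    # Correct use: a fresh random IV per message, so identical plaintexts differ.
    iv1, iv2 = os.urandom(12), os.urandom(12)
    fresh_differs = encrypt(key, iv1, msg_a) != encrypt(key, iv2, msg_a)
    # Broken use: a fixed IV gives every message the same keystream.
    fixed = b"\x00" * 12
    c_a, c_b = encrypt(key, fixed, msg_a), encrypt(key, fixed, msg_b)
    same_ct = encrypt(key, fixed, msg_a) == c_a    # equal plaintexts are visible
    leak = xor(c_a, c_b) == xor(msg_a, msg_b)      # keystream cancels, key not needed
    flagged = reused_ivs([(iv1, b""), (fixed, c_a), (fixed, c_b)])
    return fresh_differs, same_ct, leak, flagged

if __name__ == "__main__":
    print(demo())
```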
Read More: Samsung Shattered Encryption on 100M Phones