Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year’s Galaxy S21.
Researchers at Tel Aviv University found what they called “severe” cryptographic design flaws that could have let attackers siphon the devices’ hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that’s found in smartphones.
What’s more, cyber attackers could even exploit Samsung’s cryptographic missteps – since addressed in multiple CVEs – to downgrade a device’s security protocols. That would set up a phone to be vulnerable to future attacks: a practice known as IV (initialization vector) reuse attacks. IV reuse attacks screw with the encryption randomization that ensures that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts will each be distinct.
Untrustworthy Implementation of TrustZone
In a paper (PDF) entitled “Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Keymaster Design” – written by by Alon Shakevsky, Eyal Ronen and Avishai Wool – the academics explain that nowadays, smartphones control data that includes sensitive messages, images and files; cryptographic key management; FIDO2 web authentication; digital rights management (DRM) data; data for mobile payment services such as Samsung Pay; and enterprise identity management.
The authors are due to give a detailed presentation of the vulnerabilities at the upcoming USENIX Security, 2022 symposium in August.
The design flaws primarily affect devices that use ARM’s TrustZone technology: the hardware support provided by ARM-based Android smartphones (which are the majority) for a Trusted Execution Environment (TEE) to implement security-sensitive functions.
TrustZone splits a phone into two portions, known as the Normal world (for running regular tasks, such as the Android OS) and the Secure world, which handles the security subsystem and where all sensitive resources reside. The Secure world is only accessible to trusted applications used for security-sensitive functions, including encryption.
Cryptography Experts Wince
Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, explained on Twitter that Samsung incorporated “serious flaws” in the way its phones encrypt key material in TrustZone, calling it “embarrassingly bad.”
“They used a single key and allowed IV re-use,” Green said.
“So they could have derived a different key-wrapping key for each key they protect,” he continued. “But instead Samsung basically doesn’t. Then they allow the app-layer code to pick encryption IVs.” The design decision allows for “trivial decryption,” he said.