Photo credit: Wikimedia/Samsung Galaxy Note 10 and Google
Researchers from Tel Aviv University have discovered a serious security flaw in Samsung’s flagship Galaxy series. Researchers contacted Samsung in May 2021, and in October the company released a software update that fixed the flaw.
According to the researchers, users who have not updated their Android software since October are urged to do so as soon as possible, as the results of the study (which will be presented at the prestigious USENIX conference in August 2022) have already been published in preprint on the International Association for Cryptological Research (IACR) website.
Hackers could take advantage of the flaw to hack Galaxy series smartphones and steal sensitive information, such as that protecting Bitcoin wallets.
The study was conducted by Professor Avishai Wool from the School of Electrical Engineering, Dr. Eyal Ronen from the Blavatnik School of Computing and graduate student Alon Shakevsky.
“In the protection of smartphones using the Android system, there is a special component called TrustZone,” explains Professor Wool.
“This component is a combination of hardware and software, and its job is to protect our most sensitive information – the encryption and identification keys. We found an error in the implementation of Samsung’s TrustZone code, which allowed hackers to extract encryption keys and access secure information.
“You have to understand that phone companies like Samsung go to great lengths to secure their phones, yet we still hear about attacks, for example in the case of NSO spyware,” adds Dr Ronen.
“TrustZone is designed to be the last layer of protection, the internal vault. So even if NSO managed to hack into my phone, it still couldn’t access the encryption keys.
“For example, if I approve a bank transfer using a fingerprint, the fingerprint enters the phone’s TrustZone and hackers will have no way to use the fingerprint to make transactions. in my bank account. In our article, we showed that failures in Samsung’s code also allow access to these sensitive cryptographic keys.
In May 2021, researchers from Tel Aviv University contacted Samsung and presented their findings.
In October 2021, Samsung released an Android operating software update that fixed the major flaw in approximately 100 million Galaxy phones. Of course, the company and the researchers coordinated the release date of the results and the date of the update to prevent hackers from taking advantage of the flaw.
“Masters student Alon Shakevsky worked for months to extract the code from the device so that we could investigate it,” says Professor Wool, “and two weeks ago hackers broke into the company databases and leaked the code to Samsung.
“Information that used to be confidential is now available to everyone, including researchers like us. Therefore, the lesson for telcos should be to release the code in advance, let experts and researchers verify the architecture, and not rely too heavily on code secrecy. A secret code never guarantees longevity because it will eventually leak. In the end, we helped Samsung.
“In order to protect ourselves,” concludes Dr. Ronen, “we encourage all owners of Samsung Galaxy devices to update their software.”