100 million Samsung phones sold with poor security
Samsung has sold about 100 million smartphones with bad encryption. This also includes models of the latest Galaxy S21. Researchers at Israel’s Tel Aviv University discovered serious encryption problems.
The researchers discovered that it was possible to extract cryptographic keys from the hardware of the smartphones. If hackers get their hands on these, they gain access to all kinds of information about the security of smartphones. These cybercriminals could lower the security, making the phone extra vulnerable to an attack.
This method is also known as an “IV reuse” attack. IV here stands for ‘initialization vector’. Normally, the initialization vector causes a device to use a random set of numbers to encrypt messages. IV reuse attacks target the randomization process, so that text messages can still be read by outsiders.
Samsung commits cryptographic cardinal sin
Lead researcher at cybersecurity firm Sophos, Paul Ducklin, tells Threatpost that Samsung has committed a “cryptographic cardinal sin”. “They misused a good encryption algorithm (AES-GCM in this case).”
The AES-GCM algorithm requires a new set of randomly chosen data for each encryption, a so-called ‘nonce’. This stands for ‘Number Used Once’ in cryptographic jargon. Ducklin: “That’s not just a ‘nice to have’ functionality, it’s a requirement of the algorithm. In the language of internet programming, it’s a MUST, not a SHOULD.”
Samsung’s security system, however, did not see the use of the nonce as a hard requirement, but as an option. This made it possible to use applications outside the security area of the phone to manually choose the nonces within the security area. In this way, the Tel Aviv researchers, as well as hackers, were able to view and adapt the precise cryptographic code, although this should not be possible.
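Why a caller-chosen nonce breaks AES-GCM can be shown with Go's standard library. This program is an added example, not code from the researchers or from Samsung; the function names, the all-zero demo key and the messages are constructed for illustration. It compares an interface that accepts the nonce from the caller with one that generates it internally.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES always has a 16-byte block
	return gcm
}

// Flawed design: the caller chooses the nonce, so it can be repeated.
func sealCallerNonce(key, nonce, pt []byte) []byte {
	return newGCM(key).Seal(nil, nonce, pt, nil) // ciphertext || tag
}

// Hardened design: the nonce is generated inside and never taken from the caller.
func sealFreshNonce(key, pt []byte) []byte {
	nonce := make([]byte, 12) // standard GCM nonce size
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return newGCM(key).Seal(nonce, nonce, pt, nil) // nonce || ciphertext || tag
}

// keystreamReused reports whether c1^c2 equals p1^p2 (equal-length messages),
// which only happens when both messages were encrypted with the same keystream.
func keystreamReused(c1, c2, p1, p2 []byte) bool {
	for i := range p1 {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}

func main() {
	key, nonce := make([]byte, 32), make([]byte, 12) // constructed demo values
	p1, p2 := []byte("constructed msg A"), []byte("constructed msg B")
	c1, c2 := sealCallerNonce(key, nonce, p1), sealCallerNonce(key, nonce, p2)
	fmt.Println("reused nonce, c1^c2 == p1^p2:", keystreamReused(c1, c2, p1, p2))
	fmt.Println("fresh nonces, c1^c2 == p1^p2:",
		keystreamReused(sealFreshNonce(key, p1)[12:], sealFreshNonce(key, p2)[12:], p1, p2))
}
```

With the repeated nonce the first check is true: anyone who knows one message can recover the other from the two ciphertexts alone. With internally generated nonces the relationship disappears.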
Matthew Green, professor of Computer Science at the American Johns Hopkins Information Security Institute, explained the vulnerability on Twitter. He called Samsung’s encryption “embarrassingly bad”.
Not just Samsung’s problem
The researchers emphasize that this is not just a problem of encryption implementation. They say it points to a bigger problem, which is that companies like Samsung keep their encryption methods secret. They also named Qualcomm, another major player in the information technology sector.
By contrast, the AES encryption system is publicly available. This means that researchers have been able to extensively test, verify and validate the system in recent years. It is with good reason that it is seen as the gold standard and is used for sharing state secrets.
Still, AES is often implemented incorrectly, as can now be seen at Samsung. Without transparency about the implementation, this can lead to disastrous consequences. For example, an audit of the entire system might have prevented the current problem.