Samsung: 100 million cell phones shipped with faulty encryption

Using reverse engineering, experts were able to identify several weaknesses in the coding design and code structure. For example, problems with Samsung’s implementation of ARM TrustZone have been revealed. This security area, separate from traditional applications and software, is designed for particularly sensitive tasks. Among other things, to protect the lock screen or encryption keys. There is even an independent operating system running in this isolated area.

Respected crypto expert Matthew Green addressed the bug, calling the Samsung app “embarrassingly weak”. Data decryption is “trivial” and the promised additional protection is practically non-existent.

Oh my god, there are serious flaws in the way Samsung phones encrypt key material in TrustZone and it’s embarrassingly bad. They used one key and allowed the vein to be reused. https://t.co/XteB3kc8cH pic.twitter.com/4wxA6XBuN2

– Matthew Green (@matthew_d_green) February 22 2022

The full text of the tweet: “Oh my gosh. The way Samsung phones encrypt key stuff in TrustZone has serious flaws and embarrassingly bad. They used one key and re-used an IV (initialization vector) allowed.

So they could derive a different key for each key they protect. But instead, Samsung doesn’t. Then they let the application layer code choose to encode the IVs. This allows for a trivial decryption.”

According to security researchers, this app has bugs in many Samsung smartphones, specifically, Galaxy S8, S9, S10, S20 and S21 models are said to have been affected by improper implementation, with the number of affected devices reaching more than 100 million devices. .

The security update helps: Samsung was notified of this incorrect app last year and has since fixed the problems, at least on devices that are currently still in service. If you have installed all current security updates, you should not be affected by this issue anymore. (computer world)