100M Samsung Phones Produced Between 2017 and 2021 Have a Fatal Encryption Flaw

Mar 3, 2022

If you have a Galaxy series phone made in the last five years or so and you are diligent about keeping up with your security patches, you don’t have much to worry about. But if you’re the type to endlessly put off security updates, you’ll want to ensure that you’re caught up to at least August 2021 right away. Samsung phones produced between 2017 and 2021 have a severe encryption flaw that can open up the entire device to an attacker without much effort.

As a recent study out of Tel Aviv University points out, the encryption flaw is at the hardware level of these devices and enables access to the cryptographic keys that are at the core of all of the security functions. Samsung phones in the Galaxy series from S8 to S21, all of the phones in that series released between early 2017 and early 2021, are vulnerable.

Flagship Samsung phones require immediate patching

Samsung phones have had their share of security issues in recent years, but this is the most serious by far. The good news is that the researchers responsibly disclosed the encryption issue to Samsung well ahead of making their findings public, and it has long since been patched on these devices. The impacted phone models need security updates installed up to at least the August 2021 releases to be protected, and the phones must also be running Android 9 at minimum.
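A quick way for an administrator to verify that a device meets both of the thresholds named above (security patch level of August 2021 or later and Android 9 or later). This is an added example, not code from the article or from Samsung; it assumes the standard Android build properties `ro.build.version.security_patch` and `ro.build.version.release` read over `adb`, and falls back to constructed sample values when no device is attached.

```shell
#!/bin/sh
# Added example (not from the article): check a Galaxy device against the two
# remediation thresholds the article states: security patch level of August
# 2021 or later AND Android 9 or later. Property names are the standard
# Android build properties; the threshold values come from the text.

MIN_PATCH=20210801   # "August 2021" security patch release, as YYYYMMDD
MIN_ANDROID=9        # minimum Android major version

# patch_ok PATCH_LEVEL -- PATCH_LEVEL is ro.build.version.security_patch, e.g. 2021-08-01
patch_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;   # malformed or empty property: treat as not protected
    esac
    p=$(printf '%s' "$1" | tr -d '-')
    [ "$p" -ge "$MIN_PATCH" ]
}

# android_ok RELEASE -- RELEASE is ro.build.version.release, e.g. 8.1.0 or 11
android_ok() {
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) return 2 ;;   # malformed release string
    esac
    [ "$major" -ge "$MIN_ANDROID" ]
}

# is_protected PATCH_LEVEL RELEASE -- exit 0 only when both thresholds are met
is_protected() {
    patch_ok "$1" && android_ok "$2"
}

# Query a live device over adb when one is attached; otherwise use the
# constructed sample values below so the script also runs offline.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    release=$(adb shell getprop ro.build.version.release | tr -d '\r')
else
    patch=2021-06-01; release=10        # constructed sample: patch level too old
fi

if is_protected "$patch" "$release"; then
    echo "patch=$patch android=$release: meets the August 2021 / Android 9 thresholds"
else
    echo "patch=$patch android=$release: UPDATE REQUIRED (need >= 2021-08 and Android >= 9)"
fi
```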

Encryption compromise makes entire phone vulnerable to an attacker

The incident highlights a long-running issue with encryption implementation on phones. The functions embedded in processors are closely guarded by phone manufacturers, sometimes leaving phone designers guessing at how to implement them at the user end. In this case, it appears the Galaxy developers allowed cryptographic keys to pass through an unsafe “zone” of the phone’s architecture, such that it is not overly difficult for a knowledgeable attacker to capture them.

An attacker would have to execute code on the phone, for example by passing a malicious link via text message or email. But once they did, they would have access to any encrypted information on the phone. In addition, the vulnerability allows for bypass of various online security measures that communicate with the phone. For example, the report cites Google Secure Key Import and virtual wallets such as Samsung Mobile Pay as features that would be compromised due to this vulnerability.

More details about the vulnerability are scheduled to be made available at the USENIX Security 2022 symposium in August, but for now it is enough to know that it can cause a total core-level compromise of the phone. Samsung’s Galaxy S8, S9, S10, S20, and S21 phones appear to be the only ones impacted; other lines such as the Note use a different architecture and are not subject to the same vulnerability. It is not yet known to have been exploited in the wild, but attacks on the impacted Samsung phones should be expected after the full details are published later in the year.

