Feb 24, 2022 21:00:00

Why there was a security flaw in 100 million Samsung devices

by

Kārlis Dambrāns

It has been revealed that many Samsung smartphones that have already shipped have a design flaw that allows the extraction of encryption keys. This is explained by The Register, an overseas media.

Samsung shipped '100m' Android phones with flawed encryption • The Register
https://www.theregister.com/2022/02/23/samsung_encryption_phones/

Almost all Android smartphones use Arm-compatible silicon and rely on the Trusted Execution Environment (TEE) supported by Arm's TrustZone technology to separate sensitive security features from regular applications. I am protecting. The TEE of each smartphone is common in that it runs its own OS, TrustZone OS (TZOS), but it is up to each vendor to implement the encryption function within TZOS.

For Samsung, a Keymaster Hardware Abstraction Layer (HAL) that provides encryption key management is implemented via a trusted application called Keymaster TA running in TrustZone to generate and encrypt keys in a secure environment. It is said that it is performing encryption such as authentication and sign creation.

Keymaster TA stores the encryption key as a

blob . The key is encrypted via the block cipher AES-GCM and can be stored in the file system of the Android environment, but in theory it should only be readable within TEE.

Samsung's security flaws are related to this blob. Reverse-engineering the Keymaster app on the Galaxy S8, S9, S10, S20, and S21 to carry out code reuse attacks on initialization vectors, according to Alon Shakevsky and colleagues at Tel Aviv University, Israel, who investigated Samsung devices. It seems that it was possible to extract the key from the hardware protected BLOB.

The initialization vector is expected to be a unique number each time, so even if the same plaintext is encrypted, the AES-GCM encryption operation will produce different results. However, it has been revealed that if the initialization vector called 'salt' and the encryption key remain the same, the same output will be produced, and it is said that encryption is not performed properly from this point. ..

It is estimated that 100 million Samsung devices were under threat in 2021 when Shakevsky and colleagues discovered this vulnerability. However, Samsung began its investigation in May 2021 and released a patch in August of the same year.

Shakevsky and colleagues argued that cryptographic schemes other than AES-GCM, or versions that could withstand initialization vector reuse attacks such as AES-GCM-SIV, should be implemented, and the findings were written. The paper will be presented at the cryptographic research symposium 'Real World Crypto Symposium' in April 2022.