"Samsung Shattered Encryption on 100M Phones"

Security researchers at Tel Aviv University have stated that Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year's Galaxy S21.  The researchers found what they called "severe" cryptographic design flaws that could have let attackers siphon the devices' hardware-based cryptographic keys, which are keys that unlock the treasure trove of security-critical data that is found in smartphones.  The researchers stated that the design flaws primarily affect devices that use ARM's TrustZone technology.  ARM's TrustZone technology is the hardware support provided by ARM-based Android smartphones (which are the majority) for a Trusted Execution Environment (TEE) to implement security-sensitive functions.  The researchers noted that adversaries could exploit Samsung's cryptographic missteps to downgrade a device's security protocols.  Doing this would set up a phone to be vulnerable to future attacks, a practice known as IV (initialization vector) reuse attacks.  IV reuse attacks mess with the encryption randomization that ensures that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts will each be distinct.  The researchers published a paper regarding this research entitled "Trust Dies in Darkness: Shedding Light on Samsung's TrustZone Keymaster Design." The authors will give a detailed presentation of the vulnerabilities at the upcoming USENIX Security, 2022 symposium in August. 

Threatpost reports: "Samsung Shattered Encryption on 100M Phones"