Samsung Shattered Encryption on 100M Phones

One cryptography expert said that ‘serious flaws’ in the way Samsung phones encrypt sensitive material, as revealed by academics, are ’embarrassingly bad.’

Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year’s Galaxy S21.

Researchers at Tel Aviv University found what they called “severe” cryptographic design flaws that could have let attackers siphon the devices’ hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that’s found in smartphones.

What’s more, cyber attackers could even exploit Samsung’s cryptographic missteps – since addressed in multiple CVEs – to downgrade a device’s security protocols. That would set up a phone to be vulnerable to future attacks: a practice known as IV (initialization vector) reuse attacks. IV reuse attacks screw with the encryption randomization that ensures that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts will each be distinct.

Untrustworthy Implementation of TrustZone

In a paper (PDF) entitled “Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Keymaster Design” – written by by Alon Shakevsky, Eyal Ronen and Avishai Wool – the academics explain that nowadays, smartphones control data that includes sensitive messages, images and files; cryptographic key management; FIDO2 web authentication; digital rights management (DRM) data; data for mobile payment services such as Samsung Pay; and enterprise identity management.

The authors are due to give a detailed presentation of the vulnerabilities at the upcoming USENIX Security, 2022 symposium in August.

The design flaws primarily affect devices that use ARM’s TrustZone technology: the hardware support provided by ARM-based Android smartphones (which are the majority) for a Trusted Execution Environment (TEE) to implement security-sensitive functions.

TrustZone splits a phone into two portions, known as the Normal world (for running regular tasks, such as the Android OS) and the Secure world, which handles the security subsystem and where all sensitive resources reside. The Secure world is only accessible to trusted applications used for security-sensitive functions, including encryption.

Cryptography Experts Wince

Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, explained on Twitter that Samsung incorporated “serious flaws” in the way its phones encrypt key material in TrustZone, calling it “embarrassingly bad.”

“They used a single key and allowed IV re-use,” Green said.

“So they could have derived a different key-wrapping key for each key they protect,” he continued. “But instead Samsung basically doesn’t. Then they allow the app-layer code to pick encryption IVs.” The design decision allows for “trivial decryption,” he said.

Paul Ducklin, principal research scientist for Sophos, called out Samsung coders for committing “a cardinal cryptographic sin.” Namely, “They used a proper encryption algorithm (in this case, AES-GCM) improperly,” he explained to Threatpost via email on Thursday.

“Loosely speaking, AES-GCM needs a fresh burst of securely chosen random data for every new encryption operation – that’s not just a ‘nice-to-have’ feature, it’s an algorithmic requirement. In internet standards language, it’s a MUST, not a SHOULD,” Ducklin emphasized. “That fresh-every-time randomness (12 bytes’ worth at least for the AES-GCM cipher mode) is known as a ‘nonce,’ short for Number Used Once – a jargon word that cryptographic programmers should treat as an *command*, not merely as a noun.”

Unfortunately, Samsung’s supposedly secure cryptographic code didn’t enforce that requirement, Ducklin explained. “Indeed, it allowed an app running outside the secure encryption hardware component not only to influence the nonces used inside it, but even to choose those nonces exactly, deliberately and malevolently, repeating them as often as the app’s creator wanted.”

By exploiting this loophole, the researchers were able to pull off a feat that’s “supposed to be impossible, or as close to impossible as possible,” he continued. Namely, the team were able to “extract cryptographic secrets from *inside* the secure hardware.”

So much for all the encryption security that the special hardware is supposed to enforce, Ducklin mused, as demonstrated by the researchers’ multiple proof-of-concept security bypass attacks.

Ducklin’s admonishment: “Simply put, when it comes to using proper encryption properly: Read The Full Manual!”

Flaws Enable Security Standards Bypass

The security flaws not only allow cybercriminals to steal cryptographic keys stored on the device: They also let attackers bypass security standards such as FIDO2.

According to The Register, as of the researchers’ disclosure of the flaws to Samsung in May 2021, nearly 100 million Samsung Galaxy phones were jeopardized. Threatpost has reached out to Samsung to verify that estimate.

Samsung responded to the academics’ disclosure by issuing a patch for affected devices that addressed CVE-2021-25444: an IV reuse vulnerability in the Keymaster Trusted Application (TA) that runs in the TrustZone. Keymaster TA carries out cryptographic operations in the Secure world via hardware, including a cryptographic engine. The Keymaster TA uses blobs, which are keys “wrapped” (encrypted) via AES-GCM. The vulnerability allowed for decryption of custom key blobs.

Then, in July 2021, the researchers revealed a downgrade attack – one that lets attacker trigger IV reuse vulnerability with privileged process. Samsung issued another patch – to address CVE-2021-25490 – that remoged the legacy blob implementation from devices including Samsung’s Galaxy S10, S20 and S21 phones.