
Passwords insecure? More than 100 million Samsung devices affected

© Artem Oleshko / Shutterstock.com


Samsung usually provides regular security updates for its Galaxy smartphones. However, such updates only help once the corresponding bugs are known. According to a recent report from Tel Aviv University, Samsung has shipped numerous phones with a critical security vulnerability straight from the factory.


TL;DR

  • According to a report, Samsung released Galaxy smartphones with a serious security vulnerability.
  • More than 100 million devices are said to be affected.
  • The storage of cryptographic keys is faulty.

Ever since the release of the Samsung Galaxy S8, there has been a security problem with the smartphones from the South Korean manufacturer that no one had any idea about until now. Because of this bug, the smartphones did not store cryptographic keys correctly. This allowed third parties to retrieve the keys without you noticing anything.

Such an exploit means that your passwords are not secure. The error occurred in the "TrustZone Operating System (TZOS)", which is responsible for important security functions. The implementation of cryptographic functions in this system had flaws that made it possible to output passwords as plain text.

Countless devices affected

Since this bug has been around since the Samsung Galaxy S8 and impacts the S8, S9, S10, S20 and S21 series models, it could affect more than 100 million devices. Because no one knew about the exploit, the exact number of cases is unknown. You can read everything about the security vulnerability in the researchers' report.

We reverse-engineered and provide a detailed description of the cryptographic design and code structure, and we unveil severe design flaws. We present an IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack. - Alon Shakevsky and Eyal Ronen and Avishai Wool, University of Tel Aviv
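
Why a repeated IV is fatal for AES-GCM, as an added example that is not from this article or the researchers' report: GCM encrypts in counter mode, so the same key and IV always yield the same keystream. HMAC-SHA256 stands in for the AES block cipher here (an assumption, so the code runs on the Python standard library alone), all inputs are constructed, and `FreshIvEncryptor` is a hypothetical guard, not Samsung's fix.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream; HMAC-SHA256 is a stand-in for AES (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        block = iv + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Counter-mode encryption as in GCM (authentication tag omitted)."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))


def recover(c_target: bytes, c_known: bytes, known: bytes) -> bytes:
    """With a shared key and IV the keystream cancels: c1 ^ c2 == p1 ^ p2,
    so one known plaintext reveals the other without touching the key."""
    return xor(xor(c_target, c_known), known)


class FreshIvEncryptor:
    """Hypothetical guard: the key holder picks a random IV by default and
    refuses any IV it has already used under this key."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen = set()

    def encrypt(self, plaintext: bytes, iv: bytes = None):
        iv = os.urandom(12) if iv is None else iv
        if iv in self._seen:
            raise ValueError("IV already used under this key")
        self._seen.add(iv)
        return iv, encrypt(self._key, iv, plaintext)
```

The guard reflects the general rule for GCM: the party that holds the key should choose the IV and never accept a repeated one.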

In the meantime, Samsung has reacted and fixed the bug with two updates. However, it is not known whether there are other undetected errors. We can only hope that our passwords will be secure in the future.

What do you think about this bug? Do you think there could be more such bugs hidden? Let us know in the comments!

Dustin Porth
1 Comment

  • Hai Karate, Feb 25, 2022

    Super click-baity article here. Samsung patched this last summer, yet there's no mention of that fix in the "TL;DR" section. It seems to me that would be something of an important point to make rather than to tuck it away with almost a passing mention in a single sentence in the last paragraph that's followed up with the completely inane "However, it is not known whether there are other undetected errors." If the errors were known, they wouldn't be undetected, would they?