Samsung Galaxy smartphones found to have security vulnerabilities

Samsung has shipped hundreds of millions of Android smartphones with security flaws that could allow attackers to obtain sensitive and encrypted information from affected devices.

The vulnerability, discovered by researchers at Tel Aviv University in Israel, lies in the way keys are stored in the ARM TrustZone system of Samsung’s Galaxy line of phones. The Galaxy S8, Galaxy S9, Galaxy S10, Galaxy S20 and Galaxy S21 are affected, amounting to at least 100 million Android smartphones.

TrustZone is a technology that uses hardware to isolate sensitive information from the main operating system. The TrustZone Operating System (TZOS) on Samsung devices runs concurrently with Android and performs security tasks and encryption functions separately from normal applications.

The vulnerability had widespread effects on users. An attacker could exploit the vulnerability to extract encrypted sensitive information, such as passwords stored on a user’s device. Tel Aviv University researchers also exploited the vulnerability to bypass hardware-based two-factor authentication.

Researchers reported the vulnerability to Samsung in May 2021. Samsung patched the vulnerability in August 2021, which means that Galaxy phones running the latest operating system will no longer be affected.

Given the severity of this security flaw, Android phone users with affected devices should update their operating systems as soon as possible. The researchers plan to present the findings in a paper at the 2022 security conferences Real World Crypto and USENIX Security.
