Samsung: critical flaw discovered (and corrected) in over 100 million Galaxy S

Samsung sold over 100 million Galaxy smartphones with a critical software vulnerability: A group of researchers from Tel Aviv University found that several models of the Galaxy S8, S9, S10, S20 and S21 series did not store cryptographic keys correctly. A hacker with access to this data could have decrypted and subsequently stolen sensitive data, such as passwords and biometric information.

The report (link in SOURCE at the bottom of the article) makes it very clear that this is a complex and sophisticated attack, one that is very unlikely to be relevant to the general public. It concerns the implementation of TrustZone, the technology designed by Arm Holdings for its processors. Samsung has developed an environment called TZOS, or TrustZone Operating System, which runs in parallel with Android and manages all the cryptographic functions of the system.

It’s one of those high-level espionage exploits, you know, governmental or otherwise, and in any case it has already been corrected by Samsung. A first mitigation was implemented with the August 2021 security patches, and a further fix came with the patches released two months later. In short, is everything solved? Let’s say yes: although their support window closed a long time ago, towards the end of December 2021 even the Galaxy S8 and S8 Plus received the November 2021 patches. The news was a bit of a surprise at the time, but now we know that Samsung had very valid reasons, proving once again that among Android manufacturers it remains the best in terms of updates and security.

The main problem highlighted by the researchers, however, is a different one: the choice of manufacturers such as Samsung and Qualcomm to keep their TrustZone implementations secret. “Details on designs and implementations should be carefully reviewed and verified by independent researchers and should not rely on the difficulty of reverse engineering on proprietary systems”.

(updated February 23, 2022, 13:47)