Tel Aviv University researchers have discovered a serious security flaw in Samsung’s flagship Galaxy series. The study was conducted by Prof. Avishai Wool of TAU’s School of Electrical Engineering, Dr. Eyal Ronen of the Blavatnik School of Computer Science, and graduate student Alon Shakevsky.
The researchers contacted Samsung in May 2021, and in October the company released a software update that fixed the loophole. According to the researchers, users who have not updated their Android software since October are urged to do so as soon as possible, as hackers could take advantage of the loophole found to hack into the Galaxy smartphones in the series and steal sensitive information.
And apparently, some hackers have already done so. Two weeks ago, say the researchers, hackers broke into the company’s databases and leaked Samsung’s code. The information that was previously confidential is today available to everyone. “Therefore, the lesson for phone companies,” say the researchers, “should be to publish the code in advance, let the experts and researchers check the architecture, and not to rely too much on the code’s secrecy. A secret code never guarantees longevity, because it will eventually leak. In the end, we helped Samsung.”
Will you offer us a hand? Every gift, regardless of size, fuels our future.
Your critical contribution enables us to maintain our independence from shareholders or wealthy owners, allowing us to keep up reporting without bias. It means we can continue to make Jewish Business News available to everyone.
You can support us for as little as $1 via PayPal at firstname.lastname@example.org.
In protecting smartphones using the Android system, there is a special component called TrustZone, ”explains Prof. Wool. “This component is a combination of hardware and software, and its job is to protect our most sensitive information – the encryption and identification keys. We found an error in the implementation of Samsung’s TrustZone code, which allowed hackers to extract encryption keys and access secure information.”
“It should be understood that phone companies like Samsung go to enormous lengths to secure their phones, and yet we still hear about attacks, for example in the case of the NSO spyware,” Dr Ronen adds. “TrustZone is designed to be the last layer of protection, the internal safe. So, even if NSO managed to hack into my phone, it still wouldn’t be able to access the encryption keys. For example, if I approve a bank transfer using a fingerprint, the fingerprint enters the phone’s TrustZone, and hackers will have no way to use the fingerprint to carry out transactions in my bank account. In our article, we showed that failures in Samsung’s code also allowed access to these sensitive cryptographic keys.”