Apple’s iPhone and Samsung’s Galaxy series have been neck and neck in the race for the most popular smartphone in the world. But they are no invincible. After Tel Aviv University (TAU) researchers contacted the South Korean company in May 2021, it released a software update that fixed the loophole.
The flaw was discovered by Prof. Avishai Wool of TAU’s School of Electrical Engineering, Dr. Eyal Ronen of the Blavatnik School of Computer Science and graduate student Alon Shakevsky.
Users who have not updated their Android software since October are urged to do so as soon as possible, as the results of the study, which was published have already been published as a preprint on the International Association for Cryptologic Research (IACR) website under the title “Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Keymaster Design.” It will also be presented at the prestigious USENIX conference this August. In that event, hackers could take advantage of the loophole the Israeli found to hack into the Galaxy smartphones in the series and steal sensitive information — for example, that which protects Bitcoin wallets.
“In protecting smartphones using the Android system, there is a special component called TrustZone,” explained Wool. “This component is a combination of hardware and software, and its job is to protect our most sensitive information – the encryption and identification keys. We found an error in the implementation of Samsung’s TrustZone code, which allowed hackers to extract encryption keys and access secure information.”
“Smartphone companies like Samsung go to enormous lengths to secure their phones, and yet we still hear about attacks, for example in the case of the NSO spyware,” Ronen added.
“TrustZone is designed to be the last layer of protection, the internal safe. So even if NSO managed to hack into my phone, it still wouldn’t be able to access the encryption keys. For example, if I approve a bank transfer using a fingerprint, the fingerprint enters the phone’s TrustZone, and hackers will have no way to use the fingerprint to carry out transactions in my bank account. In our article, we showed that failures in Samsung’s code also allowed access to these sensitive cryptographic keys,” Ronen continued. “To protect ourselves, we encourage all owners of Samsung Galaxy devices to update their software.”
Samsung released the update to the Android operating software that fixed the major loophole in about 100 million Galaxy phones. The company and the researchers coordinated the date of the publication of the findings and the date of the update in order to prevent hackers from taking advantage the loophole.
“Master’s student Alon Shakevsky worked for months on extracting the code from the device so that we could investigate it,” said Wool, “and two weeks ago, hackers broke into the company’s databases and leaked Samsung’s code. The information that was previously confidential is today available to everyone, including researchers like us. Therefore, the lesson for phone companies should be to publish the code in advance, let the experts and researchers check the architecture, and not to rely too much on the code’s secrecy. A secret code never guarantees longevity, because it will eventually leak. In the end, we helped Samsung.”