Samsung is thought to have shipped 100 million smartphones with flawed encryption, including models ranging from the 2017 Galaxy S8 to last year's Galaxy S21. Tel Aviv University researchers discovered "serious" cryptographic design defects that might have allowed attackers to steal the devices' hardware-based cryptographic keys, keys that unlock the vast trove of security-critical data present in smartphones.
To keep crucial security operations isolated from normal apps, Android devices, which almost all employ Arm-compatible silicon, rely on a Trusted Execution Environment (TEE) backed by Arm's TrustZone technology. TEEs use their own operating system, TrustZone Operating System (TZOS), and it is up to suppliers to integrate cryptographic features within TZOS.
According to the researchers, the Android Keystore provides hardware-backed cryptographic key management via the Keymaster Hardware Abstraction Layer (HAL). Samsung implemented the HAL with Keymaster TA, a Trusted Application running in the TrustZone that performs cryptographic activities such as key generation, encryption, attestation, and signature creation in a safe environment. The outcomes of these TEE crypto calculations can subsequently be used in apps that run in less secure Android environments.
The Keymaster TA saves cryptographic keys as blobs — the keys are wrapped (encrypted using AES-GCM) so that they may be saved in the Android file system. They should, in theory, only be readable within the TEE.
Samsung, on the other hand, failed to successfully deploy Keymaster TA in its Galaxy S8, S9, S10, S20, and S21 phones. The researchers reverse engineered the Keymaster application and demonstrated that they could use an Initialization Vector (IV) reuse attack to get keys from hardware-protected key blobs. The IV is supposed to be a unique number each time, ensuring that the AES-GCM encryption operation provides a different result even when the same plain text is encrypted multiple times.
According to the experts, the problem isn't simply with how Samsung handled encryption. According to the Tel Aviv University's study, these issues arise as a result of companies – specifically, Samsung and Qualcomm – keeping their cryptography designs close to the vest.
“Vendors including Samsung and Qualcomm maintain secrecy around their implementation and design of TZOSs and TAs,” they wrote in their paper. “As we have shown, there are dangerous pitfalls when dealing with cryptographic systems. The design and implementation details should be well audited and reviewed by independent researchers and should not rely on the difficulty of reverse engineering proprietary systems.”