An estimated 100 million Samsung smartphones were left vulnerable to a design flaw in their hardware-backed encryption implementation, allowing anyone with privileged access to the phone's hardware to extract sensitive key material.

The Galaxy S8, S9, S10, S20 and S21 each received security updates in August and October of 2021 to address the issue, but it was only recently that researchers at Tel Aviv University released a paper detailing their discovery of the design flaw.

The paper describes how Samsung's Trusted Execution Environment could allow a user with root access to extract supposedly hardware-protected key material from the device through the APIs exposed by the Keymaster trusted application.

This could have left malware-affected devices exposed to having their passwords and payment information extracted. The researchers also make the broader point that large companies like Samsung and Qualcomm would benefit from letting independent researchers audit their cryptographic implementations, rather than leaving those implementations to be examined only through the reverse engineering of proprietary systems. If you own a Samsung S8, S9, S10, S20 or S21, be sure to check that all recent updates have been applied in order to stay protected.