Tel Aviv University researchers and Samsung are advising users to make sure they have updated their Galaxy series phones after a loophole was found that could expose user data.
TAU researchers identified the loophole last year and contacted Samsung in May 2021, which released a software update to fix the problem in October. The researchers’ work in identifying the loophole, which would have given hackers the ability to steal sensitive information, will be presented in August at the USENIX conference. It has already been published as a preprint on the International Association for Cryptologic Research (IACR) website—released in coordination with Samsung to ensure that hackers could not take advantage of their research.
“In protecting smartphones using the Android system, there is a special component called TrustZone,” said professor Avishai Wool of TAU’s School of Electrical Engineering, who led the study. “This component is a combination of hardware and software, and its job is to protect our most sensitive information—the encryption and identification keys. We found an error in the implementation of Samsung’s TrustZone code, which allowed hackers to extract encryption keys and access secure information.”
Phone companies like Samsung go to enormous lengths to secure their phones, according to Eyal Ronen, who also worked on the study. He said TrueZone is meant to be like an “internal safe” so that even the most sophisticated hacking technology cannot access a person’s most sensitive information.
“If I approve a bank transfer using a fingerprint, the fingerprint enters the phone’s TrustZone, and hackers will have no way to use the fingerprint to carry out transactions in my bank account,” said Ronen. “In our article, we showed that failures in Samsung’s code also allowed access to these sensitive cryptographic keys.”
Alon Shakevsky, a master’s degree student, worked for months on extracting the code from the device so that the team could investigate it. But a few weeks ago, hackers broke into Samsung’s database and leaked its code, said Wool.
“The information that was previously confidential is today available to everyone, including researchers like us,” he said. “Therefore, the lesson for phone companies should be to publish the code in advance. Let the experts and researchers check the architecture, and not rely too much on the code’s secrecy. A secret code never guarantees longevity, because it will eventually leak. In the end, we helped Samsung.”
