A team comprising Tel Aviv University’s academics disclosed details of a severe design flaw found in Samsung devices in mid-2021, which the company patched by October 2021. However, the details of it were only been shared last week according to which the flaw might have risked roughly 100 million Samsung’s Android-based smartphones.
According to Tel Aviv University’s researchers, Alon Shakevsky, Eyal Ronen, and Avishai Wool, some Samsung Galaxy smartphones contained a major security flaw that exposed encrypted keys and let attackers perform “trivial decryption.”
The vulnerabilities were established as CVE-2021-25444 and CVE-2021-25490. The devices found to be at-risk were the company’s flagship models, including Samsung Galaxy S1 and S20, and some of its old smartphones, such as the S8, S9, and S10.
What was the Issue?
The flaw was detected in the encryption hardware feature of Samsung Galaxy smartphones, and it could have allowed threat actors to extract secret cryptographic keys. The flaws originated from the cryptographic design and how it was implemented on the hardware-backed Keystore in the abovementioned Samsung Galaxy models.
On Android devices, this Keystore is a system that allows the creation and storing of cryptographic keys within the Trusted Execution Environments or TEEs. TEEs are secure