Samsung Encryption Flaw

Researchers have found a major encryption flaw in 100 million Samsung Galaxy phones.

From the abstract:

In this work, we expose the cryptographic design and implementation of Android’s Hardware-Backed Keystore in Samsung’s Galaxy S8, S9, S10, S20, and S21 flagship devices. We reversed-engineered and provide a detailed description of the cryptographic design and code structure, and we unveil severe design flaws. We present an IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack. We demonstrate working key extraction attacks on the latest devices. We also show the implications of our attacks on two higher-level cryptographic protocols between the TrustZone and a remote server: we demonstrate a working FIDO2 WebAuthn login bypass and a compromise of Google’s Secure Key Import.

Here are the details:

As we discussed in Section 3, the wrapping key used to encrypt the key blobs (HDK) is derived using a salt value computed by the Keymaster TA. In v15 and v20-s9 blobs, the salt is a deterministic function that depends only on the application ID and application data (and constant strings), which the Normal World client fully controls. This means that for a given application, all key blobs will be encrypted using the same key. As the blobs are encrypted in AES-GCM mode-of-operation, the security of the resulting encryption scheme depends on its IV values never being reused.

Gadzooks. That’s a really embarrassing mistake. GCM needs a new nonce for every encryption. Samsung took a secure cipher mode and implemented it insecurely.
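Why a deterministic wrapping key plus a repeated IV is fatal, as an added example (not code from the paper or from Samsung): two blobs wrapped under the same key and IV share a keystream, so their ciphertexts XOR to the XOR of the plaintexts. HMAC-SHA256 in counter mode stands in here for GCM's AES counter-mode keystream; `ROOT`, the function names and all sample values are constructed for illustration.

```python
import hashlib, hmac, os
from collections import Counter

ROOT = b"constructed-device-secret"  # constructed stand-in for the hardware-bound secret

def derive_wrapping_key(app_id: bytes, app_data: bytes, salt: bytes = b"") -> bytes:
    # With an empty salt the key depends only on caller-supplied values,
    # as the quoted passage describes for v15 and v20-s9 blobs.
    msg = b"|".join([b"wrap", app_id, app_data, salt])
    return hmac.new(ROOT, msg, hashlib.sha256).digest()

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Stand-in for GCM's counter-mode keystream: HMAC-SHA256(key, iv || counter).
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, iv, len(plaintext)))

def ciphertexts_leak_xor(per_blob_salt: bool) -> bool:
    """True if c1 XOR c2 == p1 XOR p2 for two blobs wrapped under one repeated IV."""
    iv = bytes(12)  # the same 96-bit IV used for both blobs
    p1, p2 = b"secret-key-bytes", b"second-blob-data"  # constructed, equal length
    keys = [derive_wrapping_key(b"com.example.app", b"data",
                                os.urandom(16) if per_blob_salt else b"")
            for _ in range(2)]
    c1, c2 = wrap(keys[0], iv, p1), wrap(keys[1], iv, p2)
    return xor(c1, c2) == xor(p1, p2)

def repeated_key_iv_pairs(blobs):
    """Audit helper: return (key, iv) pairs that appear on more than one blob."""
    counts = Counter((key, iv) for key, iv in blobs)
    return [pair for pair, n in counts.items() if n > 1]

if __name__ == "__main__":
    print("deterministic key, repeated IV leaks XOR:", ciphertexts_leak_xor(False))
    print("per-blob random salt, repeated IV leaks XOR:", ciphertexts_leak_xor(True))
```

A random per-blob salt in the key derivation is shown only as one way to break the key reuse; the underlying requirement is that a (key, IV) pair is never used twice.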

News article.

Posted on March 4, 2022 at 6:19 AM • 10 Comments

Comments

Clive Robinson March 4, 2022 7:57 AM

@ Bruce,

Samsung took a secure cipher mode and implemented it insecurely.

You know this is going to get asked one way or another eventually,

“Was this insecure implementation by accident, design, or incompetence?”

Or to put it another blunter way,

“Is this a back door and was it deliberately done or not?”

With of course another dozen or so ways it’s going to get asked.

And yes, I know, it can only be answered by “balance of probability”. And I also know “nonce reuse” is an all too common mistake made by people reading but not understanding not just product specifications but crypto documentation…

But I guess at the end of the day, whatever the actual cause, people are going to see what they want to see as nobody likes “We don’t know” as an answer.

Ted March 4, 2022 8:29 AM

From the paper: “Although our specific attacks only apply to the ≈100 million devices made by Samsung…”

Is this tongue-in-cheek?

tim March 4, 2022 2:55 PM

@clive

“Is this a back door and was it deliberately done or not?”

“Never attribute to malice that which is adequately explained by stupidity”

But I guess at the end of the day, whatever the actual cause, people are going to see what they want to see as nobody likes “We don’t know” as an answer.

That explains so much of your commentary here

Clive Robinson March 4, 2022 4:06 PM

@ Ted,

Is this tongue-in-cheek?

Call it “sarcasm by observation”. In the paper they say which of the Samsung devices they have tested so far and found this fault in.

But they also observe that there are many other phones out there that they have not yet checked…

So that ~100 million could be a lot lot higher.

Especially when you consider the issue I and no doubt many others have observed about nonces and IV’s and similar “use only once secrets”,

“I also know “nonce reuse” is an all too common mistake made by people reading but not understanding not just product specifications but crypto documentation…”

@ Tim, ALL,

That explains so much of your commentary here

And much of the behaviour of the human race… As a species we crave “certainty”, even though the implication of certainty is “No Free Will”.

As people find out –sometimes the hard way,– their boss does not want “probably” or “maybe” they want “definitely” when they ask a subordinate a question that boils down to “Will this work”, because as you go up the chain, you get to that awkward little problem of “Shareholder Value”…

The Shareholders demand via hindsight “definitely” the big bosses don’t get their huge “we guess right bonuses” if those down the chain do not give them the “certainty” the shareholders demand despite all logic (and why we had Enron and many too similar to name).

So the Big bosses have little bosses “on the up” to get thrown under the bus, and if they can save their skin by scapegoating you, guess what they will do.

Oh and remember there is no arguing against this… As Upton Sinclair observed nearly a century ago,

“It is difficult to get a man to understand something, when his salary depends upon his not understanding it!”

SpaceLifeForm March 4, 2022 4:15 PM

@ tim, Clive, ALL

“Never attribute to malice that which is adequately explained by stupidity”

Always assume malice that which can be explained away by stupidity.

That is how I’ve been looking at it for decades, and I am still waiting for proof that this view is incorrect.

Yes, I am waiting for Godot.

ResearcherZero March 4, 2022 11:48 PM

@SpaceLifeForm

I’ve been waiting for the “Golden Age” of “Sir” Joh Bjelke-Petersen, and I think it’s unfortunately arrived.

As Queensland sought its place on the world stage, Sir Joh was seeking trade deals with a controversial leader — Romanian communist leader Nicolae Ceausescu.

Sir Joh had proposed to swap Queensland coal in exchange for Romanian-built trains and oil.

The deal never got off the ground but Ceausescu did accept an invitation from Sir Joh for him and his wife Elena to come to Expo 88, but by then the premier had been ousted.

In December 1989, Nicolae and Elena Ceausescu were executed by firing squad at a military base in Romania after a short trial held by an Exceptional Military Tribunal.

The documents show the Queensland premier’s desire to have control over minor decisions, like hiring mid-level department staff and buying individual police vehicles.

He would also blindside fellow ministers by making oral submissions on cabinet items, giving them next to no time to research or consider their position.

Cabinet minutes showed he was absent during a meeting chaired by acting premier Bill Gunn, who made a secret recommendation for an investigation to probe allegations of police corruption.

That inquiry was chaired by Tony Fitzgerald QC.

His inquiry would lead to Sir Joh being charged with perjury, the jailing of police commissioner Terry Lewis, and the end of several other political careers.
https://www.abc.net.au/news/2018-01-01/sir-joh-bjelke-petersen-qld-30-year-cabinet-documents-released/9270744

“lower tax”, “smaller government” and “crush union power.”

He insists that adopting these maxims will return Australia to a “golden age” identified with some unspecified period in the past, not anticipating the needs or shape of the future.
https://www.brisbanetimes.com.au/politics/queensland/flashback-the-psychology-of-the-joh-phenomenon-20180807-p4zvz0.html

Bjelke-Petersen was Knighted in 1982 on the recommendation of the Queensland Government (His Government).

ResearcherZero March 5, 2022 9:08 PM

Fortunately this research was published before the Samsung leak, which also includes data from Qualcomm.

“there is no security in obscurity”

As the researchers said:

“Vendors including Samsung and Qualcomm maintain secrecy around their implementation and design of TZOSs and TAs,”

“As we have shown, there are dangerous pitfalls when dealing with cryptographic systems. The design and implementation details should be well audited and reviewed by independent researchers and should not rely on the difficulty of reverse engineering proprietary systems.”

John Brown March 6, 2022 7:36 PM

‘Embarrassing’? Given the status of the South Korean regime as a puppet of the American empire, I hardly think so.
