100 million Samsung phones sold with poor security


Samsung has sold about 100 million smartphones with flawed encryption, including models as recent as the Galaxy S21. Researchers at Israel’s Tel Aviv University discovered the serious encryption problems.

The researchers discovered that it was possible to extract cryptographic keys from the hardware of the smartphones. If attackers get their hands on these keys, they gain access to all kinds of information about the security of the phone. They could also lower the security level, making the phone extra vulnerable to an attack.

This method is also known as an “IV reuse” attack. IV stands for “initialization vector”. Normally, the initialization vector causes a device to use a random set of numbers to encrypt messages. IV reuse attacks target the randomization process, so that text messages can still be read by outsiders.

Samsung commits cryptographic cardinal sin

Lead researcher at cybersecurity firm Sophos, Paul Ducklin, tells Threatpost that Samsung has committed a “cryptographic cardinal sin”. “They misused a good encryption algorithm (AES-GCM in this case).”

The AES-GCM algorithm requires a new set of randomly chosen data for each encryption, a so-called ‘nonce’, which stands for ‘Number Used Once’ in cryptographic jargon. Ducklin: “That’s not just a ‘nice to have’ functionality, it’s a requirement of the algorithm. In the language of internet programming, it’s a MUST, not a SHOULD.”
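Why the nonce is a hard requirement, as an added Go example (not code from the article, the researchers or Samsung): under one key and one nonce AES-GCM produces the same keystream, so the XOR of two ciphertexts equals the XOR of the two plaintexts. The function names, key and messages are constructed for illustration; `sealFresh` shows the corrected design, where the nonce is generated inside the encryption routine instead of being chosen by the caller.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// sealWithNonce is the weak design: the caller picks the nonce, so it can repeat.
func sealWithNonce(key, nonce, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm.Seal(nil, nonce, pt, nil)
}

// sealFresh is the corrected design: a random nonce is drawn here and prepended.
func sealFresh(key, pt []byte) []byte {
	nonce := make([]byte, 12) // standard GCM nonce size
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, sealWithNonce(key, nonce, pt)...)
}

// reuseLeaks reports whether two equal-length messages sealed under the same
// key and nonce satisfy c1 XOR c2 == p1 XOR p2 (the keystream cancels out).
func reuseLeaks(key, nonce, p1, p2 []byte) bool {
	c1, c2 := sealWithNonce(key, nonce, p1), sealWithNonce(key, nonce, p2)
	for i := range p1 {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}

func main() {
	key, nonce := bytes.Repeat([]byte{0x42}, 32), make([]byte, 12) // constructed values
	fmt.Println("reuse leaks p1^p2:", reuseLeaks(key, nonce, []byte("msg A"), []byte("msg B")))
	fmt.Println("fresh outputs differ:", !bytes.Equal(sealFresh(key, nil), sealFresh(key, nil)))
}
```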

Samsung’s security system, however, did not see the use of the nonce as a hard requirement, but as an option. This made it possible to use applications outside the security area of the
