From the Samsung Galaxy S8 to the Samsung Galaxy S21, nearly 100 million devices are at risk from a “severe” security vulnerability that can lead to loss of money through Google Pay and Samsung Pay. The issue was found by researchers from Tel Aviv University, Israel. Security experts have demonstrated two real-world attacks that take advantage of these flaws, Express reported. Matthew Green, an associate professor of computer science at the Johns Hopkins Information Security Institute, shared the findings in a tweet. He wrote, "Ugh god. Serious flaws in the way Samsung phones encrypt key material in TrustZone and it’s embarrassingly bad. They used a single key and allowed IV re-use."
Paul Ducklin, principal research scientist at Sophos, told Threatpost that Samsung's coders had committed a "cardinal cryptographic sin". In their tests, the researchers showed that sensitive information could be stolen from Samsung devices even though it is supposedly protected at the hardware level.
The security flaw not only lets attackers steal cryptographic keys stored on the device, but also lets them bypass security standards such as FIDO2 authentication and gain access to passwords.
Mike Parkin, of Vulcan Cyber, called the cryptography complex and noted that the number of people who can analyse it properly is limited. "A properly designed and implemented encryption scheme relies on the keys and remains secure even if an attacker knows the math and how it was coded, as long as they don’t have the key," says Parkin.
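The two complaints in Green's tweet, one key for everything and a caller-controlled IV, combine into the classic two-time-pad failure. The Go program below is an added illustration, not code from the article, the researchers, or Samsung, and it assumes the mode was AES-GCM, which the article does not name. It first shows how two blobs encrypted under the same (key, IV) pair leak each other's contents to anyone who already knows one of them, and then the defensive shape a key-wrapping API should have: the IV is generated inside the trusted code from a CSPRNG on every call and is never accepted from the caller. All function and type names are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// xorBytes XORs a and b over their common length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// sealWithNonce is the weak pattern: one long-lived key, and the caller
// supplies the IV, so nothing prevents the same (key, IV) pair being used twice.
func sealWithNonce(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, nil), nil
}

// RecoverFromNonceReuse shows the risk. GCM's keystream depends only on
// (key, IV), so two ciphertexts made under the same pair satisfy
// c1 XOR c2 == p1 XOR p2 over the ciphertext body. Whoever knows one
// plaintext (e.g. a blob they wrapped themselves) learns the other without
// ever touching the key. The trailing 16-byte GCM tags are dropped by length.
func RecoverFromNonceReuse(c1, c2, knownP1 []byte) []byte {
	return xorBytes(xorBytes(c1, c2), knownP1)
}

// Sealer is the corrected design: the IV is never accepted from the caller.
// It is drawn from the CSPRNG inside the trusted code on every call, and a
// duplicate-IV check is kept as a defensive assertion.
type Sealer struct {
	gcm  cipher.AEAD
	seen map[string]struct{}
}

// NewSealer binds one AES-256-GCM key to a nonce-tracking wrapper.
func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{gcm: gcm, seen: make(map[string]struct{})}, nil
}

// Seal returns nonce || ciphertext || tag; the caller gets no say in the nonce.
func (s *Sealer) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	if _, dup := s.seen[string(nonce)]; dup {
		return nil, errors.New("nonce reuse detected; refusing to encrypt")
	}
	s.seen[string(nonce)] = struct{}{}
	return s.gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 32) // constructed demo key
	iv := bytes.Repeat([]byte{0x22}, 12)  // constructed IV, reused below
	known := []byte("tester's own wrapped blob 0")
	secret := []byte("another wrapped key blob 1")
	c1, _ := sealWithNonce(key, iv, known)
	c2, _ := sealWithNonce(key, iv, secret)
	fmt.Printf("recovered without the key: %q\n", RecoverFromNonceReuse(c1, c2, known))

	s, _ := NewSealer(key)
	a, _ := s.Seal(secret)
	b, _ := s.Seal(secret)
	fmt.Println("same plaintext, distinct nonces:", !bytes.Equal(a[:12], b[:12]))
}
```

The recovery step needs no cryptanalysis at all, which is why the tweet calls the design "embarrassingly bad": once the IV repeats under one key, GCM degrades to a reused one-time pad and its authentication tag does nothing to protect confidentiality. The corrected `Sealer` removes the caller's influence over the IV entirely rather than merely checking the one it is given.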