The researchers said that Android users who have not updated the operating system since October 2021 are vulnerable to a security loophole that could allow hackers to steal personal information, and that they should update their phones as soon as possible.
The study that found the security issue, a non-peer-reviewed preprint, was conducted by Prof. Avishai Wool from the School of Electrical Engineering, Dr. Eyal Ronen from the Blavatnik School of Computer Science, and graduate student Alon Shakevsky, and will be presented at the USENIX conference in August 2022.
“In protecting smartphones using the Android system, there is a special component called TrustZone,” Wool said. “This component is a combination of hardware and software, and its job is to protect our most sensitive information – the encryption and identification keys. We found an error in the implementation of Samsung's TrustZone code, which allowed hackers to extract encryption keys and access secure information.”
Ronen said, “It should be understood that phone companies like Samsung go to enormous lengths to secure their phones, and yet we still hear about attacks, for example in the case of the NSO spyware. TrustZone is designed to be the last layer of protection, the internal safe. So, even if NSO managed to hack into my phone, it still wouldn’t be able to access the encryption keys. For example, if I approve a bank transfer using a fingerprint, the fingerprint enters the phone's TrustZone, and hackers will have no way to use the fingerprint to carry out transactions in my bank account. In our article, we showed that failures in Samsung's code also allowed access to these sensitive cryptographic keys.”