TAU researchers identify Samsung Galaxy smartphone security flaw

The researchers said Android users who haven't updated the operating system since October 2021 are vulnerable to a security loophole that could allow hackers to steal personal information.

A Samsung employee poses with the new Samsung Galaxy S10 5G smartphone at a press event in London, Britain February 20, 2019. (photo credit: HENRY NICHOLLS/REUTERS)
A Samsung employee poses with the new Samsung Galaxy S10 5G smartphone at a press event in London, Britain February 20, 2019.
(photo credit: HENRY NICHOLLS/REUTERS)

Researchers at Tel Aviv University identified a security flaw in Samsung Galaxy smartphones and the company fixed the issue in a software update after the team informed them.

The researchers said Android users who haven't updated the operating system since October 2021 are vulnerable to a security loophole that could allow hackers to steal personal information and should update their phones as soon as possible.

The study that found the security issue, a non-peer-reviewed preprint, was conducted by Prof. Avishai Wool from the School of Electrical Engineering, Dr. Eyal Ronen from the Blavatnik School of Computer Science and graduate student Alon Shakevsky and will be presented at the USENIX conference in August 2022.

Prof. Avishai Wool of the Tel Aviv University School of Electrical Engineering (credit: TEL AVIV UNIVERSITY)Prof. Avishai Wool of the Tel Aviv University School of Electrical Engineering (credit: TEL AVIV UNIVERSITY)

“In protecting smartphones using the Android system, there is a special component called TrustZone,” Wool said. “This component is a combination of hardware and software, and its job is to protect our most sensitive information – the encryption and identification keys. We found an error in the implementation of Samsung's TrustZone code, which allowed hackers to extract encryption keys and access secure information.”

Ronen said that "It should be understood that phone companies like Samsung go to enormous lengths to secure their phones, and yet we still hear about attacks, for example in the case of the NSO spyware. TrustZone is designed to be the last layer of protection, the internal safe. So, even if NSO managed to hack into my phone, it still wouldn’t be able to access the encryption keys. For example, if I approve a bank transfer using a fingerprint, the fingerprint enters the phone's TrustZone, and hackers will have no way to use the fingerprint to carry out transactions in my bank account. In our article, we showed that failures in Samsung's code also allowed access to these sensitive cryptographic keys."