Samsung shipped ‘100 million’ Android phones with faulty encryption
Scholars from Tel Aviv University in Israel have discovered that recent Android-based Samsung phones have design flaws that allow the extraction of secret cryptographic keys.
The researchers – Alon Shakevsky, Eyal Ronen and Avishai Wool – describe their work in a paper titled “Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Keymaster Design”, scheduled to be presented at Real World Crypto and USENIX Security, 2022.
Android smartphones, which almost all use Arm-compatible silicon, rely on a Trusted Execution Environment (TEE) supported by Arm’s TrustZone technology to keep sensitive security features isolated from normal applications. These TEEs run their own operating system, TrustZone Operating System (TZOS), and it is up to the vendors to implement the cryptographic functions in TZOS.
The Android Keystore, the researchers explain, offers hardware-based cryptographic key management through the Keymaster Hardware Abstraction Layer (HAL). Samsung has implemented the HAL through a trusted application running in the TrustZone called Keymaster TA, which performs cryptographic operations such as key generation, encryption, attestation, and signature creation in a secure environment. The results of these TEE cryptographic calculations can then be used in applications running in the less secure Android environment.
The Keymaster TA stores cryptographic keys as blobs – the keys are wrapped (encrypted via AES-GCM) so that they can be stored in the Android environment file system. In theory, they should only be readable in the TEE.
However, Samsung failed to properly implement Keymaster TA in its Galaxy S8, S9, S10, S20 and S21 phones. The researchers reverse-engineered the Keymaster app and showed they could perform an Initialization Vector (IV) reuse attack to get keys from hardware-protected key blobs.
The IV is meant to be a unique number each time, which ensures that the AES-GCM encryption operation produces a different result even when the same plain text is encrypted. But when the IV – which the researchers call “salt” – and the encryption key remain the same, the same output is generated. And that kind of predictability is the bane of encryption.
“So they could have derived a different key wrapper key for each key they protect,” observed Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute in the United States, via Twitter. “But instead, Samsung doesn’t. Then they allow the application layer code to choose the encryption IVs. This allows for trivial decryption.”
The boffins at Tel Aviv University found three blob formats used among Samsung phones – v15, v20-s9 and v20-s10. The first, v15, is the default for the Galaxy S8; v20-s9 is used by the Galaxy S9; and v20-s10 was found in the S10, S20 and S21.
In v15 and v20-s9 blobs, according to the researchers, the salt is produced by a deterministic function that relies on the application ID, application data, and constant strings from the Android environment. Thus, for any given application, the corresponding key blobs will be protected by the same key wrapper key.
“Surprisingly, we discovered that the Android client is allowed to set the IV when generating or importing a key,” the paper says. “All that is needed is to place an attacker-chosen IV as part of the key settings, and it is used by the Keymaster TA instead of a random IV.
“As the [Android environment] also controls Application ID and Application Data, this means an attacker can force the Keymaster TA to reuse the same key and IV that was previously used to encrypt other v15 or v20-s9 blobs. As AES-GCM is a stream cipher, the attacker can now recover hardware-protected keys from key blobs.”
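A toy model of the flaw described above, added here as an illustration and not taken from the paper or from Samsung's code: it wraps two keys with AES-GCM under the same deterministic wrapping key, once with a caller-chosen IV and once with an IV drawn by the wrapper itself. The SHA-256 key derivation, the app ID string and the key material are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// wrap seals keyMaterial with AES-GCM. A caller-supplied iv is used as-is (the
// flawed design); a nil iv makes the wrapper draw a fresh random one (hardened).
func wrap(kek, iv, keyMaterial []byte) (usedIV, blob []byte) {
	block, _ := aes.NewCipher(kek) // cannot fail: kek is always 32 bytes here
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has a 16-byte block
	if iv == nil {
		iv = make([]byte, gcm.NonceSize())
		if _, err := rand.Read(iv); err != nil {
			panic(err)
		}
	}
	return iv, gcm.Seal(nil, iv, keyMaterial, nil)
}

// leaks reports whether victim XOR other XOR knownPlain equals secret, which
// holds exactly when both blobs were sealed with the same keystream.
func leaks(victim, other, knownPlain, secret []byte) bool {
	out := make([]byte, len(secret))
	for i := range out {
		out[i] = victim[i] ^ other[i] ^ knownPlain[i]
	}
	return bytes.Equal(out, secret)
}

func demo() (reusedIV, freshIV bool) {
	// Deterministic wrapping key: same app ID and app data, same key (constructed stand-in KDF).
	kek := sha256.Sum256([]byte("constructed-constant|com.example.app|constructed-app-data"))
	secret := []byte("constructed-32-byte-secret-key!!") // constructed key material
	known := bytes.Repeat([]byte{0x41}, len(secret))     // key material the caller knows
	iv, victim := wrap(kek[:], nil, secret) // existing blob; its IV is stored with it
	_, forced := wrap(kek[:], iv, known)    // caller replays that IV under the same key
	_, fresh := wrap(kek[:], nil, known)    // wrapper picks the IV itself
	return leaks(victim, forced, known, secret), leaks(victim, fresh, known, secret)
}

func main() { fmt.Println(demo()) } // prints: true false
```

The GCM tag plays no part in the relation: it authenticates each blob but does nothing to hide a keystream that has been used twice.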
Newer model Samsung devices with v20-s10 blobs are not normally vulnerable to IV reuse attacks, although the researchers found a way to carry out a downgrade attack by having the Android environment pass an “encryption version” telling the device to use the vulnerable v15 blob format.
The weak cryptography was also used by the researchers to bypass FIDO2 WebAuthn, a way to use public-key cryptography, instead of passwords, to register and authenticate on websites. Their proof-of-concept attack allowed the researchers to authenticate to a website protected by the StrongKey Android app. Moreover, they also managed to bypass Google’s Secure Key Import, designed to allow servers to securely share keys with Android devices.
In total, the researchers estimate that 100 million Samsung devices were vulnerable when they identified the encryption flaw last year. However, they responsibly disclosed their findings to Samsung in May 2021, leading to the August 2021 assignment of CVE-2021-25444 to the vulnerability, and a fix for affected devices. In July 2021, they revealed their downgrade attack, which in October 2021 led to CVE-2021-25490 and a patch that removed the legacy blob implementation (v15) from devices including the S10, S20, and S21.
For the future, the boffins argue that an encryption scheme other than AES-GCM, or an IV-reuse-resistant version like AES-GCM-SIV, should be considered.
Samsung did not immediately respond to a request to confirm the researchers’ estimate of affected devices and to provide an estimate of the number of affected devices, if any, that remain unpatched. ®