SECURITY experts have issued a warning to Android users after a Google Pay security flaw put millions of Samsung phones at risk.
An estimated 100 million Samsung Galaxy devices, from S8 phones to S21 phones, are at risk of a “critical” security vulnerability.
This vulnerability could allow hackers to steal keys used for secure payments made through Google Pay and Samsung Pay.
Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, said on Twitter: “Oops. Serious flaw in the way Samsung phones encrypt important documents in TrustZone and that sucks. They used a unique key and allowed the IV to be reused.”
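The mistake Green describes (a per-device key combined with a reused IV) is shown below in an added, self-contained example that is not Samsung's code or the researchers' proof of concept: an HMAC-SHA256 counter-mode keystream stands in for the AES counter-mode keystream inside AES-GCM, the key blobs are constructed sample data, and the same (key, IV) pair is used twice, which lets anyone holding one known plaintext recover the other.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from an HMAC-SHA256 PRF (assumed stand-in for
    the AES-CTR keystream inside AES-GCM). The cipher differs, the rule does
    not: one (key, nonce) pair yields one fixed keystream, so it must never
    be used for two messages."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream (decrypt is identical)."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def recover_with_reused_iv(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """If both ciphertexts share key and IV, c1 XOR c2 == p1 XOR p2,
    so a known p1 reveals p2 without ever touching the key."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor(xor(c1[:n], c2[:n]), known_p1[:n])


def demo() -> tuple:
    key = os.urandom(32)           # unique per-device key, as Green describes
    reused_iv = b"\x00" * 12       # the sin: the same IV for every encryption
    p1 = b"constructed key blob number 1"   # constructed sample data
    p2 = b"constructed key blob number 2"
    c1 = encrypt(key, reused_iv, p1)
    c2 = encrypt(key, reused_iv, p2)
    leaked = recover_with_reused_iv(c1, p1, c2)        # equals p2

    # The fix: a fresh random IV per encryption, stored beside the ciphertext.
    d1 = encrypt(key, os.urandom(12), p1)
    d2 = encrypt(key, os.urandom(12), p2)
    not_leaked = recover_with_reused_iv(d1, p1, d2)    # garbage, not p2
    return leaked, not_leaked, p2
```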
Paul Ducklin, principal research scientist at Sophos, told ThreatPost that Samsung programmers committed a “fundamental cryptographic sin”.
The problem remained undetected for years, until researchers from Tel-Aviv University identified the vulnerability.
Israeli security experts have demonstrated two real-world attacks that can be carried out by exploiting the vulnerability.
In testing, researchers were able to steal highly sensitive information from Samsung devices that were supposed to be protected at the hardware level.
The researchers also showed that the flaw could be used to bypass FIDO2 authentication and gain access to passwords.
Researchers from the university informed Samsung of the threat last year, with the necessary fixes released in August 2021.
A Samsung spokesperson said: “Samsung takes the security of Galaxy devices very seriously. We are constantly looking for ways to enhance the security of our products and welcome any input from us. The reported issue has been acknowledged and has been resolved through security updates since August 2021. We recommend that users update their devices to the latest software to enjoy a secure and convenient Galaxy mobile experience.”
Mike Parkin, from Vulcan Cyber, said: “Nature is complex and the number of people who can do the right analysis, the real experts in the field, is very limited.
“A properly designed and implemented encryption program relies on keys and remains secure even if an attacker knows the math and how it’s encrypted, as long as they don’t have the key.”
https://www.the-sun.com/money/4783370/android-samsung-security-warning-google-pay/ Android alert due to Google Pay security flaw puts millions of Samsung phones at risk