Security researcher finds vulnerabilities in Samsung Galaxy S10 S-boot (Secure Boot) which give root access
Samsung has always prided itself on Knox and S-boot (Secure Boot) to keep its Samsung Galaxy S series smartphones safe and secure. Samsung Knox works by keeping business and personal data compartmentalized and secure on supported Samsung Galaxy S series Android smartphones. If you are using a Samsung Galaxy S series Android smartphone, you will have noticed the Knox Secure Folder. Samsung Knox comprises three components:
- Hardware (Samsung Knox-compatible devices)
- Software (My Knox, found on the Google Play Store)
- Service (Knox-compatible mobile management server)
Samsung Knox increases the security of Samsung Galaxy S Series Android smartphones through:
- Real-time Kernel Protection (RKP)
- DM-Verity malware checks
- Trusted Boot, also known as S-boot or Secure Boot
A security research team from TeamT5 comprising Cheng-Yu Chao, Hung Chi Su and Che-Yang Wu has found vulnerabilities in the S-boot (Secure Boot) of Samsung Galaxy S series smartphones. They tested their attack on the Samsung Galaxy S10 Android smartphone, which was released last year in September and ships with S-Boot (Secure Boot).
The researchers found that they could manipulate the way Samsung Knox handles USB requests and gain root access to the smartphone despite it being locked. They could then use that root access for remote code execution. Potential hackers could use the vulnerability to infect the Samsung Galaxy S10 with malware or spyware and listen to all the communications that take place on the victim’s smartphone.
How does S-Boot or Secure Boot work?
When a Samsung Galaxy S series Android smartphone restarts, by default it runs a series of protection measures through Samsung Knox to ensure security. During the boot process, Samsung uses S-boot (Secure Boot) to make sure the device can only boot a stock image. If the Samsung Galaxy S10 is loaded with a custom image instead of the stock ROM, it trips a one-time programmable e-fuse (the Samsung Knox fuse).
Once a trust zone app (trustlet) detects that the Samsung Knox fuse has been tripped, it deletes the encryption key for the sensitive data to prevent unauthorized access to the data on the locked phone. Defeating this mechanism would in effect give an attacker full access to the Samsung smartphone, including the Secure Folder that Samsung prides itself on.
The researchers found that the boot sequence of Samsung S series smartphones can be manipulated through the way S-boot handles USB requests. They found that they can not only make the Samsung smartphone boot a custom ROM without tripping the Knox fuse, but also retrieve sensitive data from a locked device.
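The boot-time policy described above (signed stock image, one-time fuse, trustlet wiping the data key) as an added simulation written for this article; it is not Samsung's code and uses a constructed HMAC key in place of the vendor's real signature scheme:

```python
import hashlib
import hmac

# Constructed demo key. On a real device the verifier holds only the public
# half of the vendor's signing key; an HMAC stands in for the signature here.
VENDOR_KEY = b"constructed-demo-vendor-key"


def sign_image(image: bytes) -> bytes:
    """Vendor side: the tag that a genuine stock image carries."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


class Device:
    def __init__(self):
        self.fuse_blown = False                    # one-time programmable e-fuse
        self.sensitive_key = b"secure-folder-key"  # guarded by the trustlet

    def s_boot(self, image: bytes, tag: bytes) -> str:
        """Bootloader: only a correctly signed (stock) image boots cleanly."""
        if not hmac.compare_digest(sign_image(image), tag):
            self.fuse_blown = True    # irreversible: there is no reset path
            self._trustlet_check()
            return "custom image: fuse tripped"
        self._trustlet_check()
        return "stock image: boot ok"

    def _trustlet_check(self):
        """Trust zone app: once the fuse is blown, the data key is deleted."""
        if self.fuse_blown:
            self.sensitive_key = None

    def read_secure_folder_key(self):
        """Returns the key while the device is trusted, None afterwards."""
        return self.sensitive_key


def demo():
    """Boot stock, then custom, then stock again: the wipe is permanent."""
    stock = b"constructed stock image bytes"
    dev = Device()
    results = [dev.s_boot(stock, sign_image(stock)),
               dev.s_boot(b"custom rom", sign_image(stock)),
               dev.s_boot(stock, sign_image(stock))]
    return results, dev.read_secure_folder_key()
```

The third boot shows the defender-relevant property: a later stock boot does not restore the key, because the fuse cannot be reset.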
Thankfully, Samsung’s latest smartphone, the Samsung Galaxy S20, isn’t affected by this particular vulnerability, as it uses a new Quantum security chip for booting instead of S-Boot and Samsung Knox. However, all the other Samsung Galaxy S series smartphones that use S-Boot and Samsung Knox are vulnerable to this type of attack.
TeamT5 will demonstrate the Proof-of-Concept (PoC) via satellite link during the upcoming Black Hat conference in August 2020.
We are reaching out to Samsung for comments.