Subject                                         Author
* That's one very large oops, Samsung!          Alan
+* Re: That's one very large oops, Samsung!     The Real Bev
|`- Re: That's one very large oops, Samsung!    nospam
+- Re: That's one very large oops, Samsung!     VanguardLH
`* Re: That's one very large oops, Samsung!     Andy Burns
 +* Re: That's one very large oops, Samsung!    VanguardLH
 |`- Re: That's one very large oops, Samsung!   Ed Cryer
 `- Re: That's one very large oops, Samsung!    Andy Burnelli

That's one very large oops, Samsung!

<svuq68$3ou$1@dont-email.me>

From: nuh...@nope.com (Alan)
Newsgroups: comp.mobile.android
Subject: That's one very large oops, Samsung!
Date: Fri, 4 Mar 2022 20:50:14 -0800
 by: Alan - Sat, 5 Mar 2022 04:50 UTC

'Samsung Encryption Flaw
Researchers have found a major encryption flaw in 100 million Samsung
Galaxy phones.'

<https://www.schneier.com/blog/archives/2022/03/samsung-encryption-flaw.html>

Funny that Google didn't publicize it, hmmm?

Re: That's one very large oops, Samsung!

<svurjc$am8$1@dont-email.me>

 by: The Real Bev - Sat, 5 Mar 2022 05:14 UTC

On 03/04/2022 08:50 PM, Alan wrote:
> 'Samsung Encryption Flaw
> Researchers have found a major encryption flaw in 100 million Samsung
> Galaxy phones.'
>
> <https://www.schneier.com/blog/archives/2022/03/samsung-encryption-flaw.html>
>
> Funny that Google didn't publicize it, hmmm?

And they only guarantee their stuff for a year. I'll never buy another
Samsung device again.

--
Cheers, Bev
"If anyone disagrees with anything I say, I am quite prepared
not only to retract it, but also to deny under oath that I
ever said it." -- T. Lehrer

Re: That's one very large oops, Samsung!

<5qe0brtswi2v$.dlg@v.nguard.lh>

 by: VanguardLH - Sat, 5 Mar 2022 08:23 UTC

Alan wrote:

> 'Samsung Encryption Flaw
> Researchers have found a major encryption flaw in 100 million Samsung
> Galaxy phones.'
>
> <https://www.schneier.com/blog/archives/2022/03/samsung-encryption-flaw.html>
>
> Funny that Google didn't publicize it, hmmm?

Instead of the newsfeed blog, the actual referenced article is at:

https://threatpost.com/samsung-shattered-encryption-on-100m-phones/178606/

I hate going to someone's newsfeed choice to only see a small part of
the referenced article.

From the article:

Ducklin’s admonishment: “Simply put, when it comes to using proper
encryption properly: Read The Full Manual!”

Reminds me of "You really should've stolen the whole book because the
warnings come /after/ the spells."
("Doctor Strange", https://youtu.be/S8r8RAkLuz0?t=224)

“there is no security in obscurity”

Yet that style of /security/ is implemented all the time. Hide a gun
under the pillow. Oh, that's secure, uh huh.

Re: That's one very large oops, Samsung!

<j8gndmFhkj2U1@mid.individual.net>

 by: Andy Burns - Sat, 5 Mar 2022 09:04 UTC

Alan wrote:

> <https://www.schneier.com/blog/archives/2022/03/samsung-encryption-flaw.html>
> Funny that Google didn't publicize it, hmmm?

Provided Samsung respond in a reasonable timescale to a properly reported
vulnerability, why publicise the weakness before there was a fix rolled-out?

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25444>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25490>

Re: That's one very large oops, Samsung!

<spdjn4leudlf.dlg@v.nguard.lh>

 by: VanguardLH - Sat, 5 Mar 2022 10:06 UTC

Andy Burns wrote:

> Alan wrote:
>
>> <https://www.schneier.com/blog/archives/2022/03/samsung-encryption-flaw.html>
>> Funny that Google didn't publicize it, hmmm?
>
> Provided Samsung respond in a reasonable timescale to a properly reported
> vulnerability, why publicise the weakness before there was a fix rolled-out?
>
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25444>
dated 2021-01-19
Ref: https://nvd.nist.gov/vuln/detail/CVE-2021-25444
Pub date: 2021-08-05
Last modified: 2021-08-12

> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25490>
dated 2021-01-19
Ref: https://nvd.nist.gov/vuln/detail/CVE-2021-25490
Pub date: 2021-10-06
Last modified: 2021-10-13

The CVEs were registered 13 and 8 months ago.

The ThreatPost article links to:

https://eprint.iacr.org/2022/208.pdf

which states:

1.2 Responsible Disclosure
We reported our IV reuse attack on S9 to Samsung Mobile
Security in May 2021. In August 2021 Samsung assigned
CVE-2021-25444 with High severity to the issue and released
a patch that prevents malicious IV reuse by removing the
option to add a custom IV from the API. According to
Samsung [61], the list of patched devices includes: S9, J3 Top, J7
Top, J7 Duo, TabS4, Tab-A-S-Lite, A6 Plus, A9S.
We reported the downgrade attack on S10, S20 and S21 in
July 2021. In October 2021 Samsung assigned CVE-2021-25490
with High severity to the downgrade attack and patched
models that were sold with Android P OS or later, including
S10, S20, and S21. The patch completely removes the legacy
key blob implementation.

Samsung fixed the vulnerabilities 3 months after notified, and those
patches were 8 months ago, or longer. The ThreatPost article makes it
appear the threat was new 10 days ago. Even the ThreatPost article
later notes the 2021 dates for reports and patches. Why is Lisa Vaas
reporting now as though new something that's over 8 months old and
fixed?

Re: That's one very large oops, Samsung!

<svvhrf$toc$1@dont-email.me>

 by: Ed Cryer - Sat, 5 Mar 2022 11:33 UTC

VanguardLH wrote:
> Andy Burns wrote:
>
>> Alan wrote:
>>
>>> <https://www.schneier.com/blog/archives/2022/03/samsung-encryption-flaw.html>
>>> Funny that Google didn't publicize it, hmmm?
>>
>> Provided Samsung respond in a reasonable timescale to a properly reported
>> vulnerability, why publicise the weakness before there was a fix rolled-out?
>>
>> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25444>
> dated 2021-01-19
> Ref: https://nvd.nist.gov/vuln/detail/CVE-2021-25444
> Pub date: 2021-08-05
> Last modified: 2021-08-12
>
>> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25490>
> dated 2021-01-19
> Ref: https://nvd.nist.gov/vuln/detail/CVE-2021-25490
> Pub date: 2021-10-06
> Last modified: 2021-10-13
>
> The CVEs were registered 13 and 8 months ago.
>
> The ThreatPost article links to:
>
> https://eprint.iacr.org/2022/208.pdf
>
> which states:
>
> 1.2 Responsible Disclosure
> We reported our IV reuse attack on S9 to Samsung Mobile
> Security in May 2021. In August 2021 Samsung assigned
> CVE-2021-25444 with High severity to the issue and released
> a patch that prevents malicious IV reuse by removing the
> option to add a custom IV from the API. According to
> Samsung [61], the list of patched devices includes: S9, J3 Top, J7
> Top, J7 Duo, TabS4, Tab-A-S-Lite, A6 Plus, A9S.
> We reported the downgrade attack on S10, S20 and S21 in
> July 2021. In October 2021 Samsung assigned CVE-2021-25490
> with High severity to the downgrade attack and patched
> models that were sold with Android P OS or later, including
> S10, S20, and S21. The patch completely removes the legacy
> key blob implementation.
>
> Samsung fixed the vulnerabilities 3 months after notified, and those
> patches were 8 months ago, or longer. The ThreatPost article makes it
> appear the threat was new 10 days ago. Even the ThreatPost article
> later notes the 2021 dates for reports and patches. Why is Lisa Vaas
> reporting now as though new something that's over 8 months old and
> fixed?

And I suppose that Samsung held their own internal inquiry as to how it
all happened. And relevant staff have been vetted and brushed.

Ed

Re: That's one very large oops, Samsung!

<050320220934525727%nospam@nospam.invalid>

 by: nospam - Sat, 5 Mar 2022 14:34 UTC

In article <svurjc$am8$1@dont-email.me>, The Real Bev
<bashley101@gmail.com> wrote:

> On 03/04/2022 08:50 PM, Alan wrote:
> > 'Samsung Encryption Flaw
> > Researchers have found a major encryption flaw in 100 million Samsung
> > Galaxy phones.'
> >
> >
> > <https://www.schneier.com/blog/archives/2022/03/samsung-encryption-flaw.html>
> >
> >
> > Funny that Google didn't publicize it, hmmm?
>
> And they only guarantee their stuff for a year. I'll never buy another
> Samsung device again.

given that most consumer electronics has a one year warranty, your
options will be quite limited.

also, a security flaw is not something that's covered by a warranty
anyway. it's patched in a system update, regardless of status.

Re: That's one very large oops, Samsung!

<t01b77$16pf$1@gioia.aioe.org>

 by: Andy Burnelli - Sun, 6 Mar 2022 03:53 UTC

Andy Burns wrote:

>> <https://www.schneier.com/blog/archives/2022/03/samsung-encryption-flaw.html>
>> Funny that Google didn't publicize it, hmmm?
>
> Provided Samsung respond in a reasonable timescale to a properly reported
> vulnerability, why publicise the weakness before there was a fix rolled-out?
>
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25444>
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25490>

First off you have to realize who Alan Baker is, and you have to note that
he's one of the lowest IQ iKooks (if not the lowest) who derive a
substantial amount of their own self esteem (maybe all) from Apple products.

Most likely Alan saw the word "bug" and it was associated with Android, so,
hell, he didn't even _read_ the rest of the link before he posted it here.

Alan Baker is one of the few people I plonk (along with Rod Speed and Snit),
simply because there is absolutely no value to be gained from anything he
posts (even Jolly Roger, Joerg & Lewis post more value than does Alan).

Alan, to our knowledge, doesn't even _own_ an Android device, but if he
does, then he can prove it to us with a simple directed screenshot at my
request.

Given my assumptions above, Alan posts _only_ to gloat as he feels Apple is
superior to Android in terms of bugs (hehhehheh... how deluded they are).

Given Alan Baker's attempt to gloat, I'd like to see what his response is
when we tell him that Apple codes roughly about a zero-day hole a month, &,
more to Andy's point, Apple does _exactly_ what Google seems to have done.

In fact, to Andy's and Ed Cryer's _astute point_ that Samsung respond in
reasonable time, in early January we reported that researchers gave Apple
from July of 2021 to fix critical vulnerabilities which Apple didn't fix in
over six months, so they published it just to light a fire under Apple's ass
(and only _then_ did Apple fix the bug).

Funny thing, it was only in webkit (as I recall - we can doublecheck
easily), and yet Apple's primitive OS mechanism requires they update an
entirely new primitive monolithic operating system for even fixing a
_single_ line of iOS code.

To Ed Cryer's point:
> And I suppose that Samsung held their own internal inquiry as to how it
> all happened. And relevant staff have been vetted and brushed.

I didn't know this, but that's responsible, where, Alan Baker will be
"proud" to know that Apple has _multiple times_ shipped a bug in a later
version of iOS that they already had prior fixed in an earlier version.

I only bring up these facts because Alan Baker's sole intent was to gloat
that finally, for once, he could find a vulnerability in Android at a time
that there aren't widely publicized Apple zero-day holes to talk about.
--
People like Alan Baker have a low IQ, which is what makes them act like
kindergarten kids, which is fine, but they don't even realize what they are.
