Hacker pointing to code on a computer monitor in a dark room showing data breach and source code leak

Extortion Attempt on Samsung Leads to Data Breach, Leak of Bootloader and Authentication Source Code

A hacking group that recently attempted to extort Nvidia into making its GPUs perform cryptocurrency mining functions faster has now taken aim at Samsung, and the result is a massive data breach containing some troubling items: the source code for the bootloader for the company’s newer devices, all of the source code used in authorizing and authenticating accounts, and the algorithms for all of the company’s biometric unlocking operations.

The 190 GB collection of files is being passed around via torrent; the hacking group does not seem to have any particular financial demand or extortion plan, as it did with the Nvidia attack. Samsung says that no personal information was lost in the data breach and that it does not expect customers to be impacted.

Samsung data breach provides tools to access any locked device

The Lapsus$ hacking group is thought to be behind the data breach. Aside from the recent attempt on Nvidia, the group is known as an emerging and prominent ransomware group that burst onto the scene in the early part of 2022 with an attack on Portuguese media giant Impresa. The group has also been linked to a February attack on the Brazil Ministry of Health that saw data used for issuing Covid vaccination certificates destroyed.

Jack Chapman, VP of Threat Intelligence at Egress, points out that this is another reminder that advanced criminal hacking groups can get at just about anyone: “It’s concerning for an organization to have any data stolen by cybercriminals – but it will be the potential leak of confidential source code that’s keeping Samsung’s executives awake at night. The exposure of such highly confidential, strategic information could be devastating for Samsung and their security teams will be working to ascertain exactly what data was stolen – and whether there might be further leaks to come … As this incident shows, hackers can access even the largest conglomerates, which are likely to have robust security protections in place. In the current environment of heightened security risk, it’s imperative that organizations of all sizes heed the NCSC’s advice and prioritize cybersecurity preparedness.”

The leaked source code is most useful to an attacker with physical possession of a phone looking to break through its lock screen, but there are other elements of interest to remote attackers. In addition to the source code for Samsung’s activation servers, there is also source code from the Qualcomm chips that power Samsung’s devices. The company’s “TrustZone” environment, which controls the fundamental encryption and security functions on each device, is also once again in the news for the worst possible reasons. Lapsus$ apparently also exfiltrated source code for every one of the environment’s trusted applets. TrustZone was just recently revealed to have fundamental and critical problems with its encryption algorithm, requiring security patching to avoid leaving recent Samsung phones wide open to attackers.

The prior issues with TrustZone created the possibility of a remote attack that could obtain full access to a phone, but an end user would still have to be tricked into executing code (for example via a phishing email or message). The information from the Lapsus$ data breach creates the possibility of a “zero click” attack similar to the method used by the Pegasus spyware to breach iPhones last year (in which the end user could be compromised simply by receiving a tainted iMessage). Samsung patched out the prior issues with TrustZone last year, well before security researchers disclosed the issue to the public, but will now have to scramble to catch up to a sudden public reveal by a threat group.

Source code theft could create devastating loss for Samsung

Samsung is struggling with a string of data breaches and bad publicity now dating back several years, and mostly centered on its flagship line of Galaxy phones. Aside from the encryption issue with these models, the most recent problem has been the discovery that the “Game Optimizing Service” is throttling the performance of some 10,000 popular apps (including TikTok and Instagram). Samsung says that the feature is meant to “balance performance and cooling” and has pledged to push out a software update that allows users to control the performance of these apps.

Oliver Pinson-Roxburgh, CEO at Bulletproof and Defense.com, points out that though Lapsus$ is an emerging new name it looks as if they used a tried and true technique to gain access to Samsung: “It seems that Lapsus$ managed to gain access to this information by using what is called a double extortion method of operation. This specific method of extortion originates following a traditional phishing attack/compromising a user, and snowballs into machine system encryption, finally holding the acquired data to ransom. 83% of cyber incidents are phishing attacks, and it still represents the most pressing threat to businesses decades after the method was first used … Businesses should advise their users to reset their Samsung accounts and enable the MFA functionality that exists in the Samsung online accounts as it will no doubt be leaked. Training users to ensure that they do not reuse passwords is crucial exactly because of threats like this.”

The data breach does not necessarily present an immediate threat to Samsung Galaxy users, but the source code is likely to eventually be put to use in developing rootkits and other types of attacks. Keeping on top of security patching will be more important than ever for owners of these phones, and those that lose support may become dangerously vulnerable as soon as patching stops. Samsung’s policy with the S20 series is generally three to four years of updates after release, though they can receive security patches for a longer period. Support for the S8 (released in 2017) stopped in mid-2021; the S9 no longer receives Android updates but still receives security patches at this time. Exceptions are sometimes made for older phones when there is a very serious security issue, however, and attacks that stem from this data breach would appear to be good candidates.

At the very least, Galaxy users should consider the default Samsung Pass password storage to be at risk and consider an alternative with a good reputation. There also may be something of a silver lining to this data breach, at least to tinkerers and hackers that like to install custom operating systems and modernize older devices; with the source code available this could now be a much easier prospect for Galaxy phones, which are known for tripping a hardware fuse that bricks the device when attempts are made.