Google Project Zero researcher Jann Horn studied the Android kernel Samsung ships with its Galaxy A50 phones and concluded that the security mechanisms Samsung's engineers added to the kernel not only fail to provide full protection but also create additional attack vectors.
Horn notes that he did not examine the kernels of other Samsung devices, but believes that such vendor-specific modifications can in general introduce vulnerabilities and make attacks harder to counter. Worse, the practice is common among smartphone manufacturers: they often add questionable code to the Linux kernel, and upstream developers neither review nor have any control over these changes.
In particular, the Samsung kernel includes a feature meant to protect user data from being read or modified by an attacker. Horn found that this feature not only fails at its task but also contains vulnerabilities that can be used to execute arbitrary code. The issue affected Samsung's additional security subsystem PROCA (Process Authenticator).
The researcher's proof-of-concept exploit demonstrates that an attacker can gain access to an account database containing sensitive authentication tokens.
Exploiting the problem also relies on an old vulnerability, an information disclosure bug in the Linux kernel tracked as CVE-2018-17972. It was fixed long ago in both the mainline Linux kernel and the Android common kernel, but, as it turned out, not in the kernel that Samsung ships on its phones.
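A quick way to tell whether a device kernel still carries CVE-2018-17972 is to read /proc/self/stack as an unprivileged user: the upstream fix ("proc: restrict kernel stack dumps to root") makes that read fail with EPERM for callers without CAP_SYS_ADMIN, whereas an unpatched kernel returns the process's kernel stack frames and their addresses. The script below is an added example written for this article; it is not Horn's code or Samsung's, and the function names and the sample outputs used in its comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article or Project Zero): check whether a kernel
# still has the CVE-2018-17972 /proc/<pid>/stack information leak.
# Must be run as an unprivileged user (for example "adb shell" on Android),
# because root is allowed to read the file even on a patched kernel.

# Classify the outcome of an unprivileged read of /proc/self/stack.
#   $1 = exit status of the read, $2 = captured stdout/stderr text
# Prints one of: patched, vulnerable, unavailable
classify_stack_read() {
    status="$1"
    output="$2"
    if [ "$status" -eq 0 ]; then
        # On an unpatched kernel the read succeeds and prints frame lines such as
        # "[<0>] do_syscall_64+0x4e/0x110" (constructed sample), i.e. kernel addresses.
        if printf '%s\n' "$output" | grep -q '^\[<'; then
            echo vulnerable
        else
            echo unavailable
        fi
    else
        case "$output" in
            # The upstream fix returns -EPERM; EACCES shows up when another
            # user's task is targeted. Either way the leak is closed for us.
            *"Operation not permitted"*|*"Permission denied"*) echo patched ;;
            # No such file: CONFIG_STACKTRACE is off or this is not Linux.
            *) echo unavailable ;;
        esac
    fi
}

# Run the live check on this machine and print the classification.
check_proc_stack_leak() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "run as an unprivileged user: root may read /proc/<pid>/stack even when patched" >&2
        return 2
    fi
    out=$(cat /proc/self/stack 2>&1)
    classify_stack_read "$?" "$out"
}

# Usage: sh check_stack_leak.sh run
case "${1:-}" in
    run) check_proc_stack_leak ;;
esac
```

On an Android device the same check is `adb shell cat /proc/self/stack`: "Operation not permitted" means the fix is present, a list of `[<...>] function+0x...` frames means the kernel is leaking addresses that an exploit can use to bypass KASLR. Note that SELinux policy on some builds may deny the read for reasons unrelated to this CVE, so a denial is evidence of the fix only when it is EPERM from the proc handler itself.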
“Samsung’s defense mechanisms do not provide complete protection against intruders trying to hack your phone; they only block the simplest root tools that are not customized for Samsung devices. I believe that such modifications are not worth the cost, since they make it difficult to switch to a new kernel (which should happen more often than it does now) and add additional attack surface,” writes Horn.
He notes that PROCA is designed to constrain an attacker who has, in effect, already obtained kernel read and write access. In Horn's view, Samsung would build a more effective defense by directing those resources toward ensuring that the attacker never gains such access in the first place.
Samsung has already fixed these and other vulnerabilities (including CVE-2018-17972) as part of its February security updates.