Recently, Samsung vulnerability testing specialists announced that they would implement a number of modifications to Android kernel code, in an attempt to prevent some common attack variants against users of Galaxy devices.
Despite these efforts, Google Project Zero experts revealed that these modifications ended up exposing the devices to more security issues. They have therefore asked Samsung and other smart device manufacturers to rely on the security features that already exist, because the manufacturers do not have control over the failures that can arise from these kernel modifications.
According to Jann Horn, a vulnerability testing specialist and member of Project Zero, this error (common among smart device developers) is related to the addition of code to the downstream Linux kernel that upstream kernel developers have not reviewed.
While these modifications are geared towards device security, developers at manufacturer companies do not consider the failures that these slight alterations could cause elsewhere in the system. In the case of Samsung, the modifications caused a memory corruption flaw in the security subsystem called Process Authenticator. This bug was reported to Google and fixed in the Galaxy device update for February.
Galaxy updates for February also included security patches to fix a security flaw affecting devices with a Trusted Execution Environment (TEE), an isolated security area on each device's processor. It has not yet been determined whether there is a link between the modifications made by Samsung and the presence of this flaw.
In their report, Project Zero vulnerability testing specialists claim that most of Samsung's kernel modifications are unnecessary and would not affect the operation of Galaxy devices if they were removed.
The International Institute of Cyber Security (IICS) notes that such kernel modifications could be better implemented if they were upstreamed or moved to user-space drivers, where they can be written in more secure programming languages or run in isolated environments, and where they would no longer cause problems for later kernel versions.