While Samsung offered reassurance that neither customer nor employee personal information had been compromised, that’s only one possible avenue for the hackers to take. The data that was taken, which the hackers’ claim includes biometric authentication algorithms and bootloader source code, could still be used in damaging ways. “Most high-profile breaches have resulted in the loss of personal data that has the potential to impact individuals,” said Purandar Das, CEO and co-founder of encryption-based data security solutions company Sotero, in an email to Lifewire, “Establishing a baseline that personal data wasn’t lost is more of a reflex response and not truly indicative of the adverse potential any data breach poses.”
Finding Cracks
A big concern security experts have about the Galaxy device source code leak is what that code could be used for. Granted, it’s not exactly a key to the proverbial city of Samsung devices; hackers aren’t going to be able to instantly compromise critical systems or anything like that. But they could use the data to find vulnerabilities that may not have been discovered yet, then figure out ways to exploit them. “While every software program and every device contain some vulnerabilities, the process of finding these bugs can be extremely time-consuming and difficult,” said Brian Contos, 25-year cybersecurity veteran and Chief Security Officer of Phosphorus Cybersecurity, in an email to Lifewire. “But if you have access to the full source code, it makes the process substantially easier.” Hackers have been finding and taking advantage of security vulnerabilities for as long as computers have existed, but it takes time and effort. In this situation, Samsung’s source code could be used as a sort of road map or blueprint that all but eliminates the need to search for weaknesses in the first place. “Any source code that is used to operate devices or serve as authentication services on devices poses a severe problem,” Das agrees, “The code can be used to devise alternate paths, force the capture of data, or override security controls. The code can also serve as an analysis framework for security controls that can then be overridden.”
Bootloader Worries
If the bootloader source code was also compromised, as the hacking group claims, that could create a substantial security risk. Unlike the system source code mentioned previously, the bootloader is like having the keys to the city. It’s the program required to boot up a piece of hardware—applications, the operating system—it all needs to boot up, and that’s the bootloader’s primary function. If a malicious party were able to exploit a device’s bootloader, they’d basically have free reign over the entire system—provided they had the tools and the know-how. Experts agree that, with 190GB of Samsung’s stolen data available to download by pretty much anyone, there is cause for concern. “A bootloader attack is particularly worrisome because it allows the attacker to get into the device below the operating system level, which means the hacker can bypass all the security on the device,” Contos stated, “A bootloader attack can also be used to steal the user’s credentials and potentially bypass device encryption.” Unfortunately, because the compromised information could be used to help hackers discover new ways to attack Galaxy devices, there isn’t much we can do on the user level. Just try to stay as current as possible with security updates, and avoid taking unnecessary risks online. Be wary of suspicious email attachments, pay close attention to the apps you download (and inspect the permissions list), and so on. “The resolution to this is in the hands of Samsung,” Das explained, “They would have to release a patch or patches that address any known or potential vulnerabilities.” “Samsung should also ramp up its own security analysis and review of its code, to try to find these problems first,” Contos added, “In the meantime, users should be extra careful when installing apps on their phone by making sure it is a well-known and trusted app, and does not require too many permissions on the phone. They should also be very careful about leaving their phones unattended, particularly if they travel outside the US. This is true even if the device is password- or biometric-protected.”