Samsung Electronics, the maker of the popular Galaxy line of smartphones and tablets, has acknowledged a data breach that included source code for its Galaxy devices.
The breach, announced March 7, reportedly included source code for some Samsung technologies and algorithms for biometric unlock operations.
However, the stolen data do not include the personal information of customers or employees, the company said in a statement. “Currently, we do not anticipate any impact to our business or customers,” the company said. “We have implemented measures to prevent further such incidents and will continue to serve our customers without disruption.”
Lapsus$, a hacking group that recently breached computer hardware maker Nvidia, claimed responsibility for the Samsung attack, although Samsung didn’t name the group. The hackers posted nearly 200 gigabytes of Samsung data online.
While Samsung’s statement said the breach wouldn’t disrupt its operations, the attack could create significant headaches for the company over the longer term, some cybersecurity professionals believe.
Lapsus$ can profit from the attack in many ways, said Chris Olson, CEO of digital security provider
The Media Trust
. The group can threaten to release more of Samsung’s data if conditions are not met, or it could exploit its knowledge of the source code to launch future attacks on the company’s devices. They could also “sell that code, or data acquired in future attacks, on dark web markets,” he told the Washington Examiner.
Users of Samsung devices have reason to be concerned, but they also expose themselves to hackers through the websites they visit and the apps they install, Olson said. Recently, a banking malware
called SharkBot
was discovered in apps distributed through the Google app store, he said.
He added that access to the source code could lead attackers to discover vulnerabilities in Samsung devices. And with access to biometric unlock operation, “the potential for consumer-directed attacks is practically unlimited,” Olson said. “Lapsus$ could steal any information on Samsung devices — including texts, personally identifiable information, or credit card details — and even authorize payments to themselves through the user’s mobile wallet.”
The breach of biometric unlock operations could lead to several problems, added David Nuti, senior vice president of
Nord Security
for North America. “Your smartphone may no longer recognize your face or fingerprint, locking you out of your own information,” he told the Washington Examiner. “If a bad actor can simulate an approved biometric access, they would have access to your information without the need to compromise a password.”
Not a lot is known about Lapsus$ and its motivations. Still, by sharing nearly 200GB of Samsung data, they enable other attackers, said Dave Stapleton, chief information security officer at cybersecurity provider
CyberGRX
.
“It is at least possible that they have obtained information that would make it possible to develop grievous attacks against Samsung Galaxy smartphones,” he said. “Whether or not that was the intent of their breach of Samsung is yet to be seen.”
However, Lapsus$ has posted Samsung data, “and it is being downloaded by any number of other threat actors as we speak,” Stapleton told the Washington Examiner. “So regardless of Lapsus$’s intent, significant damage has likely been done, and we should prepare for cyberattacks against Samsung Galaxy phones in the future.”
In the first days after the attack, he noted that the hacking group didn’t appear to make a ransom demand as many other hacking groups often do. “It is possible they have begun a campaign with the primary goal of increasing their notoriety and standing in the threat actor community,” he said. “In the case of Lapsus$, they are likely seeking future revenue opportunities and may want to use this campaign to disrupt, entice customers, identify potential partners, and attract talent.”
