Samsung’s Galaxy S7 smartphones contain a microchip security flaw, uncovered earlier this year, that has put tens of millions of devices at risk to hackers looking to spy on their users, researchers told Reuters.
The Galaxy S7 and other smartphones made by Samsung Electronics Co Ltd were previously thought to be immune to a security vulnerability known as Meltdown, which researchers said earlier this year was present in most of the world’s PCs, smartphones and other computing devices.
But researchers from Austria’s Graz Technical University told Reuters they have figured out a way to exploit the Meltdown vulnerability to attack Galaxy S7 handsets.
Samsung said it rolled out security patches to protect Galaxy S7 handsets from Meltdown in January, followed by a further software update in July.
“Samsung takes security very seriously and our products and services are designed with security as a priority,” the company said in a statement.
The Graz team plans to release its findings on Thursday at the Black Hat security conference in Las Vegas. It is looking in to Meltdown’s impact on other makes and models of smartphones and expects to uncover more vulnerable devices in the near future, researcher Michael Schwarz told Reuters.
“There are potentially even more phones affected that we don’t know about yet,” he said. “There are potentially hundreds of million of phones out there that are affected by Meltdown and may not be patched because the vendors themselves do not know.”
The Galaxy S7 is used by some 30 million people worldwide, according to research firm Strategy Analytics. Samsung has released two new versions of its flagship Galaxy line of smartphones since the S7 debuted in 2016.
A Samsung spokeswoman did not comment on how many Galaxy S7 smartphones had been sold. She said there were no reported cases where Meltdown had been exploited to attack an S7 handset and that no other Samsung phones were known to be vulnerable.
Meltdown, and a second vulnerability known as Spectre, can be used to reveal the contents of a computer device’s central processing unit – designed to be a secure inner sanctum – either bypassing hardware barriers or tricking applications into giving up secret information such as passwords or banking details.
There are no known cases of hackers exploiting either vulnerability in a real-world attack, but disclosure of the widespread hardware flaws has rocked the computer industry, forcing chipmakers and device manufacturers to scramble to contain the fallout.