ZeroBoot: New Flaw Bypasses Samsung Galaxy Encryption with Physical Access
A researcher known under the pseudonym Vulndisclosure has reported a vulnerability, dubbed ZeroBoot, that enables an attacker to bypass file-based encryption (FBE) on the Samsung Galaxy A25 5G and access user data without entering a password. According to the author, the flaw stems from a race condition during the device’s boot sequence and carries a CVSS score of 8.2, placing it firmly within the high-severity category.
The essence of the bug lies in a brief, roughly 736-millisecond window that appears under certain boot conditions, during which key system components fall out of sync. The lock screen has not yet appeared, but the MTP (USB file transfer) and ADB (USB debugging) services have already initialized and provide access to decrypted data without any password. This occurs because the lock-screen interface, encryption policies, and the Keyguard protection service are initialized in parallel yet complete their startup at different times.
Exploitation is possible only with physical access to the device and under a precise set of conditions. According to the researcher, a successful proof-of-concept was achieved when the device temperature was approximately 5°C, the battery was fully discharged (triggering an automatic shutdown), a pause of around 16 seconds was observed after power-off, the phone was then connected to a charger supplying roughly 1000 mA, and RAM usage was between 3.7 and 3.8 GB. Under these circumstances, the attack succeeded in roughly 87% of attempts.
In demonstrating ZeroBoot, the researcher showed that within this 736-millisecond interval, it is possible to copy user files, execute system commands without authentication, install a backdoor, or alter settings to maintain persistent access to the device. In the author’s view, the flaw poses particular risk to the corporate sector and to forensic investigations, as it circumvents protections intended to remain effective until the device owner enters a password.
The researcher also criticized the manufacturer’s response. According to him, the vendor attempted to attribute the issue to the presence of Magisk, despite the fact that this tool loads only after the kernel and does not affect the vulnerable portion of the boot chain. Moreover, correspondence published by the researcher indicates that Samsung allegedly recommended using a third-party website to download firmware and suggested testing an older Android version—even though the device is protected by anti-rollback mechanisms.
As mitigation, the researcher proposes synchronizing the initialization of SystemUI, encryption-state verification, and the lock-screen display, as well as adding checks for abnormal temperature and power conditions during boot. Although he initially planned to withhold details until an official patch was released, he ultimately published a full report with supporting evidence on GitHub.
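The race described above and the synchronization the researcher proposes, modelled as an added Python example (not code from the report, from the researcher, or from Samsung); the service names, timings and thresholds are constructed assumptions, chosen only so that the unsynchronized window matches the reported 736 ms:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    start_ms: int     # boot services are launched in parallel
    duration_ms: int  # init time under the given boot conditions (constructed)

    @property
    def ready_ms(self) -> int:
        return self.start_ms + self.duration_ms


# Constructed timings: not measurements from the device or the report.
KEYGUARD = Service("keyguard/lockscreen", start_ms=0, duration_ms=2400)
DATA_SERVICES = (
    Service("mtp", start_ms=0, duration_ms=1664),
    Service("adb", start_ms=0, duration_ms=1700),
)


def exposure_window_ms(data_services, keyguard, gate_on_keyguard):
    """Milliseconds during which a data-exposing service (MTP/ADB) accepts
    connections while the lock screen is not yet up; 0 means no window."""
    window = 0
    for svc in data_services:
        # Hardened form: the accept-connections step also waits for the
        # keyguard-ready / encryption-state-verified event, so the service
        # can never come up before the lock screen, whatever its init time.
        accept_at = max(svc.ready_ms, keyguard.ready_ms) if gate_on_keyguard else svc.ready_ms
        window = max(window, keyguard.ready_ms - accept_at)
    return window


def boot_conditions_abnormal(temp_c, low_battery_shutdown):
    """Flag a boot as abnormal so stricter synchronization and logging apply.
    The 10 C threshold is an assumption for illustration, not from the report."""
    return temp_c < 10 or low_battery_shutdown


if __name__ == "__main__":
    for gated in (False, True):
        print(f"gated={gated}: exposure window "
              f"{exposure_window_ms(DATA_SERVICES, KEYGUARD, gated)} ms")
    print("abnormal boot:", boot_conditions_abnormal(5, True))
```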