
Samsung Galaxy phones at risk from massive security flaw

Security researchers have gone public with details of a security flaw that, they say, could impact over 600 million Samsung mobile devices worldwide – including the recently released Galaxy S6.

The problem, claim researchers at security firm NowSecure, lies inside the SwiftKey keyboard pre-installed on Samsung devices.


If successfully exploited, the vulnerability could lead to attackers remotely accessing your device to spy through its camera or microphone, track your physical location via GPS, install malicious apps without you knowing, steal information and even eavesdrop on your messages and voice calls.

Worst of all, the threat is compounded by the fact that the keyboard cannot be disabled or uninstalled, and even if the SwiftKey keyboard is not the default keyboard on your Samsung device, it can still be exploited.

In other words – it’s potentially a massive security risk.

So what precisely is the problem with the SwiftKey keyboard pre-installed on Samsung devices?

Well, NowSecure researchers claim that the keyboard updates itself by downloading a ZIP archive of new files via an unsecured, unencrypted HTTP connection rather than HTTPS. The authenticity of the update is not checked, meaning that an attacker could potentially intercept the download – perhaps when a target is using a malicious WiFi hotspot – and send the phone malware instead, bundled inside the archive.

The update process has system-level access, giving the attackers the ability to overwrite files on the Samsung smartphone, injecting malware.
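
The checks described above as missing, shown as an added Python example that is not code from Samsung, SwiftKey or NowSecure: it requires HTTPS, compares the archive against a digest assumed to come from a trusted manifest, and confines extraction to one directory. The function names, URL and file names are hypothetical, and the containment step is a general hardening measure rather than a detail taken from the report.

```python
import hashlib
import hmac
import io
import os
import zipfile
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when an update fails a check; nothing has been written."""


def make_archive(members):
    """Build a constructed sample ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def install_update(url, archive, expected_sha256, dest_dir):
    """Check a downloaded ZIP, then extract it; raise before writing anything.

    expected_sha256 is assumed to come from a manifest obtained over a
    trusted channel (for example signed, or shipped with the firmware).
    """
    # 1. Transport: refuse anything that was not fetched over TLS.
    if urlparse(url).scheme != "https":
        raise UpdateRejected("update URL is not HTTPS")
    # 2. Authenticity: the bytes must match the trusted digest.
    actual = hashlib.sha256(archive).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise UpdateRejected("archive digest does not match manifest")
    # 3. Containment: every member must resolve inside dest_dir, so a
    #    privileged updater cannot be made to overwrite files elsewhere.
    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
        for name in names:
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                raise UpdateRejected("member escapes update directory: " + name)
        zf.extractall(root)
    return sorted(names)
```

All three checks run before `extractall`, so a rejected archive leaves the destination directory untouched.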

NowSecure says that it informed Samsung of the issue in late 2014, and has also informed the Google Android Security team.

And although Samsung is thought to have begun providing mobile operators with a patch for the so-called “Samsung stock keyboard using the SwiftKey SDK” in early 2015, it is difficult for mobile device users to know if their carrier has patched the problem and many customers could still be at risk:

“It is unknown if the carriers have provided the patch to the devices on their network. In addition, it is difficult to determine how many mobile device users remain vulnerable, given the devices models and number of network operators globally.”


SwiftKey has responded to the news reports of the vulnerability, putting the blame at Samsung’s door:

“We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue.”

“The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”

SwiftKey says that its standalone keyboard apps, available in the Google Play and iOS App Store, are not affected by the vulnerability, but that is little consolation for the at-risk Samsung users. Sorry Samsung phone owners, but downloading a safe version of the app from the Google Play store won’t help you.

In the meantime, while you wait for confirmation from your mobile phone carrier as to whether you are protected or not, you might be wiser to always ensure that you are using a VPN to encrypt your internet connection. In fact, that’s probably a good idea regardless in this day and age.

For more details, check out the NowSecure blog, which lists some of the Samsung devices known to be impacted, and its technical analysis of the vulnerability.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

3 Comments


  • So assuming someone were to filter a connection via a MITM attack they could easily brick a phone, or better yet access SwiftKey's servers due to the low level security. Now they are pointing at each other's faces for the blame? That’s preposterous honestly.

    Samsung should either update the phone to not use Swift, or Swift needs to update their crap… that sucks….

  • I think that there are probably some other creative ways to exploit this vulnerability. And I learned that Samsung is going to be able to patch this using KNOX somehow. But if it was that simple, then why did they not do it sooner? Samsung gave a statement to Android Central about this.