TechSpot

As many as 600 million Samsung mobile devices vulnerable to keyboard update flaw

By Shawn Knight
Jun 18, 2015
  1.

    An estimated 600 million Samsung mobile devices may be impacted by a security flaw relating to a pre-installed keyboard.

    The vulnerability was discovered by mobile security specialist Ryan Welton of NowSecure. As Welton points out, the pre-installed SwiftKey keyboard checks for language pack updates over an unencrypted, plaintext connection. Because of this, it’s possible for an attacker to intercept the update and insert malicious code without raising suspicion.

    If the flaw is exploited, an attacker could pull off a number of mischievous activities, including accessing sensors and resources like the camera and microphone, installing other malicious software without detection, manipulating information and settings on a phone, eavesdropping on text messages and voice calls, and even potentially accessing pictures stored on the device.

    It’s worth noting that the pre-installed SwiftKey keyboard can’t be disabled or uninstalled. Furthermore, a user does not have to explicitly choose to download a language pack update to trigger the exploit. Even if the keyboard isn’t the default keyboard, it can still be exploited.

    Welton said he discovered the vulnerability late last year and notified Samsung. Given the magnitude of the issue, NowSecure reached out to CERT and also informed the Google Android security team.

    NowSecure notes that Samsung began providing a patch to mobile network operators in early 2015. It’s unknown, however, whether carriers have since provided the patch to devices on their networks. It’s also difficult to determine exactly how many devices remain vulnerable, due to the sheer number of susceptible devices worldwide and the wealth of different network operators around the globe.
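
An added example, not from the article or from NowSecure or Samsung: a minimal update check that refuses a language pack unless its digest matches a manifest that itself arrived over HTTPS, which is the property a plaintext update fetch lacks. The manifest layout, pack name and URLs are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


class UpdateRejected(Exception):
    """Raised when a downloaded language pack must not be installed."""


def verify_pack(manifest_url, manifest, name, payload):
    """Return payload only if it matches a manifest fetched over HTTPS."""
    # A digest is only as trustworthy as the channel that delivered it: over
    # plain HTTP an on-path party can rewrite the manifest and the pack alike.
    if urlsplit(manifest_url).scheme.lower() != "https":
        raise UpdateRejected("manifest fetched over cleartext")
    entry = manifest.get(name)
    if entry is None:
        raise UpdateRejected("pack not listed in manifest")
    if len(payload) != entry["size"]:
        raise UpdateRejected("size mismatch")
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        raise UpdateRejected("digest mismatch")
    return payload


def install_decision(manifest_url, manifest, name, payload):
    """Map the verification result to an install/reject decision string."""
    try:
        verify_pack(manifest_url, manifest, name, payload)
    except UpdateRejected as exc:
        return f"reject: {exc}"
    return "install"


# Constructed sample data (hypothetical pack name, URLs and manifest layout).
GOOD_PACK = b"constructed language pack contents"
TAMPERED_PACK = b"constructed language pack c0ntents"  # same length, altered
MANIFEST = {"en_GB.zip": {"size": len(GOOD_PACK),
                          "sha256": hashlib.sha256(GOOD_PACK).hexdigest()}}
HTTPS_URL = "https://updates.example.invalid/manifest.json"
HTTP_URL = "http://updates.example.invalid/manifest.json"

if __name__ == "__main__":
    for url, pack in [(HTTPS_URL, GOOD_PACK), (HTTPS_URL, TAMPERED_PACK),
                      (HTTP_URL, GOOD_PACK)]:
        print(install_decision(url, MANIFEST, "en_GB.zip", pack))
```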


     
  2. amstech

    amstech TechSpot Enthusiast Posts: 1,457   +606

    My 1.9GHz Snapdragon 600 S4 didn't come with a Swift keyboard.
    Says it has a 'Samsung Keyboard'.
     
  3. Camikazi

    Camikazi TS Maniac Posts: 817   +231

    By SwiftKey they mean the tech they use to predict your words (they licensed it from SwiftKey) and it has absolutely 0 to do with it. It is the Samsung keyboard that has the vulnerability and you have that. This does not affect the actual SwiftKey keyboard only the Samsung keyboard since Samsung did something stupid and gave their keyboard system level permissions.
     
  4. Good luck for everyone in getting an update.
     
  5. Out of paranoia, on my Android Firewall I've always blocked internet connection to SwiftKey keyboard and freeze/turn off any other keyboard.
    Screw the updated language packs, I know how to type.
     
  6. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 6,513   +2,057

    If I was to worry about every security vulnerability or even take some of them seriously then I'd cut my data connection, throw away my smartphone, close all my online accounts and other accounts, draw all my money out of the bank and store it under my mattress then chuck my bank cards away and live like a recluse. I use SwiftKey on my Samsung device out of choice and I'm certainly not going to let this article change my mind.
     
  7. amstech

    amstech TechSpot Enthusiast Posts: 1,457   +606

    I have been reading into this and they say you have to download the SwiftKey keyboard to be eligible for its update vulnerability. They are not the same, and nowhere does it say anything about the Samsung Keyboard having issues, just Samsung devices.
     
  8. Camikazi

    Camikazi TS Maniac Posts: 817   +231

    https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/

    Keep reading a bit more, that is the place that found the bug and it states that the SwiftKey keyboard from the Play store is not affected and ONLY the Samsung keyboard that uses the Swift SDK is. Also you can find videos of how this works and in every one you have to do a system update (not an update for the keyboard) for it to happen, pointing the finger at Samsung and not Swift.
     
  9. MonsterZero

    MonsterZero TS Addict Posts: 229   +89

    Download Google keyboard, the stock sammy keyboard is just terrible.
     
  10. amstech

    amstech TechSpot Enthusiast Posts: 1,457   +606

    You are correct, issue has been resolved already and they are sending out a patch. Not a big deal for the most part anyways:
    http://slashdot.org/story/15/06/20/2213247/samsung-fixes-cellphone-keyboard-vulnerability
     
  11. Camikazi

    Camikazi TS Maniac Posts: 817   +231

    Yes, it needs to be an unknown network and it has to be one that someone set up to take advantage of this bug AND you need to do a system update while on this network. Honestly the amount of people who would fall victim to this is extremely tiny but it is a good thing to bring attention and fix it now.
     
  12. Lightspeed

    Lightspeed TS Enthusiast Posts: 33

    Not true, Note 4 is the best. Numbers on top stock and all.
     
