As many as 600 million Samsung mobile devices vulnerable to keyboard update flaw

Shawn Knight


An estimated 600 million Samsung mobile devices may be impacted by a security flaw relating to a pre-installed keyboard.

The vulnerability was discovered by mobile security specialist Ryan Welton of NowSecure. As Welton points out, the pre-installed SwiftKey keyboard looks for language pack updates in an unencrypted, plaintext manner. Because of this, it’s possible for an attacker to intercept the update and insert malicious code without raising suspicion.

If exploited, an attacker could pull off a number of mischievous activities including accessing sensors and resources like the camera and microphone, installing other malicious software without detection, manipulating information and settings on a phone, eavesdropping on text messages and voice calls and even potentially accessing pictures stored on the device.

It’s worth noting that the Swift keyboard that comes pre-installed can’t be disabled or uninstalled. Furthermore, a user does not have to explicitly choose to download a language pack update to trigger the exploit. Even if the keyboard isn’t the default keyboard, it can still be exploited.

Welton said he discovered the vulnerability late last year and notified Samsung. Given the magnitude of the issue, NowSecure reached out to CERT and also informed the Google Android security team.

NowSecure notes that Samsung began providing a patch to mobile network operators in early 2015. It’s unknown, however, if carriers have since provided the patch to devices on their network. It’s additionally difficult to determine exactly how many devices remain vulnerable due to the sheer number of susceptible devices worldwide as well as the wealth of different network operators operating around the globe.
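
The following Go example is added here for illustration and is not code from NowSecure, Samsung or SwiftKey. It models an update arriving over a plaintext channel and shows that a checksum shipped alongside the payload does not detect deliberate modification, while a signature checked against a key built into the client does. The `Update` type, the function names and the sample bytes are assumptions constructed for the example, which applies to any update client rather than this keyboard specifically.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Update is everything the client receives over the network. All three
// fields share one channel, so anyone on the path can rewrite them.
type Update struct {
	Payload []byte // language pack bytes
	Digest  []byte // SHA-256 the sender claims for Payload
	Sig     []byte // Ed25519 signature made by the vendor over Payload
}

// verifyDigestOnly trusts a checksum delivered with the payload. It catches
// accidental corruption, not modification by someone who can recompute it.
func verifyDigestOnly(u Update) bool {
	sum := sha256.Sum256(u.Payload)
	return bytes.Equal(sum[:], u.Digest)
}

// verifySigned checks the payload against a public key shipped inside the
// client, which the network cannot replace.
func verifySigned(pinned ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pinned, u.Payload, u.Sig)
}

// modifyInTransit models a change made on the wire: new payload, matching
// digest, but the old signature, because the private key is not available.
func modifyInTransit(u Update, p []byte) Update {
	sum := sha256.Sum256(p)
	return Update{Payload: p, Digest: sum[:], Sig: u.Sig}
}

// demo reports whether each check accepts a modified or a genuine update.
func demo() (digestAcceptsModified, sigAcceptsModified, sigAcceptsGenuine bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	pack := []byte("constructed language pack v2") // sample data
	sum := sha256.Sum256(pack)
	genuine := Update{Payload: pack, Digest: sum[:], Sig: ed25519.Sign(priv, pack)}
	modified := modifyInTransit(genuine, []byte("constructed modified pack"))
	return verifyDigestOnly(modified), verifySigned(pub, modified), verifySigned(pub, genuine)
}

func main() { fmt.Println(demo()) } // prints: true false true
```
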


 
My 1.9GHz Snapdragon 600 S4 didn't come with a Swift keyboard.
Says it has a 'Samsung Keyboard'.
 
> My 1.9GHz Snapdragon 600 S4 didn't come with a Swift keyboard.
> Says it has a 'Samsung Keyboard'.
By SwiftKey they mean the tech they use to predict your words (they licensed it from SwiftKey) and it has absolutely 0 to do with it. It is the Samsung keyboard that has the vulnerability and you have that. This does not affect the actual SwiftKey keyboard only the Samsung keyboard since Samsung did something stupid and gave their keyboard system level permissions.
 
Out of paranoia, on my Android Firewall I've always blocked internet connection to the SwiftKey keyboard and freeze/turn off any other keyboard.
Screw the updated language packs, I know how to type.
 
If I was to worry about every security vulnerability or even take some of them seriously then I'd cut my data connection, throw away my smartphone, close all my online accounts and other accounts, draw all my money out of the bank and store it under my mattress then chuck my bank cards away and live like a recluse. I use SwiftKey on my Samsung device out of choice and I'm certainly not going to let this article change my mind.
 
> By SwiftKey they mean the tech they use to predict your words (they licensed it from SwiftKey) and it has absolutely 0 to do with it. It is the Samsung keyboard that has the vulnerability and you have that.
I have been reading into this and they say you have to download the SwiftKey keyboard to be eligible for its update vulnerability. They are not the same, and nowhere does it say anything about the Samsung Keyboard having issues, just Samsung devices.
 
> > By SwiftKey they mean the tech they use to predict your words (they licensed it from SwiftKey) and it has absolutely 0 to do with it. It is the Samsung keyboard that has the vulnerability and you have that.
> I have been reading into this and they say you have to download the SwiftKey keyboard to be eligible for its update vulnerability. They are not the same, and nowhere does it say anything about the Samsung Keyboard having issues, just Samsung devices.
https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/

Keep reading a bit more, that is the place that found the bug and it states that the SwiftKey keyboard from the Play store is not affected and ONLY the Samsung keyboard that uses the Swift SDK is. Also you can find videos of how this works and in every one you have to do a system update (not an update for the keyboard) for it to happen, pointing the finger at Samsung and not Swift.
 
> Keep reading a bit more, that is the place that found the bug and it states that the SwiftKey keyboard from the Play store is not affected and ONLY the Samsung keyboard that uses the Swift SDK is.
You are correct, issue has been resolved already and they are sending out a patch. Not a big deal for the most part anyways:
particular set of conditions need to be met before any damage could be done
http://slashdot.org/story/15/06/20/2213247/samsung-fixes-cellphone-keyboard-vulnerability
 
> You are correct, issue has been resolved already and they are sending out a patch. Not a big deal for the most part anyways:
> http://slashdot.org/story/15/06/20/2213247/samsung-fixes-cellphone-keyboard-vulnerability
Yes, it needs to be an unknown network and it has to be one that someone set up to take advantage of this bug AND you need to do a system update while on this network. Honestly the amount of people who would fall victim to this is extremely tiny but it is a good thing to bring attention and fix it now.
 