Phone

Keyboard vulnerability may have put millions of Samsung devices at risk

A security researcher has discovered a vulnerability in default keyboard software that could leave as many as 600 million Samsung mobile devices at risk of attackers, Ryan Welton from NowSecure detailed the vulnerability present on the SwiftKey keyboard pre-installed on millions of Samsung smartphones. The keyboard’s searches for language pack updates are not sent over encrypted lines rather they’re sent in plain text. Welton was thus able to exploit this vulnerability by creating a spoof proxy server and sending malicious security updates to affected devices coupled with validating data to ensure that the malicious code remained on the device. Once Welton got his foot in the proverbial door he could escalate the attack and continue to exploit the device without the user ever knowing about it.

If an attacker was exploiting this vulnerability they could potentially siphon sensitive data off the affected devices, data which may include text messages, contacts, passwords and bank logins not to mention that the vulnerability could also be used to remotely monitor users. Samsung was told about this issue back in November last year and it provided a fix for devices running Android 4.2 or higher earlier this year in March. However NowSecure is of the view that this exploit still exists, Welton demonstrated it today at the Blackhat Security Summit in London on a Verizon Galaxy S6 and claimed to have replicated it.

NowSecure CEO Andrew Hoog believes that this exploit affects some recent devices like the Galaxy Note 4, Note 3, Galaxy S3, S4, S5 as well as the Galaxy S6 and S6 edge. This is a dilemma for users because even if they don’t use SwiftKey as the default keyboard it can’t be uninstalled from the device and Welton says that it can still be exploited even when it’s not the default keyboard.

Until Samsung provides an official fix for this exploit Welton recommends that users be extra careful of using their handsets on networks that they’re not familiar with in order to limit the chances of a man-in-the-middle attack. Attackers have to be on the same wireless network as the device that they’re targeting, remote targeting is only possible by hijacking the DNS or comprising the router from another location which while possible, is not exactly an easy feat .

Samsung has so far not commented on the issue.

Via

7 Comments

Sign in »

7
Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

arhu74
arhu74

I prefer the view of Android Police, who figured that this exploit would take a lot of unlikely scenarios to take place at the same time for it to be exploitable

timec77
timec77

I use Google Keyboard because the haptic feedback don’t work with CPU power saving mode (issues on my Note 3 with lollipop).

kronicle
kronicle

You need to do more research on this topic concerning a tiny company that tests apps for developers to find vulnerabilities. With Swiftkey Keyboard now being available on iOS App Store, you know that the very same vulnerabilities are also present on iOS as well. I simply hate the way Apple works to spread FUD and Misinformation about their greatest competitor…. but isn’t willing to allow people to know things like this company with many Apple Shills known to be working there doesn’t let us know that it also affects their dearly beloved Backdoor Funding Liars at Apple’s iOS is… Read more »

rmahmud28
rmahmud28

Not all Samsung devices come with SwiftKey.

LeifS
LeifS

Although it’s possible to exploit it this doesn’t sound like a real problem to me.

The language packs for the Samsung/SwiftKey Keyboard don’t do auto-updates, so to abuse this the victim has to be in an untrusted network situation while he’s manually updating a language pack of the keyboard which is hidden deep in the settings.

The chance is really low that this will happen in a real world scenario.

NoteLove
NoteLove

More issues. PFFT . Starting to regret switching, great hardware and much better than Apple but support and updates to fix things like this take forever. Will the new security feature on S6 detect any malicious software and inform me if i run it?

People just surf the web wisely and do not DL from outside playstore. I know people like to scare monger with Samsung so Verge and BGR can have a nice day lol

mountainmanmike
mountainmanmike

Anything in the mobile world is hackable. I just hope that when the machines take over, we will still be able to hack them.