(UPDATE: In a June 18 blog posting, Samsung acknowledged the flaw with the SwiftKey integration and said it would be pushing out a security update "in a few days." Because the update will use Samsung's Knox security platform, installed on all Galaxy devices beginning with the S4, it will bypass the carriers and go directly to the phones.)
Chicago-based mobile-security firm NowSecure has found a flaw that could give hackers nearly complete control over Samsung's Galaxy S6, S5, S4 and S4 Mini devices, including the phones' cameras and microphones. The vulnerability, which may affect up to 600 million handsets, stems from Samsung's pre-installed version of the popular SwiftKey keyboard; Samsung does not encrypt the executable files it transmits as updates to users.
The flaw was made public only yesterday (June 16) at the Black Hat London security conference, but NowSecure says it notified Samsung in December 2014, and that the handset maker distributed a patch to cellular network operators earlier this year.
However, there appears to be no way in which an end user can confirm that his or her device has been patched by the carrier, nor any available method of user mitigation. NowSecure advises that Samsung Galaxy users should consider switching to a different brand of phone for the time being. (Samsung did not immediately respond to a request for comment from Tom's Guide.)
Malicious hackers could exploit the flaw to conduct man-in-the-middle attacks on Samsung devices operating on an unsecured Wifi network, or set up fake cellular base stations to do the same. The attacker would prompt the Samsung keyboard app to accept and install a malicious update file.
Because the keyboard app (which is separate from the stand-alone SwiftKey app available in the Google Play store) runs as a privileged user, it has much more access to the Android operating system than a regular app would, and a malicious update would turn the keyboard app into super-malware capable of almost anything. An attacker could peep through your camera, listen to your microphone (your calls, for example), access your GPS transceiver to track your location, install more malicious apps and access photos stored on your device.
Updating the stand-alone SwiftKey app is pointless, since it is separate from the built-in Samsung keyboard (which cannot be uninstalled), as is switching to another default keyboard, since the Samsung keyboard will continue to run in the background.
Since a patch does exist for this specific vulnerability, and the exploit is so far only a proof of concept, it may all seem like not much to worry about. Unfortunately, there is plenty of opportunity for copycat hacks, as NowSecure has posted the code behind its exploit. Furthermore, mobile network operators are notoriously slow at pushing out updates, and not informing end users of what's being fixed when updates are pushed out.
According to NowSecure, as of July 16, the following devices have not received that patch from their mobile network providers:
- Samsung Galaxy S6 on Verizon
- Samsung Galaxy S6 on Sprint
- Samsung Galaxy S5 on T-Mobile
- Samsung Galaxy S4 Mini on AT&T
As for an additional dozen Galaxy devices on the major carriers that may be vulnerable, the firm has yet to test them. But in its technical report, NowSecure does have some very blunt advice for all owners of Samsung Galaxy S6, S5, S4 and S4 Mini smartphones: "Avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing."
- 12 Computer Security Mistakes You’re Probably Making
- Your Router's Security Stinks: Here's How to Fix It
- What to Do After a Data Breach