Massive Security Flaw Puts 600 Million Samsung Smartphones at Risk
A huge vulnerability in software that comes pre-installed on Samsung phones is reportedly putting as many as 600 million mobile device users at risk of being hacked. Mobile security firm NowSecure’s Ryan Welton uncovered an issue in the SwiftKey keyboard that comes bundled with Samsung phones, including the Galaxy S3, S4, S5, S6, and Galaxy Note 3 and 4.
SwiftKey bills itself as having an “autocorrect that actually works.” The software lets you slide from letter to letter rather than tap the keys. But Samsung users looking for a more productive way to type out messages may pay a price for it: according to Welton, the keyboard allows an attacker to remotely execute code as a privileged system user.
“It’s unfortunate but typical for OEMs and carriers to pre-install third-party applications to a device. In some cases these applications are run from a privileged context,” Welton said. “The Swift keyboard comes pre-installed on Samsung devices and cannot be disabled or uninstalled. Even when it is not used as the default keyboard, it can still be exploited.”
A Notch Short of Root Access
Essentially, the code reveals that the keyboard is signed with Samsung’s private signing key and runs in one of the most privileged contexts on the device -- the system user. That’s just a notch short of root. The good news is that not just any novice attacker can exploit the vulnerability.
“The attack vector for this vulnerability requires an attacker capable of modifying upstream traffic,” Welton said. “The vulnerability is triggered automatically -- no human interaction -- on reboot as well as randomly when the application decides to update.”
The vulnerability opens the door to geographically proximate attacks -- such as rogue Wi-Fi access points or cellular base stations -- or attacks from local users on the same network, including ARP poisoning. Welton said fully remote attacks are also feasible via DNS hijacking, packet injection, a rogue router or a rogue ISP.
“Unfortunately, the flawed keyboard app can’t be uninstalled or disabled. Also, it isn’t easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update,” Welton said. “To reduce your risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing.”
Making Matters Worse
We asked Lane Thames, security researcher at advanced persistent threat protection firm Tripwire, for his reaction to the vulnerability. He told us it’s irritating because most users will not be able to uninstall the vulnerable software and, to make matters worse, most carriers are not yet shipping patches.
“There are many good keyboards available for the Samsung device so a simple solution is to just remove the vulnerable keyboard,” Thames said. “Unfortunately, neither Samsung nor most wireless carriers want you to do that, usually for the same reasons they sell locked phones.”
On the plus side for the end user, this vulnerability requires a bit of effort to successfully exploit, according to the technical details that have been released, Thames said. Specifically, it requires a man-in-the-middle attack infrastructure where a vulnerable keyboard application initiates a language pack download or update.
“From the details, this update-download initiation occurs after boot and periodically during normal use,” Thames said. “To minimize risk until a patch is available, users should refrain from rebooting their device if connected to a Wi-Fi network and should refrain from connecting to unknown or insecure Wi-Fi networks.”
Thames noted that this includes all public Wi-Fi networks at coffee shops and hotels. SwiftKey could be exploited over the cellular network, but that's harder technically -- only the most experienced attackers would have the skills to exploit it there, he said.
Posted: 2015-06-27 @ 8:33pm PT
Very disturbing. Second recent article of this type. First on their preloaded Internet browser, which can't be deleted either, but forcibly disabled. Forwarded article to T Mobile & Lookout. Thank you.
Posted: 2015-06-25 @ 8:06pm PT
When will Samsung post an OS update for S3 users regarding the Swiftkey language update security flaw?
Posted: 2015-06-25 @ 7:06am PT
Not surprising but scary for the enterprise since -- in most organizations -- mobile security and IT security are handled by different departments.
--Karen J. Bannan, commenting on behalf of IDG and FireEye.
Posted: 2015-06-25 @ 3:04am PT
This was a vulnerability caused by the Samsung original implementation rather than the Swiftkey software.
Posted: 2015-06-18 @ 2:20am PT