Samsung Galaxy Phones Vulnerable to Keyboard Bug
The Swift keyboard built into some of Samsung's latest phones allows an attacker to remotely execute code, according to NowSecure, which uncovered and reported the bug late last year.
"The attack vector for this vulnerability requires an attacker capable of modifying upstream traffic," NowSecure said in a Tuesday blog post. "The vulnerability is triggered automatically (no human interaction) on reboot as well as randomly when the application decides to update."
According to the Wall Street Journal, Samsung sent a fix to wireless carriers in March. But three months later, when NowSecure tested two new Galaxy S6 handsets from Verizon and Sprint, the vulnerability was still there.
"Samsung takes emerging security threats very seriously," a company spokeswoman told PCMag in a statement. "We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security."
"Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue," she continued. "The security policy updates will begin rolling out in a few days. [W]e are also working with Swiftkey to address potential risks going forward."
Swift, meanwhile, said the bug does not affect the SwiftKey apps on Google Play or the iTunes App Store.
"We supply Samsung with the core technology that powers the word predictions in their keyboard," Swift said in a blog post. "It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability."
The company said it only learned of the flaw on Tuesday, via the Journal article, and claims it "is not easy to exploit." A user must be connected to a compromised network, and access is possible only if the user's keyboard is conducting a language update.
If used, however, the flaw allows an attacker to remotely execute code as a system user. In other words, a hacker could access your phone's GPS, camera, and microphone, secretly install malicious apps, eavesdrop on messages or voice calls, and access personal data like pictures and texts.
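The page describes the precondition (an attacker positioned to modify upstream traffic while the keyboard fetches a language update) but not the update mechanism itself. As an added illustration of the general defence against that attacker position, and not code from Samsung, SwiftKey or NowSecure, the Python below contrasts an update routine that installs whatever bytes arrive with one that verifies the download against a digest pinned inside the app before applying it. The pack bytes, pack identifier and pinned digest are constructed for the example; a production design would verify a signed manifest with a pinned public key, which the single pinned SHA-256 here stands in for.

```python
import hashlib
import hmac

# Constructed sample "language pack" standing in for a downloaded update.
GENUINE_PACK = b"lang-pack:en_US:v42:" + bytes(range(64))

# Digest shipped with the app (constructed here). In practice this would come
# from a signed manifest checked against a key the app already trusts, so a
# network-position attacker cannot substitute both the pack and its digest.
PINNED_DIGESTS = {
    "en_US/v42": hashlib.sha256(GENUINE_PACK).hexdigest(),
}


class UpdateRejected(Exception):
    """Raised when a downloaded pack fails integrity verification."""


def fetch_pack(network_bytes: bytes) -> bytes:
    """Stand-in for the network fetch: these bytes crossed an untrusted path."""
    return network_bytes


def tampered(data: bytes) -> bytes:
    """Simulate an on-path modification of the upstream response (flip last byte)."""
    return data[:-1] + bytes([data[-1] ^ 0xFF])


def apply_update_unchecked(pack_id: str, network_bytes: bytes) -> str:
    """Weak pattern: trusts the network and installs whatever arrived."""
    data = fetch_pack(network_bytes)
    return f"installed {pack_id} ({len(data)} bytes)"


def verify_pack(pack_id: str, data: bytes) -> bool:
    """True only if the pack matches the digest pinned for this pack id."""
    expected = PINNED_DIGESTS.get(pack_id)
    if expected is None:
        return False  # unknown pack id: nothing to verify against, reject
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def apply_update(pack_id: str, network_bytes: bytes) -> str:
    """Hardened pattern: verify before install; a mismatch discards the download."""
    data = fetch_pack(network_bytes)
    if not verify_pack(pack_id, data):
        raise UpdateRejected(f"{pack_id}: digest mismatch, update discarded")
    return f"installed {pack_id} ({len(data)} bytes)"


if __name__ == "__main__":
    forged = tampered(GENUINE_PACK)
    # The unchecked routine happily installs the modified pack.
    print("unchecked:", apply_update_unchecked("en_US/v42", forged))
    # The verifying routine installs the genuine pack and rejects the modified one.
    print("verified: ", apply_update("en_US/v42", GENUINE_PACK))
    try:
        apply_update("en_US/v42", forged)
    except UpdateRejected as err:
        print("rejected: ", err)
```

The point of the contrast is that "avoid insecure Wi-Fi" only reduces exposure to the precondition, whereas integrity verification removes the attacker's ability to turn a modified response into installed code regardless of the network.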
The bug can be found in the Galaxy S4, S4 mini, S5, and new flagship Galaxy S6. NowSecure has a "patch status" list of phones that have and have not received a fix from their carrier.
"We are aware of a possible security risk associated with the keyboard technology on Samsung devices and are actively partnering with Samsung to address any potential impact to our customers as quickly as possible," a T-Mobile spokeswoman told PCMag.
AT&T did not immediately respond to a request for comment.
The keyboard app cannot be uninstalled. If you're concerned, NowSecure suggested avoiding insecure Wi-Fi networks, using a different phone, or contacting carriers for patch information.
According to the Journal, NowSecure CEO Andrew Hoog does not know of any incidents where hackers have exploited the flaw.