More than 600 million Samsung mobile devices, including the Galaxy S6, are vulnerable to a security flaw that could enable hackers to take over the device. According to a report from mobile security firm NowSecure, the risk originates with the preinstalled Swift keyboard, which enables a hacker to remotely execute code as a privileged user.
According to NowSecure’s technical blog post, the Swift keyboard can’t be disabled or uninstalled, and even when it isn’t used as the default keyboard, it can still be exploited via the security flaw. On Samsung devices, the keyboard was built around the Swift SDK, which makes the Samsung keyboard app, named SamsungIME, distinctly different from the Swift keyboard that’s available in the Play store.
The version of the keyboard in the Play store is also susceptible to a remote arbitrary file write, but because it doesn’t run as a privileged user, it is unaffected by the vulnerability. The post notes, “It’s unfortunate but typical for OEMs and carriers to preinstall third-party applications to a device. In some cases these applications are run from a privileged context. This is the case with the Swift keyboard on Samsung.”
The flaw was discovered by NowSecure researcher Ryan Welton, and the firm notified Samsung of the glitch in December 2014. Because of the magnitude of the issue, the firm also notified the CERT division of the federally-funded Software Engineering Institute at Carnegie Mellon University and informed the Google Android security team. The report explains that if the flaw in the keyboard is exploited, a hacker could remotely access sensors like a phone’s GPS, camera, or microphone; secretly install malicious apps; tamper with how apps work or how the phone itself works; eavesdrop on incoming and outgoing messages and calls; or attempt to access personal data like photos and text messages.
NowSecure reports that while Samsung has begun providing a patch to mobile network providers, it’s unclear whether carriers have deployed the patch to the devices on their networks. It’s also difficult to determine how many users remain vulnerable, given the high number of device models and the count of network operators globally. Despite those challenges, NowSecure has compiled a list of mobile devices known to be impacted as of June 16.
The flaw affects devices on both U.S. networks and on international networks, because Samsung uses “what SwiftKey refers to as the ‘Samsung stock keyboard using the SwiftKey SDK.’” While customers of domestic carriers can check whether they’re affected below, NowSecure suggests “contacting local carriers for more specific detail on device vulnerability and patches” because carriers need to work with Samsung to obtain a patch for the devices on their networks.
So if your device is affected by the security risk, what should you do? As mentioned above, the flawed keyboard app can’t be uninstalled, and devices dating back to the Galaxy and Galaxy Note S3 have SwiftKey’s word prediction software. It also isn’t easy for you, as a user of a Samsung mobile device, to tell definitively if your carrier has patched the problem with a software update. But the security firm says that there are a few precautions you can, and should, take to reduce your risk of the flaw being exploited on your device.
First, it recommends avoiding insecure WiFi networks. It also recommends that you switch to using a different mobile device temporarily — a possibility if you’re one of the many users who saves an old handset in case of emergencies. Additionally, you should contact your carrier for information about the patch and the timing of when it will be deployed.
Jacob Bogage reports for The Washington Post that researchers from NowSecure were able to successfully seize control of GPS tracking data, microphones, and cameras from Samsung devices. They also intercepted incoming and outgoing calls and messages and installed apps. NowSecure chief executive Andrew Hoog told the Post, “These types of things are well within the capability of other organizations, and I think it’s very naive to think other people haven’t found this or haven’t used this.”
Because hackers on insecure WiFi networks can dupe the word prediction software as it searches for automatic updates, and in that way gain control of the entire device, the flaw is a big liability for users. As Bogage notes, many users routinely log on to WiFi networks that they aren’t entirely sure about. He writes, “Is that WiFi at the coffee shop safe, or is the cagey guy in the corner broadcasting a false signal in a ploy to sap your data? Who knows?”
While Samsung says that it has been rolling out the fixes through wireless cellphone providers since March, it’s unclear how many Samsung phones have actually received the patch. Hoog says that the company is not moving quickly enough. “I suspect there are many, many phones that will never get updated,” he tells the Post. “And that’s why we have to raise this visibility.”