A potentially crippling security flaw has been discovered on a variety of Samsung smartphones.
Taking advantage of the flaw, a hacker is able to access a phone’s camera, microphone and GPS; listen in on a person’s phone conversations and read their text messages; and access information like personal contacts and photos.
According to NowSecure, the company that discovered the flaw, the problem stems from the fact that the process used to update the keyboard software on a Samsung phone can be hijacked by a hacker.
“Over 600 million Samsung mobile device users have been affected by a significant security risk on leading Samsung models, including the recently released Galaxy S6,” says NowSecure. “The risk comes from a pre-installed keyboard that allows an attacker to remotely execute code as a privileged (system) user.”
According to The Wall Street Journal, NowSecure discovered the flaw late last year. It subsequently contacted Samsung in November, telling the company its intention to disclose what it had found out. On December 16, Samsung asked NowSecure to wait three months before publishing anything. Several weeks later, on December 31st, it asked the company to wait a full year.
NowSecure says it bought two Samsung Galaxy 6’s last week—one from Verizon and the other from Sprint—and found that both still had the same vulnerability.
SwiftKey, which provides the technology behind the autocorrect algorithms inside Samsung’s keyboard, issued a blog post defending itself.
“We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue.
“The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”
Samsung said about the exploit, “Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security.
“Samsung KNOX has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days.
“In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”
On its website, NowSecure lists whether the vulnerability has been patched on several different devices and carriers. Unfortunately, Canadian carriers and devices are not listed. We’ve contacted several Canadian carriers to find out whether they’ve rolled up the update to Samsung smartphones on their networks. We’ll update this story once we hear back from them.
[source]NowSecure, SwiftKey[/source][via]Wall Street Journal[/via]