At the recent Black Hat Mobile Security Summit in London, England, NowSecure researcher Ryan Welton warned of a significant security issue affecting more than 600 million users of Samsung mobile devices, including the Samsung Galaxy S4 and S5, and the recently released Samsung Galaxy S6.
A NowSecure statement on the vulnerability explains that the risk comes from a pre-installed keyboard that could allow attackers to remotely execute code; access sensors and resources like GPS, camera and microphone; install malware without the user knowing; tamper with how apps work or how the phone works; eavesdrop on incoming and outgoing messages and voice calls; and attempt to access sensitive personal data like pictures and text messages.
Although Samsung was alerted to the flaw in December 2014 and began providing a patch to mobile network operators in early 2015, it isn't clear if all carriers have provided the patch to devices on their networks, and it's difficult to determine how many mobile devices remain vulnerable at this point. It's also difficult for a user to determine if their carrier has patch their device.
The pre-installed keyboard in question uses technology from SwiftKey, but is unique to Samsung devices, comes pre-installed on the phones, and can't be disabled or uninstalled.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"The attack vector for this vulnerability requires an attacker capable of modifying upstream traffic," Welton wrote in a blog post detailing the issue. "The vulnerability is triggered automatically (no human interaction) on reboot as well as randomly when the application decides to update."
"This can include geographically proximate attacks such as rogue Wi-Fi access points or cellular base stations, or attacks from local users on a network, including ARP poisoning," Welton added. "Fully remote attacks are also feasible via DNS Hijacking, packet injection, a rogue router or ISP, etc."
In a statement, SwiftKey noted that the vulnerability is specific to Samsung devices, and does not affect the SwiftKey consumer apps on Google Play and the Apple App Store. "We supply Samsung with the core technology that powers the word predictions in their keyboard," the company stated. "It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability."
Sooner after, Samsung added the following statement: "Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security. Samsung KNOX has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days."
Rapid7 security engineering manager Tod Beardsley told eSecurity Planet by email that using Samsung KNOX to roll out the updates is a good move on Samsung's part. "KNOX allows Samsung to bypass the often very slow over-the-air (OTA) OS update process," he said. "It's unclear from Samsung's statements, however, if this strategy will cover only KNOX enterprise users, or through the personal My KNOX platform. We'll know for sure in the coming days."
Regardless, Beardsley said, the vulnerability is difficult to exploit -- the attacker has to have control over the wireless network the target is on, or have thorough access to the target's service provider. "Yes, the vulnerability provides a path to system-level access for an adversary, which can ultimately compromise all personal data on a phone, including login passwords, stored files, and other personal information," he said. "That said, it’s not simply a matter of blasting out millions of phishing e-mails or texts and pointing victims to an evil download or website."
"So, while the vulnerability is absolutely real, the threat of exploit is fairly low," Beardsley added.