Samsung pledges to fix keyboard security vulnerability within days

If you’re rocking a Samsung smartphone, you could be vulnerable to hackers — thanks to a preinstalled keyboard on your device.

The vulnerability was discovered by Ryan Welton from mobile security specialists NowSecure. The issue is with the preinstalled Swift keyboard, which looks for language pack updates over an unencrypted line. Welton found that a hacker could create a spoof proxy server and send a fake update to the device with malicious code. The hacker could then exploit the device by eavesdropping on incoming and outgoing messages or voice calls, accessing personal data such as pictures or text messages, tampering with apps, and even installing other malicious apps.
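For developers, the defensive counterpart to the flaw described above is an update client that refuses any language pack not fetched over TLS from the expected source and not matching a digest pinned in the app. The sketch below is an added example, not code from Samsung, SwiftKey, or NowSecure; the host name, manifest layout, and function names are hypothetical, and the sample data is constructed.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample data; the host name and pack contents are hypothetical.
GOOD_PACK = b"constructed language pack: en_US v2"
# Manifest shipped inside the app (or delivered over an authenticated
# channel), so a network attacker cannot rewrite the expected digests.
PINNED_MANIFEST = {
    "en_US": {
        "url": "https://updates.example.invalid/packs/en_US.zip",
        "sha256": hashlib.sha256(GOOD_PACK).hexdigest(),
    },
}


class UpdateRejected(Exception):
    """Raised when a downloaded pack must not be installed."""


def check_update(lang, fetched_from, payload, manifest=PINNED_MANIFEST):
    """Return True only if payload is the pack the manifest describes."""
    entry = manifest.get(lang)
    if entry is None:
        raise UpdateRejected("unknown language pack")
    got, want = urlsplit(fetched_from), urlsplit(entry["url"])
    # Plain HTTP lets anyone on the path substitute the response body.
    if got.scheme != "https":
        raise UpdateRejected("not fetched over TLS")
    # fetched_from is the final URL after redirects (assumption).
    if (got.hostname, got.path) != (want.hostname, want.path):
        raise UpdateRejected("unexpected source")
    # Integrity check that holds even if the transport is compromised.
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        raise UpdateRejected("digest mismatch")
    return True


def verdict(lang, fetched_from, payload):
    """Wrap check_update so callers get a loggable string."""
    try:
        check_update(lang, fetched_from, payload)
        return "accepted"
    except UpdateRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    url = PINNED_MANIFEST["en_US"]["url"]
    print(verdict("en_US", url, GOOD_PACK))
    print(verdict("en_US", url.replace("https", "http", 1), GOOD_PACK))
    print(verdict("en_US", url, GOOD_PACK + b"\x00injected"))
```

The digest check is what still holds if the transport is downgraded or intercepted: a substituted pack is rejected even when it arrives from the expected URL.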

Updated on 06-17-2015 by Robert Nazarian: Added in statements from SwiftKey and Samsung, clarified that the SwiftKey keyboard app is not vulnerable, and added news that Samsung will fix the issue soon.

SwiftKey is not at fault

After yesterday’s report, SwiftKey reached out to us with the following statement to ease the mind of SwiftKey users worldwide: “We’ve seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”

It appears that SwiftKey only supplies the technology that powers the word prediction for the Samsung keyboard. Unfortunately, Samsung’s method of integrating SwiftKey’s technology with its own keyboard is what caused the vulnerability, and users of the SwiftKey app on non-Samsung devices shouldn’t worry.

Samsung will issue security policy update through Samsung Knox

Yesterday’s report indicated that carriers needed to release updates to fix the keyboard security flaw, but it appears Samsung can do it much quicker through Samsung Knox.

“Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security,” a Samsung spokesperson told us. “Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”

This is great news, but this leaves us wondering why Samsung didn’t use this method before.

A security researcher found the flaw in late 2014

Welton first discovered the flaw last year and subsequently notified Samsung in December 2014. Samsung immediately worked on a patch and sent updates to various carriers for devices running Android 4.2 or higher in March 2015. However, it’s unknown whether these patches have made their way to devices. Carriers are notorious for taking their time with updates due to their so-called rigorous testing for bugs.

Unfortunately, there is no other fix because users can’t simply uninstall the Swift app — one of the not so joyous benefits of carrier bloatware. Users are still vulnerable even when Swift isn’t set as the default keyboard.

What’s even scarier about this vulnerability is it even affects the Galaxy S6, which was released in April. Welton detailed this security flaw earlier today at the Blackhat Security Summit in London. He stated that he was able to hack into a Galaxy S6 running on Verizon Wireless. “We can confirm that we have found the flaw still unpatched on the Galaxy S6 for the Verizon and Sprint networks, in off the shelf tests we did over the past couple of days,” a NowSecure spokesperson confirmed.

According to the NowSecure website, it’s likely that the Galaxy S4 Mini, Galaxy S4, Galaxy S5, and Galaxy S6 are all affected, but it’s unclear which carrier-specific models received updates. The site only mentions U.S. carriers, so we aren’t sure if owners of international variants need to be worried.

Now before everyone with a Samsung phone goes into a panic attack, we need to point out that chances are rare that your device will be attacked through this vulnerability. A hacker can only use this method via a public Wi-Fi network, like those found at a coffee shop, hotel, or other public spaces. More importantly, a hacker has to have knowledge of this exploit and has to be on the same network as you. Chances are very slim that a hacker who knows about this security flaw will be at your local Starbucks at the same exact time as you.

Nevertheless, a security flaw should never be taken lightly, so NowSecure recommends staying away from public Wi-Fi networks if you have one of these Samsung devices. That might be easier said than done, though, especially for those who are on capped data plans and don’t want to use their carrier’s mobile network all day. The other thing you can do is contact your carrier and demand that your phone gets updated with the patch if it hasn’t already.

Robert Nazarian
Former Digital Trends Contributor