Samsung pledges to fix keyboard security vulnerability within days

If you’re rocking a Samsung smartphone, you could be vulnerable to hackers — thanks to a preinstalled keyboard on your device.

The vulnerability was discovered by Ryan Welton from mobile security specialists NowSecure. The issue is with the preinstalled Swift keyboard, which looks for language pack updates over an unencrypted connection. Welton found that a hacker could create a spoof proxy server and send a fake update containing malicious code to the device. The hacker could then exploit the device by eavesdropping on incoming and outgoing messages or voice calls, accessing personal data such as pictures or text messages, tampering with apps, and even installing other malicious apps.

Updated on 06-17-2015 by Robert Nazarian: Added in statements from SwiftKey and Samsung, clarified that the SwiftKey keyboard app is not vulnerable, and added news that Samsung will fix the issue soon.

SwiftKey is not at fault

After yesterday’s report, SwiftKey reached out to us with the following statement to ease the mind of SwiftKey users worldwide: “We’ve seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”

It appears that SwiftKey only supplies the technology that powers the word prediction for the Samsung keyboard. Unfortunately, Samsung’s method of integrating SwiftKey’s technology with its own keyboard is what caused the vulnerability, and users of the SwiftKey app on non-Samsung devices shouldn’t worry.

Samsung will issue security policy update through Samsung Knox

Yesterday’s report indicated that carriers needed to release updates to fix the keyboard security flaw, but it appears Samsung can do it much quicker through Samsung Knox.

“Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security,” a Samsung spokesperson told us. “Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”

This is great news, but this leaves us wondering why Samsung didn’t use this method before.

A security researcher found the flaw in late 2014

Welton first discovered the flaw last year and subsequently notified Samsung in December 2014. Samsung immediately worked on a patch and sent updates to various carriers for devices running Android 4.2 or higher in March 2015. However, it’s unknown whether these patches have made their way to devices. Carriers are notorious for taking their time with updates due to their so-called rigorous testing for bugs.

Unfortunately, there is no other fix because users can’t simply uninstall the Swift app — one of the not so joyous benefits of carrier bloatware. Users are still vulnerable even when Swift isn’t set as the default keyboard.

What’s even scarier about this vulnerability is it even affects the Galaxy S6, which was released in April. Welton detailed this security flaw earlier today at the Blackhat Security Summit in London. He stated that he was able to hack into a Galaxy S6 running on Verizon Wireless. “We can confirm that we have found the flaw still unpatched on the Galaxy S6 for the Verizon and Sprint networks, in off the shelf tests we did over the past couple of days,” a NowSecure spokesperson confirmed.

According to the NowSecure website, it’s likely that the Galaxy S4 Mini, Galaxy S4, Galaxy S5, and Galaxy S6 are all affected, but it’s unclear which carrier-specific models received updates. The site only mentions U.S. carriers, so we aren’t sure if owners of international variants need to be worried.

Now, before everyone with a Samsung phone goes into a panic attack, we need to point out that the chances of your device being attacked through this vulnerability are slim. A hacker can only use this method via a public Wi-Fi network, like those found at a coffee shop, hotel, or other public spaces. More importantly, a hacker has to have knowledge of this exploit and has to be on the same network as you. Chances are very slim that a hacker who knows about this security flaw will be at your local Starbucks at the same exact time as you.

Nevertheless, a security flaw should never be taken lightly, so NowSecure recommends staying away from public Wi-Fi networks if you have one of these Samsung devices. That might be easier said than done, though, especially for those who are on capped data plans and don’t want to use their carrier’s mobile network all day. The other thing you can do is contact your carrier and demand that your phone gets updated with the patch if it hasn’t already.
