Skip to main content

Samsung pledges to fix keyboard security vulnerability within days

Samsung Galaxy S6 Camera
Jeffrey Van Camp/Digital Trends
If you’re rocking a Samsung smartphone, you could be vulnerable to hackers — thanks to a preinstalled keyboard on your device.

The vulnerability was discovered by Ryan Welton from mobile security specialists NowSecure. The issue is with the preinstalled Swift keyboard which looks for language pack updates over an unencrypted line. Welton found that a hacker could create a spoof proxy server and send a fake update to the device with malicious code. The hacker could then exploit the device by eavesdropping on incoming and outgoing messages or voice calls, access personal data such as pictures or text messages, tamper with apps, and even install other malicious apps.

Updated on 06-17-2015 by Robert Nazarian: Added in statements from SwiftKey and Samsung, clarified that the SwiftKey keyboard app is not vulnerable, and added news that Samsung will fix the issue soon.

SwiftKey is not a fault

After yesterday’s report, SwiftKey reached out to us to with the following statement to ease the mind of SwiftKey users worldwide: “We’ve seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”

swiftkey-android-app-on-google-play
Image used with permission by copyright holder

It appears that SwiftKey only supplies the technology that powers the word prediction for the Samsung keyboard. Unfortunately, Samsung’s method of integrating SwiftyKey’s technology with its own keyboard is what caused the vulnerability, and users of the SwiftKey app on non-Samsung devices shouldn’t worry.

Samsung will issue security policy update through Samsung Knox

Yesterday’s report indicated that carriers needed to release updates to fix the keyboard security flaw, but it appears Samsung can do it much quicker through Samsung Knox.

“Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security,” a Samsung spokesperson told us. “Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”

This is great news, but this leaves us wondering why Samsung didn’t use this method before.

A security researcher found the flaw in late 2014

Welton first discovered the flaw last year and subsequently notified Samsung in December 2014. Samsung immediately worked on a patch and sent updates to various carriers for devices running Android 4.2 or higher in March 2015. However, it’s unknown whether these patches have made their way to devices. Carriers are notorious for taking their time with updates due to their so-called rigorous testing for bugs.

Chances are very slim that a hacker who knows about this security flaw will be at your local Starbucks at the same exact time as you.

Unfortunately, there is no other fix because users can’t simply uninstall the Swift app — one of the not so joyous benefits of carrier bloatware. Users are still vulnerable even when Swift isn’t set as the default keyboard.

What’s even scarier about this vulnerability is it even affects the Galaxy S6, which was released in April. Welton detailed this security flaw earlier today at the Blackhat Security Summit in London. He stated that he was able to hack into a Galaxy S6 running on Verizon Wireless. “We can confirm that we have found the flaw still unpatched on the Galaxy S6 for the Verizon and Sprint networks, in off the shelf tests we did over the past couple of days,” a NowSecure spokesperson confirmed.

According to the NowSecure website, it’s likely that the Galaxy S4 Mini, Galaxy S4, Galaxy S5, and Galaxy S6 are all affected, but it’s unclear which carrier-specific models received updates. The site only mentions U.S. carriers, so we aren’t sure if owners of international variants need to be worried.

Now before everyone with a Samsung phone goes into a panic attack, we need to point out that chances are rare that your device will be attacked through this vulnerability. A hacker can only use this method via a public Wi-Fi network, like those found at a coffee shop, hotel, or other public spaces. More importantly, a hacker has to have knowledge of this exploit and has to be on the same network as you. Chances are very slim that a hacker who knows about this security flaw will be at your local Starbucks at the same exact time as you.

Nevertheless, a security flaw should never be taken lightly, so NowSecure recommends staying away from public Wi-Fi networks if you have one of these Samsung devices. That might be easier said then done, though, especially for those who are on capped data plans and don’t want to use their carrier’s mobile network all day. The other thing you can do is contact your carrier and demand that your phone gets updated with the patch if it hasn’t already.

Robert Nazarian
Former Digital Trends Contributor
Robert Nazarian became a technology enthusiast when his parents bought him a Radio Shack TRS-80 Color. Now his biggest…
10 big things you missed from Samsung Unpacked 2023
Samsung Galaxy Z Fold 5 and Galaxy Z Flip 5 next to each other on a white table.

Samsung’s midyear Unpacked event has just concluded, and it featured the usual slate of big foldable and wearable announcements. As expected, we saw Samsung unveil the Galaxy Z Flip 5 and Galaxy Z Fold 5, a new Galaxy Tab S9 lineup, and a pair of Galaxy Watch 6 models representing a comeback for the much-loved Galaxy Watch Classic style.

Needless to say, there was a lot to take in today, and some details can easily get glossed over in the midst of all the big tentpole product announcements. While Samsung’s new product lineup is undoubtedly exciting, the upgrades over last year’s models are more iterative — and in some cases even lateral — but Samsung still had a few surprises for us.
The Galaxy Z Flip 5 gets a nice storage boost

Read more
Samsung just gave us 3 big Galaxy Unpacked teasers
Samsung Galaxy Z Fold 4 and Galaxy Z Flip 4.

Samsung's next Galaxy Unpacked is almost here, and in typical Samsung fashion, the company is offering a small glimpse of what we can expect from the festivities next week.

TM Roh, the current head of Samsung's Mobile division, just shared his pre-Unpacked letter. While it's mostly marketing hype to get Samsung fans excited about next week's Unpacked event, there are a few teases that give us a small glimpse of what to expect.
Samsung's foldables are getting lighter

Read more
Here’s everything we expect from Samsung’s next Unpacked event
Official invite for Samsung's July 2023 Unpacked event.

It’s official — Samsung’s next Galaxy Unpacked event will be on July 26, 2023, in Seoul, Korea. And boy, this will be a jam-packed event. We’re going to see the next generation of Samsung's foldables, smartwatches, and tablets.  So, let’s break it all down.

Here’s everything we’re expecting to see at the Samsung Galaxy Unpacked July 2023 event — from the Galaxy Z Fold 5, new Galaxy Watch 6, and everything in between.
Samsung Galaxy Z Fold 5

Read more