Samsung pledges to fix keyboard security vulnerability within days

Samsung Galaxy S6 Camera
Jeffrey Van Camp/Digital Trends
If you’re rocking a Samsung smartphone, you could be vulnerable to hackers — thanks to a preinstalled keyboard on your device.

The vulnerability was discovered by Ryan Welton from mobile security specialists NowSecure. The issue is with the preinstalled Swift keyboard which looks for language pack updates over an unencrypted line. Welton found that a hacker could create a spoof proxy server and send a fake update to the device with malicious code. The hacker could then exploit the device by eavesdropping on incoming and outgoing messages or voice calls, access personal data such as pictures or text messages, tamper with apps, and even install other malicious apps.

Updated on 06-17-2015 by Robert Nazarian: Added in statements from SwiftKey and Samsung, clarified that the SwiftKey keyboard app is not vulnerable, and added news that Samsung will fix the issue soon.

SwiftKey is not a fault

After yesterday’s report, SwiftKey reached out to us to with the following statement to ease the mind of SwiftKey users worldwide: “We’ve seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”

swiftkey-android-app-on-google-play

It appears that SwiftKey only supplies the technology that powers the word prediction for the Samsung keyboard. Unfortunately, Samsung’s method of integrating SwiftyKey’s technology with its own keyboard is what caused the vulnerability, and users of the SwiftKey app on non-Samsung devices shouldn’t worry.

Samsung will issue security policy update through Samsung Knox

Yesterday’s report indicated that carriers needed to release updates to fix the keyboard security flaw, but it appears Samsung can do it much quicker through Samsung Knox.

“Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security,” a Samsung spokesperson told us. “Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”

This is great news, but this leaves us wondering why Samsung didn’t use this method before.

A security researcher found the flaw in late 2014

Welton first discovered the flaw last year and subsequently notified Samsung in December 2014. Samsung immediately worked on a patch and sent updates to various carriers for devices running Android 4.2 or higher in March 2015. However, it’s unknown whether these patches have made their way to devices. Carriers are notorious for taking their time with updates due to their so-called rigorous testing for bugs.

Chances are very slim that a hacker who knows about this security flaw will be at your local Starbucks at the same exact time as you.

Unfortunately, there is no other fix because users can’t simply uninstall the Swift app — one of the not so joyous benefits of carrier bloatware. Users are still vulnerable even when Swift isn’t set as the default keyboard.

What’s even scarier about this vulnerability is it even affects the Galaxy S6, which was released in April. Welton detailed this security flaw earlier today at the Blackhat Security Summit in London. He stated that he was able to hack into a Galaxy S6 running on Verizon Wireless. “We can confirm that we have found the flaw still unpatched on the Galaxy S6 for the Verizon and Sprint networks, in off the shelf tests we did over the past couple of days,” a NowSecure spokesperson confirmed.

According to the NowSecure website, it’s likely that the Galaxy S4 Mini, Galaxy S4, Galaxy S5, and Galaxy S6 are all affected, but it’s unclear which carrier-specific models received updates. The site only mentions U.S. carriers, so we aren’t sure if owners of international variants need to be worried.

Now before everyone with a Samsung phone goes into a panic attack, we need to point out that chances are rare that your device will be attacked through this vulnerability. A hacker can only use this method via a public Wi-Fi network, like those found at a coffee shop, hotel, or other public spaces. More importantly, a hacker has to have knowledge of this exploit and has to be on the same network as you. Chances are very slim that a hacker who knows about this security flaw will be at your local Starbucks at the same exact time as you.

Nevertheless, a security flaw should never be taken lightly, so NowSecure recommends staying away from public Wi-Fi networks if you have one of these Samsung devices. That might be easier said then done, though, especially for those who are on capped data plans and don’t want to use their carrier’s mobile network all day. The other thing you can do is contact your carrier and demand that your phone gets updated with the patch if it hasn’t already.

Mobile

Apple purchases Shazam and makes the app free of ads

Soon after Apple announced it was acquiring music-recognition service Shazam, it was revealed that the European Commission would be looking into the deal. The commission has now cleared the way for Apple's acquisition of Shazam.
Mobile

Apple iPhone XS Max vs. Samsung Galaxy Note 9: Powerhouse face-off

Can Apple's heavyweight smartphone beat Samsung's reigning champion? We decided the compare the iPhone XS Max to the Galaxy Note 9 in a few different categories to see which smartphone comes out on top.
Mobile

Here's the Samsung Galaxy S9's new Android 9.0 Pie interface

The Samsung Galaxy S9 and Galaxy S9 Plus are here. The flagship devices boast some awesome new features and a powerful new processor. Here's everything you need to know about these Samsung phones.
Mobile

Samsung exec confirms upcoming Galaxy S10 will sport 'very significant changes'

While we still may be months away from an announcement, there's no doubt about it: Samsung is working hard on its successor to the Galaxy S9. Here's everything we know about the upcoming Samsung Galaxy S10.
Mobile

Apple iPhone XS vs. Samsung Galaxy S9: 2018's biggest flagships clash

The iPhone XS has been revealed, and it's one of the best phones of the year. But even though it's Apple's latest and greatest, it's up against a lot of competition. Is the iPhone XS better than the Samsung Galaxy S9?
Music

Spotify vs. Pandora: Which music streaming service is better for you?

Which music streaming platform is best for you? We pit Spotify versus Pandora, two mighty streaming services with on-demand music and massive catalogs, comparing every facet of the two services to help you decide which is best.
Giveaways

Enter to win the new iPhone XS and three Speck Presidio cases

Excited about the new iPhone XS? You may be in luck: We've teamed up with Apple and Speck to give one lucky winner a brand new iPhone XS and Speck Presidio case bundle, a combined $1,120 value. Read on for more details and enter now for…
Mobile

The best iPhone XS Max screen protectors to safeguard that huge screen

If you love big screens, then the iPhone XS Max's huge 6.5-inch display is for you. But it won't fare well against concrete. Protect your display with the best iPhone XS Max screen protectors.
Mobile

From Android 1.0 to Android 9.0, here’s how Google’s OS evolved over a decade

It's hard to believe, but Android has been around for almost a decade now. From Android 1.0 to Android 9.0 Pie, here's the history of Android and the changes that came with each new software iteration.
Social Media

Snap, then shop? Snapchat’s camera will soon buy stuff from Amazon

Want to Snap that item and buy it for yourself? Snapchat is testing an option to shop on Amazon using the camera. The tool works similar to Shazaming a song inside Snapchat; users tap and hold on the screen inside the camera mode.
Mobile

Google Feed is now known as ‘Discover,’ will be available on mobile browsers

As part of its 20th anniversary, Google unveiled its plans to improve Search starting with its Google Feed. Now known as Discover, the update brings along a redesign to help you find content that aligns with your interests.
Mobile

Renders for Pixel 3 and Pixel 3 XL leak in black and white colors

Forget the Pixel 2: Google will announce its latest flagships, the Pixel 3 and Pixel 3 XL, on October 9 in New York City and Paris. Here's everything we know about the upcoming Google Pixel 3 and Pixel 3 XL.
Mobile

Leaked renders show upcoming Huawei Mate 20 Pro in three stunning colors

Huawei is no stranger when it comes to big phones. And this year it plans to go even bigger with the Huawei Mate 20 and Mate 20 Pro. Here's what we think we know about the new range.
Mobile

Mint Mobile is one of first prepaid carriers to offer the iPhone XS and XS Max

After months of rumors and speculation, Apple has finally taken the wraps off of the new iPhone XS, iPhone XS Max, and iPhone XR. Now that the phones are out, you might be wondering how you can get them for yourself.