There is a lot of information floating around the internet right now about a critical security flaw in the keyboard on Samsung phones. Specifically we’re talking about Samsung’s IME keyboard on the Galaxy S6, Galaxy S5 and Galaxy S4 (including the S4 Mini and Active to my understanding). So for starters, if your device isn’t listed you are free and clear of this issue but feel free to read on.
Many of these stories by “journalists” are ill informed for the most part and outright irresponsible in some cases; one headline I readย this morning:
“If you have a Samsung phone, turn it off now”
Reading that absolutely turned my stomach, it’s click bait and does nothing more than sensationalise what is in reality (not denying for a moment this is an issue!) a storm in a teacup.
The information brought to light by Now Secure is very well described in their article; outlining exactly what the vulnerability is, how you become vulnerable and highlighting the fact that there are estimated over 600 Million devices around the world that areย potentiallyย susceptibleย toย this issue. The numbers are staggering, in fact large enough to be frightening but doesn’t take into account the factors required for you to actually be at risk.
In a blog post which Swiftkey has since deleted,ย Swiftkey noted that their keyboard is not affected:
We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability.
They also commented that
The vulnerability in question poses a low risk: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.
Just to reiterate, the vulnerability is scary and as you can see from the video below if exploited; the attacker pretty much has complete access to anything and everything on your device and I mean everything! Attackers can not only look through your photos, they can activate your camera, listen to the microphone on your device, read your text messages and (perhaps most dangerously/concerning of all) install apps.
A number of users on some forums and social media are suggesting, as I thought initially, that simply changing keyboards would protect you from this however that is not the case. The installed keyboard is tied to the system meaning it cannot be disabled, nor can it be uninstalled. The fact you can’t disable or uninstall the keyboard to prevent exploitation of the flaw aside, there are a number of ways to protect yourself but first lets look at how you could potentially fall victim.
The first thing that needs to occur for you to be at risk is you need to be on an insecure (ie. no password required to connect) WiFi network and not using a VPN. If you’re looking for a VPN, our buddies at Pure VPN can certainly look after you. Connecting to insecure WiFi without the protection of a VPN is asking for trouble, regardless of any potential security flaws that may or may not be present on your device.
Being connected to an insecure network doesn’t immediately mean you will fall victim, because the second occurrence that is a must for your device to be compromised is the Samsung keyboard needs to update its language packs (as it will do from time to time) while on the unsecured WiFi network.
Finally, someone who knows about this flaw and how to exploit it needs to be on the same insecure network as you “sniffing” around, with the right information and right tools to find your device, exploit the security flaw and have you remain there for a few minutes at least to actually make you vulnerable. That’s a lot of factors to line up for you to fall victim to this, essentially theoretical security flaw.
Now Secure close their piece with a responsible approach to public notification of a security issue with mobile devices
Unfortunately, the flawed keyboard app canโt be uninstalled or disabled. Also, it isn’t easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update. To reduce your risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing.
So it’s appropriate we do the same thing, and advise you to control your risks: ideally, don’t use insecure WiFi… EVER, and if you must use the network make sure you’re on a VPN and if you still hold concern about this flaw and your device, contact your carrier or place of purchase to find out more about the patch availability for your phone.
We have confirmed via Android Central that Samsung are preparing an update to close the security loop hole in their Keyboard Language update process.
In a statement given to Android Central, Samsung says:
Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security. Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.
It is unclear whether this Knox-powered fix will require carrier intervention, or whether Samsung can (and will) push it directly. We’re awaiting confirmation of this from Samsung Australia as noted below.
I hope the explanation of this along with the assurance that Samsung are already working on a fix has set your mind at ease if you’re potentially at risk, if that is not enough – Ausdroid have contacted Samsung Australia for information on the flaw and received the following statement:
Samsung Electronics Australia takes security threats very seriously. We are committed to providing the latest mobile security and we are working quickly to investigate and resolve the matter. We will provide further information as it becomes available.
Once more information becomes available, information on patches or other important information on the flaw Ausdroid will keep you informed.
As much as I dislike and avoid Samsung devices, I must say I appreciate the depth and research this article was written with.
Note: it doesn’t _require_ an insecure wifi network. This is just the most likely place you could be attacked. If you and an attacker are both on a secure wifi network, they can attack you.
It would also be good to hear from the carriers on this. The Vodafone response in Australia and New Zealand seems to be a paraphrase from what Samsung said.