Samsung Galaxy flaw raises security concern

By Bonnie Tubbs, ITWeb telecoms editor.
Johannesburg, 19 Jun 2015
Samsung's latest flagship, the Galaxy S6, could be hacked should a recently discovered security flaw be exploited.

Hundreds of millions of Samsung's higher-end Galaxy devices - including the latest flagship - are vulnerable to hackers, thanks to the devices' native keyboard, which cannot be uninstalled.

The pre-installed keyboard, by SwiftKey, comes with the Samsung Galaxy S4 and S4 Mini, Galaxy S5 and S6, and cannot be deleted or uninstalled. The flaw - which revolves around SwiftKey's update mechanism - was discovered by a researcher from mobile security company NowSecure, Ryan Welton. Some 600 million people worldwide own devices with SwiftKey installed, according to NowSecure.

Local security expert Cobus Mentz, from Wolfpack Information Risk, explains that the vulnerability allows an attacker to intercept and manipulate communications between the SwiftKey application and the server from which it gets updates. "The attacker, due to this vulnerability, is able to replace the SwiftKey update file and trick the Samsung phone into thinking it comes from the SwiftKey update server.

"Once the file is on your phone, it can basically do whatever it wants to do because it has very high access rights (permissions), meaning there are little or no restrictions to what it can do (think of it as having 'top secret' clearance). What the file then does depends on what the attacker wants to achieve; for example, tracking the user by turning on the GPS."
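The weakness Mentz describes is an update channel that trusts whatever file arrives. As an added illustration (not code from SwiftKey, Samsung or NowSecure), the following constructed Python shows the check a defender wants in an update client: the device verifies an authenticated manifest and the payload's hash before installing anything, so a file swapped in transit is rejected. A pre-shared key and HMAC stand in for the vendor's public-key signature; all keys and payloads are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for the vendor's signing key. A real client
# would verify a public-key signature rather than share a secret with the server.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_manifest(payload: bytes, version: str, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: describe the update and authenticate that description."""
    body = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    canonical = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, canonical, hashlib.sha256).hexdigest()}


def verify_update(manifest: dict, payload: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Device side: accept the payload only if the manifest authenticates AND
    the payload hashes to exactly what the manifest promises."""
    canonical = json.dumps(manifest["body"], sort_keys=True).encode()
    expected_mac = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return False  # manifest altered in transit or not produced by the vendor
    actual_hash = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual_hash, manifest["body"]["sha256"])


def demo() -> tuple:
    """Run the genuine case and two in-transit substitutions; returns
    (genuine_accepted, swapped_file_accepted, forged_manifest_accepted)."""
    genuine = b"constructed genuine language-pack payload"
    manifest = sign_manifest(genuine, "1.2.3")
    ok_genuine = verify_update(manifest, genuine)

    # Someone on the network path replaces the file but cannot re-sign the manifest.
    swapped = b"constructed substituted payload"
    ok_swapped = verify_update(manifest, swapped)

    # They also rewrite the manifest's hash to match, but lack the vendor key.
    forged_body = dict(manifest["body"], sha256=hashlib.sha256(swapped).hexdigest())
    forged = {"body": forged_body, "mac": manifest["mac"]}
    ok_forged = verify_update(forged, swapped)
    return ok_genuine, ok_swapped, ok_forged


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```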

Samsung was notified about the vulnerability - which Mentz says is both complex and serious - in December last year, although parties in the know have kept it under wraps while the company tried to come up with a patch.

Risk factor

Samsung assured users yesterday the likelihood of the said vulnerability being exploited was low.

"There have been no reported customer cases of Galaxy devices being compromised through these keyboard updates. But, as the reports indicate, the risk does exist and Samsung will roll out a security policy update in the coming days.

"In addition to the security policy update, we will continue to work with related parties such as SwiftKey to address potential risks going forward."

Mentz says that, while the likelihood of hackers exploiting the vulnerability is low for now, with news of the flaw still fresh, Samsung users should be concerned. In time, he says, the likelihood of attacks will only increase should the issue not be resolved.

NowSecure has published a proof of concept for the exploit, as well as a YouTube video that shows it in action. The security company says Samsung users can lower their risk by avoiding insecure WiFi networks or using a different mobile device in the meantime. "And contact your carrier for patch information and timing."

In SA, says Mentz, most WiFi points are "secure", in that users need a password to connect to them and the communication within the network is encrypted. "Company networks are typically secure; however, users should avoid using free open WiFi spots or WiFi networks that make use of insecure encryption methods such as WEP [wired equivalent privacy]."

Watch out

Security researcher Ryan Welton lists the following possibilities for hackers who exploit the SwiftKey flaw in newer Samsung Galaxy devices:

1. The ability to access sensors and resources like GPS, camera and microphone.
2. The ability to install malicious apps - without the user knowing.
3. The ability to tamper with how other apps work or how the phone works.
4. The ability to eavesdrop on incoming and outgoing messages and phone calls.
5. The ability to access sensitive personal data like pictures and text messages.

User turnoff

While BlackBerry and Nokia have in the past dominated smartphone use in SA, Samsung is steadily climbing the local ladder - overtaking BlackBerry in August last year as SA's smartphone of choice, although the majority of the devices in use are in the low- to mid-range.

The Galaxy S6 has been available in SA since April and is expected to rise to the top of the high-end, thanks to what experts say is a "substantial leap in technology and design".

World Wide Worx MD Arthur Goldstuck says the SwiftKey security flaw is unlikely to dent Samsung's reputation among South Africans. Apart from the fact that users will move on after a patch for the flaw is released, Goldstuck says most people will assume it does not affect them.

He points out security bugs have been discovered in various other devices - most notably Lenovo laptops - but as long as there has been transparency and a swift effort to plug the holes, such events have quickly been forgotten. "Reputational damage only follows when there is either a catastrophic breach or an attempt to cover up or evade responsibility."

BMI-TechKnowledge director Brian Neilson says security concerns impact consumer decisions, to the extent that people are aware of them - and most people are "blissfully unaware" of the risks to which they are exposed.

"[They] may also attribute blame to something or someone else rather than the handset manufacturer - in this case, for example, they may blame the 'software' rather than Samsung, and there may be a perception that anyone can be compromised."
