SwiftKey Security Flaw Impacting "600 Million+" Samsung Phones Is Probably Nothing To Worry About

  • 16 June 2015

16th June 2015  By David Ruddock
 
 
This morning, a company called NowSecure published an exploit claiming to affect SwiftKey on Samsung devices that they claim could impact "600 million+" devices. Except that's almost certainly not true.
 
While we cannot verify the true seriousness of the security flaw were an attacker to successfully manage to exploit it, we were able to verify something substantially more important to end user safety - it does not affect the SwiftKey app. We reached out to SwiftKey this morning and they confirmed that the versions of SwiftKey shipping on the Google Play Store (and the Apple App Store, if you care) are not vulnerable to the alleged flaw.
 
The app in question is not SwiftKey itself, but rather the Samsung IME keyboard that SwiftKey develops for Samsung.
 

As many as 600 million phones vulnerable to remote code execution attack.

by Dan Goodin (US) - Jun 17, 2015
 
As many as 600 million Samsung phones may be vulnerable to attacks that allow hackers to surreptitiously monitor the camera and microphone, read incoming and outgoing text messages, and install malicious apps, a security researcher said.
 
The vulnerability is in the update mechanism for a Samsung-customized version of SwiftKey, available on the Samsung Galaxy S6, S5, and several other Galaxy models. When downloading updates, the Samsung devices don't encrypt the executable file, making it possible for attackers in a position to modify upstream traffic—such as those on the same Wi-Fi network—to replace the legitimate file with a malicious payload. The exploit was demonstrated Tuesday at the Blackhat security conference in London by Ryan Welton, a researcher with security firm NowSecure. A video of his exploit is here.
 
 

 

Posted on 17 June 2015.

A vulnerability in the Swift keyboard, which comes pre-installed on Samsung mobile devices, can be exploited by remote attackers to secretly install malicious apps, access the device's camera and microphone and more, claims NowSecure security researcher Ryan Welton.

He also says that over 600 million Samsung mobile device users are at risk due to this flaw.

"It’s unfortunate but typical for OEMs and carriers to preinstall third-party applications to a device. In some cases these applications are run from a privileged context. This is the case with the Swift keyboard on Samsung," he explained.

The vulnerability resides in the fact that when the app looks for and receives updates, it does so over an unencrypted connection. This can be exploited by an attacker capable of modifying upstream traffic to deliver malicious security updates.

17th June 2015  By Phil Nickinson
 

 
 
Samsung today in an official statement has said that it's prepping an update that should close a potential-but-obscure avenue for exploit in its custom keyboard on a number of its most popular phones.
The update will come by way of the security policy update mechanism in Samsung Knox and not with a full system update, Samsung said in its statement. (And that begs the question why that wasn't done in the first place, if indeed we'd been waiting on U.S. operators to push out a fix.)
 
Here's what's up. In a statement given to Android Central, Samsung says:
 

We'll fix this problem that isn't actually a problem, no problem

 


19 Jun 2015 at 10:32, John Leyden
 
Samsung has promised to push out updates to resolve a serious mobile keyboard snooping bug, with security policy updates rolling out in the coming days, Sammy said in a blog post on Thursday — which simultaneously acknowledged and played down the issue.
 
As previously reported, researchers at security firm NowSecure warned that a problem involving the keyboard pre-installed with Samsung devices created a spying risk.
 
The risk arises from a design decision which meant updates were made over an unsecured, unencrypted HTTP connection, rather than HTTPS.
 


The vulnerability was found in the SwiftKey keyboard, which comes preloaded on the devices

 
By Zach Miners
 
Samsung will update the security software on its Galaxy smartphones to address a flaw that researchers warned could let attackers access people's devices.
Earlier in the week, researchers at NowSecure, a mobile security company, identified the flaw in SwiftKey, a keyboard application that comes preloaded on Galaxy smartphones. The flaw could be exploited even when SwiftKey was not used as the default keyboard, NowSecure said.
On Thursday, Samsung said it would issue a fix that would roll out over the coming days to owners of the Galaxy S4, released in 2013, and later models. Those devices have Samsung's Knox security platform installed by default and can receive over-the-air security policy updates. Users must have automatic updates activated in their phone's settings, Samsung said on its website.
For earlier Galaxy phones that don't come with Knox, Samsung said it was working on an expedited firmware update. Availability will vary depending on the model, region and service carrier.
 