Slashdot Mirror


Samsung Cellphone Keyboard Software Vulnerable To Attack

Adesso writes: A serious security problem in the default Samsung keyboard installed on many of the company's cellphones has been lurking since December 2014 (CVE-2015-2865). When the phone tries to update the keyboard, it fails to encrypt the executable file. This means attackers on the same network can replace the update file with a malicious one of their own. Affected devices include the Galaxy S6, S5, S4, and S4 mini — roughly 600 million of which are in use. There's no known fix at the moment, aside from avoiding insecure Wi-Fi networks or switching phones. The researcher who presented these findings at the Blackhat security conference says Samsung has provided a patch to carriers, but he can't find out if any of them have applied the patch. The bug is currently still active on the devices he tested.

104 comments

  1. That's stupid by ArcadeMan · · Score: 4, Insightful

    Samsung has provided a patch to carriers

    So if your carrier doesn't want to patch your phone to force you to buy yet another phone/switch to a costlier monthly package... well, you're screwed.

    I prefer the Apple method: they make the phones, they make the OS and the basic software, they push the updates directly to you. Letting the carriers be in charge of anything but the actual communications is just insane.

    1. Re:That's stupid by gstoddart · · Score: 1

      Yeah, no kidding. WTF are we trusting carriers for?

      They don't care about your security, they want to sell you phones which have their custom shit in it to maximize their profits.

      Trusting carriers to spend the time and effort applying updates is utterly insane, because they're lazy and greedy -- which means you likely won't get the update at all.

      But since they have nothing to lose and no liability for failing to push the updates, what do you think will change? The carriers simply don't give a damn.

      Android is a decent platform, but the splintering which takes place due to manufacturers and carriers means there's simply no way to know if what you have is safe at all -- because chances are the crap the carrier puts on isn't secure either.

      --
      Lost at C:>. Found at C.
    2. Re:That's stupid by Anonymous Coward · · Score: 0

      And I prefer the Windows method: OS updates are provided by the OS vendor, Microsoft, not HP, Dell, ASUS or whoever built the machine. Android OS modification by smartphone makers or carriers is plain stupid.

    3. Re:That's stupid by nate_in_ME · · Score: 3, Interesting

      HTC actually has come up with a good way to handle this. They've moved many of their "factory" apps into the Play Store, so they can push updates that way independent of the carriers. I've even received lock screen and Sense (their "home screen" for those unfamiliar with it) updates through this method. The only thing they can't push is updates to Android itself this way.

    4. Re:That's stupid by Anonymous Coward · · Score: 0

      Imagine if computers were like cell phones, and you had to rely on Comcast or Time Warner for your updates. God damn, phones are in a terrible state.

    5. Re:That's stupid by johnlcallaway · · Score: 0, Troll

      So .. you prefer to pay too much for a phone with few choices simply because you don't have the ability to keep off of unsecured or untrusted WiFi networks? Which you shouldn't be connecting to anyway because there are far greater risks associated with that practice.

      I never allow my phone to connect to any WiFi network I don't trust, that's just stupid. And it never downloads updates unless it's on WiFi. So that pretty much leaves only updating my phone at work or at home.

      But then again, I have skills.

      Yawn .. just another article Apple iDrones will point to and try to justify their overpayment of a limited product. I mean, they just got a watch. At least .. some of them did. I wonder when they will have the ability to use more than one app at the same time. I love being able to pull up Google maps in a second window while I'm also surfing using Chrome. Or pull up Evernote and jot something down. Great capability .. maybe someday the used-to-be-innovative Apple will figure out how to do windows.

      --
      I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
    6. Re:That's stupid by Anonymous Coward · · Score: 0

      Cox assures me that as soon as they have a fix for heartbleed, they'll look into getting a shellshock patch pushed out to me. Although my computer's 6 months old so it may be past the maintenance window.

    7. Re:That's stupid by donaldm · · Score: 1

      Yes you are right Apple do make their brand however so do other vendors. What Apple and the other vendors don't control although they do have some say are the carriers and if an update is released iOS or Android then it is up to the carriers to push it out.

      There are other vendors that sell Android phones and so far it is only the Samsung brand that has the issue and not the Linux kernel, so basically it is a Samsung problem.

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
    8. Re:That's stupid by Anonymous Coward · · Score: 0

      The Apple way doesn't work either. Have they sent out a fix for the SMS of death yet? No. When did that become public knowledge and start getting used? Right, three weeks ago. The Apple way. They have the ability to send out updates really quickly because of the way they were able to bully the carriers out of the way (and I applaud them for that and wish everyone else could do it). But they still manage to take too long to send out fixes.

    9. Re:That's stupid by gstoddart · · Score: 1

      What Apple and the other vendors don't control although they do have some say are the carriers and if an update is released iOS or Android then it is up to the carriers to push it out.

      Actually, I'm pretty sure Apple does control this.

      First, they don't allow carriers to customize iOS for their own purposes. Second, the updates for iOS come from Apple themselves.

      Which means carriers can't put shit on the Apple devices, and they can't fail to push out security updates. Because they're not part of the process.

      Android vendors routinely abandon devices and stop providing updates. And carriers routinely fail to add anything past the initial crap they put on the phone.

      But an iOS device is pretty much the same thing wherever you buy it. Which means you only need to worry about one company stopping providing updates.

      --
      Lost at C:>. Found at C.
    10. Re:That's stupid by Anonymous Coward · · Score: 0

      Windows driver updates are provided by HP, Dell, Asus, or whoever built the machine. And that's how Android system updates work because, for whatever reason, everything in Android is a driver[citation needed].

      (Yes, that's a pearl of sarcasm built around a grain of truth, in case your detector failed.)

    11. Re:That's stupid by Penguinisto · · Score: 1

      So .. you prefer to pay too much for a phone with few choices simply because you don't have the ability to keep off of unsecured or untrusted WiFi networks?

      Just a sec' there...

      Most of the schmucks out there are paying through the nose for a contract with monthly data caps, so hell yes they'll latch onto WiFi every chance they get, and aren't going to know jack about trusted vs. untrusted networks... all they know is that they can turn on Wifi and get their updates/video/whatever without burning through their 4G allotment for the month.

      Personally, I leave WiFi strictly off on my phone, but I use Net10, so I don't have to worry about overage charges. But, that's just me... most of North America uses $majorCarrier and has to worry about it, so they act accordingly.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    12. Re:That's stupid by Anonymous Coward · · Score: 1

      Where are you getting that from? He just says he prefers that his OS updates are independent of his carrier. Surely every sane person feels the same way?

    13. Re:That's stupid by Penguinisto · · Score: 1

      Actually, I believe that Apple's updates are pushed independently of the carrier - my wife's iPhone gets iOS updates just fine, even though we use Net10 (which doesn't distribute core Android updates for shit, since most of their customers do the 'bring-your-own-phone' thing or use one of the really oddball uber-cheap phones that Net10 sells.)

      IOW, I believe that Apple pushes all of their updates the same way that Google's Play Store does.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    14. Re:That's stupid by Krojack · · Score: 1

      The carriers' excuse is that the devices use 'their network' thus they need control over the software to prevent abuse and damage to 'their network'. Sure we all know it's total bullshit but can't do anything about it.

      I like as little government regulation as possible but understand it's needed in some areas. This is one of them. I would love to see some regulation forcing phone manufacturers and carriers to push out security fixes within 30 days at the extreme from the time an exploit is found. 15 would be better. If my Samsung Note 2 wasn't rooted it would still be running Android 4.1 (maybe 4.2?) which has various security holes in it. Sure put a limit on the device, say up to 3 or 4 years from that model's initial release date. In my case the Note 2 (Verizon) would hit 3 years this November.

      I'm done with buying HTC and Samsung devices and their 6 - 12 month delay in updates. We all know they delay it so people will give up and just upgrade their device. I'm currently looking at the Nexus 6 directly from Google which also works on Verizon.

    15. Re: That's stupid by Anonymous Coward · · Score: 0

      I double click the jesus-phone home button, write something in notes, double click again and go back to safari. What are you trying to say?

      Who the fuck cares if it's dual windows unless you're hauling a phablet around, but in that case you're probably also a mouth breathing dweep.

      Skills as in not allowing your mobile to connect to a public wifi?
      OMG! u r soo 3l1t3!!!

      I connect all the time to public wifi's and connect back to the vpn at home. I got a whole other set of skills you see?

    16. Re:That's stupid by Krojack · · Score: 1

      I never allow my phone to connect to any WiFi network I don't trust, that's just stupid. And it never downloads updates unless it's on WiFi. So that pretty much leaves only updating my phone at work or at home.

      I recall my old HTC Thunderbolt would only download updates over the Verizon network. You had no choice. I'm not sure about today because I've rooted my phones 15 minutes after opening the box.

    17. Re:That's stupid by wardrich86 · · Score: 1

      This dependency on carriers is the only thing I can't stand about Android, but at the same time, it was necessary to pique the interest of carriers to carry the phones.

    18. Re: That's stupid by Anonymous Coward · · Score: 0

      You do realize that anyone sniffing your packets on the public wifi can see 100% of your traffic to and from your vpn correct? I hope you don't do online banking while you're sitting on those public access points. You sound exactly like the sort to do so though.

    19. Re:That's stupid by dos1 · · Score: 1

      How is this "Apple method" different from just buying your phone instead of renting it from carrier on subsidized price?

      It's your, customers, choice, nobody forces you to do that.

    20. Re:That's stupid by parkinglot777 · · Score: 1

      I never allow my phone to connect to any WiFi network I don't trust, that's just stupid. And it never downloads updates unless it's on WiFi. So that pretty much leaves only updating my phone at work or at home.

      Even though users must be cautious on security, not EVERYONE has that understanding! You could do it yourself, great and good for you. How about other laymen? How about you bought and gave an Android phone to your kids? Do you think they won't try to connect to any WiFi whenever they can in order to play/update apps/games?

      Using yourself as standard usually doesn't work. It is simply your expectation that others know and will do the right thing. Good luck to you to be able to succeed this, but sadly not everyone is [sarcastic] as smart as [/sarcastic] you are.

    21. Re:That's stupid by 228e2 · · Score: 1

      Your point is very valid as I am currently writing an advisory for my workplace on this issue, so my only counterpoint is this:

      How secure is your workplace WiFi? Could an ex-employee sit in a car next to your building and cause havoc?

      --
      Since when does being a Socialist mean 'someone who has a different opinion than me'?
    22. Re:That's stupid by Rakarra · · Score: 1

      The carriers' excuse is that the devices use 'their network' thus they need control over the software to prevent abuse and damage to 'their network'. Sure we all know it's total bullshit but can't do anything about it.

      Everyone knows it's total bullshit too, as Internet service providers don't have any control over what computers and devices are hooked up on your home connection, nor should they.

    23. Re:That's stupid by Anonymous Coward · · Score: 0

      Looks like a USA-only problem. My carrier only bills me for phone usage, sms and data connection - they couldn't care less what software I run on it. That is for samsung and google to decide. They preloaded sw, not the carrier. I can switch carrier anytime too.

    24. Re:That's stupid by Anonymous Coward · · Score: 0

      "I wonder when they will have the ability to use more than one app at the same time."

      This Fall, but please, keep being smug and tell us how you'd never be affected by this problem.

    25. Re:That's stupid by KGIII · · Score: 1

      I used to use a small regional carrier. They have been buying up other small regional carriers and are not so small any more. My service quality has lessened since this has started happening. They seem to have slowed down now. I am now able to go most places without incurring the wrath of National Roaming Fees but nation-wide service is now included in my plan...

      --
      "So long and thanks for all the fish."
    26. Re:That's stupid by exomondo · · Score: 1

      Windows driver updates are provided by HP, Dell, Asus, or whoever built the machine.

      You can get driver updates through Windows update where the manufacturer provides them to Microsoft who runs them through their WHQL certification process and can then deliver them to the user. Or directly from the manufacturer themselves.

      On Android most drivers are proprietary and the lack of a stable ABI and driver model in Android means that you need a specific driver for your hardware for the particular version of Android that you are running - this is somewhat true of Windows too but the ABI and driver model are stable and standard for a lot longer, even many (not all) Windows 7 drivers will work on Windows 10.

      Now why can't these Android hardware manufacturers provide a compile-able kernel module for their binary drivers like for example the way nVidia does it on Linux? I'm not sure, perhaps there's some other technical hurdles or underlying changes that this can't address?

    27. Re:That's stupid by Anonymous Coward · · Score: 0

      Yawn .. just another article Apple iDrones will point to and try to justify their overpayment of a limited product.

      Yes of course, this isn't a security problem it is just a conspiracy pushed by Apple users!

    28. Re:That's stupid by mjwx · · Score: 1

      HTC actually has come up with a good way to handle this. They've moved many of their "factory" apps into the Play Store, so they can push updates that way independent of the carriers. I've even received lock screen and Sense (their "home screen" for those unfamiliar with it) updates through this method. The only thing they can't push is updates to Android itself this way.

      This is what Google did with its applications ages ago and recommends manufacturers do.
      Google has solved the problem of carriers controlling updates to a large degree by uncoupling applications from the OS, I can't speak for HTC users as I've been on the Nexus phones for a few years now but for us, it's been a fantastic success (in fact Gmail updated itself last night). Like you said, the only thing they can't update this way is Android itself, but there are other ways around that (for nexus phones, the images can be downloaded and installed manually).

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    29. Re: That's stupid by pnutjam · · Score: 1

      Just in case anyone is taking this seriously, it's wrong. VPN packets are encapsulated and sent to the vpn server, unless you have your vpn configured to use the local network instead of forwarding all packets to the vpn.

  2. Question by Anonymous Coward · · Score: 0

    How does this affect my iPhone?

  3. The root... the root... the root is on fire... by Anonymous Coward · · Score: 0

    What about... Install Swype > root > Disable/freeze/uninstall Samsung keyboard?

    1. Re:The root... the root... the root is on fire... by Anonymous Coward · · Score: 0

      >Rooting your phone to fix a security vulnerability

      Good luck with that.

    2. Re:The root... the root... the root is on fire... by DanJ_UK · · Score: 1

      Ahahahaha. Ahahahahahaha.

      --
      - Dan
    3. Re:The root... the root... the root is on fire... by Anonymous Coward · · Score: 2, Informative

      My VZW Galaxy S4 came with Swype and not Swiftkey. When you go to the listed page it looks to be an issue with Swiftkey and not Swype.

    4. Re:The root... the root... the root is on fire... by Krojack · · Score: 1

      It worked for me. I no longer have the Samsung keyboard installed on my Samsung Note 2. In fact I'm running AOSP 5.1.1 rather than being stuck on 4.1 (or 4.2) like all other Note 2 users are.

    5. Re:The root... the root... the root is on fire... by Anonymous Coward · · Score: 0

      Having root access on your phone should be a default state. Imagine buying a PC with root account locked out from you. I can't understand why people accept that.

    6. Re:The root... the root... the root is on fire... by Rakarra · · Score: 1

      It worked for me. I no longer have the Samsung keyboard installed on my Samsung Note 2. In fact I'm running AOSP 5.1.1 rather than being stuck on 4.1 (or 4.2) like all other Note 2 users are.

      You might have missed his point, that the only way to root a Samsung Android phone is to exploit (and leave open) a giant security vulnerability.

    7. Re:The root... the root... the root is on fire... by Anonymous Coward · · Score: 0

      >Rooting your phone to fix a security vulnerability

      Good luck with that.

      Oh, easy enough, it seems. You just take advantage of this swiftkey vulnerability, and use the published hack to push a shell running as the system user onto the phone. Then you replace whatever you like. Might be useful for installing cyanogen and other nice tools.

  4. 3rd party builds by charlesTheLurker · · Score: 1

    Ouch. Presumably, if you're running an AOSP build this won't affect you.

    1. Re:3rd party builds by The+MAZZTer · · Score: 1

      Or if you're rooted you can just uninstall the keyboard.

  5. Different keyboard software by flopsquad · · Score: 1

    About to switch away from the iUniverse to a Samsung. Many reviewers recommend installing better keyboard software than Samsung's default; would that address this problem?

    --
    Nothing posted to /. has ever been legal advice, including this.
    1. Re:Different keyboard software by drinkypoo · · Score: 2

      As long as you freeze the included keyboard as well, yes. The ordinary google keyboard is pretty great these days. I also use anysoftkeyboard, specifically for its ssh layout which has control and tab.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Different keyboard software by Krojack · · Score: 1

      As long as you freeze the included keyboard as well, yes.

      Which you can't do, at least not on my Samsung tablet. You can not uncheck the "Samsung keyboard" under Language and input in settings nor can you turn off (or disable/freeze) the Samsung keyboard app. Both options are grayed out.

      You would have to root your phone to get around this at which point you will no longer get OTA update and patches.

    3. Re:Different keyboard software by Anonymous Coward · · Score: 0

      What? This is absolutely not true, unless by "rooting" you mean "installing a third party ROM". They are not even close to the same thing.

    4. Re:Different keyboard software by Krojack · · Score: 2

      Not sure if you're talking about the freezing of the keyboard app or OTA updates so here are 2 replies:

      Keyboard part

      You can root your phone then freeze the Samsung keyboard app using Titanium Backup.

      Also it is true as I'm looking at an un-rooted Samsung tablet and you CAN NOT disable/freeze the Samsung keyboard. I also just walked to my co-worker's desk who has the Galaxy S6 (un-rooted) and it's exactly the same. You CAN NOT disable the Samsung keyboard on un-rooted devices.

      OTA updates to rooted devices.

      If you ONLY root then you should be able to still get OTA updates. The second you install a custom recovery, which a lot of rooting methods do, then you can no longer receive OTA updates.

  6. There are at least two known fixes by davidwr · · Score: 1

    There's no known fix at the moment, aside from avoiding insecure Wi-Fi networks or switching phones.

    In other words, there are at least two known fixes.

    "Dear Samsung, I am returning my phone and buying another brand because...."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:There are at least two known fixes by Anonymous Coward · · Score: 0

      Neither of which are a fix for the vulnerable device. Also, it isn't just a problem "with the default keyboard" which infers that it's only if you use the default keyboard and installing another will fix it. This component can not be removed (save rooting the device) - you're vulnerable whether you USE it or not as the problem is in the update mechanism.

  7. Why is Samsung making a keyboard? by danbob999 · · Score: 2

    Why is Samsung making a keyboard in the first place?

    1. Re:Why is Samsung making a keyboard? by gstoddart · · Score: 1

      Branding, marketing, differentiation, integration with the rest of their crap, and probably analytics.

      The usual crap.

      --
      Lost at C:>. Found at C.
    2. Re:Why is Samsung making a keyboard? by ArcherB · · Score: 3, Interesting

      Because they can make a keyboard to fit the phones they design. For example, my ancient Note 2 keyboard had a number row because it had plenty of room for one. Since rooting and installing CM, I've had a difficult time finding a keyboard that has a number row and is as capable as the one made by Samsung.

      Frankly, I don't see this vulnerability being that big of a deal. The hacker would either need access to the root filesystem of your phone WHILE you are updating and have the perfect timing to insert the file AFTER it downloaded but before the update starts, or he would have to pull off a man in the middle attack, which means hanging out at a Starbucks, setting up the fake network, and waiting for someone to come in with a Samsung phone who just happens to download the update while in Starbucks and on your fake network where you can intercept the correct file and replace it with your own.

      Yeah... if I were still running stock, I wouldn't be worried.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    3. Re:Why is Samsung making a keyboard? by Anonymous Coward · · Score: 0

      Because every company that sells an Android phone seems to feel the need to fiddle with nearly every parameter to the point that there's little commonality from one device to the next. At least from an interface standpoint.

    4. Re:Why is Samsung making a keyboard? by danbob999 · · Score: 1

      They should be able to do all that while making their keyboard available in the Play Store, and therefore easily updatable.

    5. Re:Why is Samsung making a keyboard? by GTRacer · · Score: 1

      Have you tried the Google Keyboard, with the "English (US) (PC)" custom input style activated? That input style is a proper 4-row keyboard where shifted characters appear where they should. The only thing it lacks is navigation keys like Tab and arrows.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    6. Re:Why is Samsung making a keyboard? by gstoddart · · Score: 1

      You do realize Samsung has their own store, and isn't interested in your access to Google's, right?

      A Nexus device is Android as Google envisions it. Anything else has been designed to steer you towards making money for someone else.

      So, Samsung makes a device, customizes the heck out of Android for their own purposes. And then the greedy telcos add their shit.

      And the consumer gets left with a device which may or may not receive updates as both Samsung and the carrier have moved onto new things, and don't care about devices they've already sold.

      Because carriers aren't in the business of supporting devices and software, just putting in enough effort to steer you to their stuff.

      You want something which you can always update? Buy an unlocked Nexus device at full price. Pretty much everything else has been messed with by people who have their own interests at heart, not yours.

      --
      Lost at C:>. Found at C.
    7. Re:Why is Samsung making a keyboard? by jabberw0k · · Score: 1

      This is not a keyboard: It is a program displaying a picture that looks like a keyboard, on a computer that masquerades as being a telephone, all controlled by people and companies you don't know and wouldn't trust if you did.

    8. Re:Why is Samsung making a keyboard? by Anonymous Coward · · Score: 1

      I wish I could read what you wrote, but... Those are not words. It's just a program displaying pictures that look like words.

    9. Re:Why is Samsung making a keyboard? by Solandri · · Score: 1

      Because it used to be Google didn't have a Korean keyboard for Android, and rather than direct customers in their home country to download a 3rd party one from the Play store, they decided to make one themselves that they trusted. That was one of the early advantages of Android over iOS - you could replace the keyboard if you didn't like the default one. Eventually they began adding extra features and keys to support features that were only in their phones.

      That's how innovation happens. It's not exclusive to the lab of a single company whose only claim to fame is that they own the OS. Everyone in the world comes up with different ideas, and the better ones get borrowed/stolen by everyone else including the company who owns the OS. Most manufacturers and carriers licensed or came up with their own version of Swype long before Google added it to Android.

    10. Re:Why is Samsung making a keyboard? by Krojack · · Score: 1

      You do realize Samsung has their own store, and isn't interested in your access to Google's, right?

      You do realize that many of the pre-installed bloatware Samsung made apps are updated via the google play store right? Let me list just a few..

      These are pre-install bloatware that can be disabled but not uninstalled. They also show up while searching the app store.
      * Samsung Link
      * Samsung Push Service
      * Samsung Print Service Plugin

      These are pre-install bloatware that can NOT be disabled or uninstalled. They are also hidden on the app store to prevent non-samsung owners from installing them. They DO update via the normal Google Play store.
      * Samsung Security Policy Update
      * Samsung Video
      * Video Editor
      * Photo Editor
      * Samsung Hub
      * Samsung keyboard Note 3/10.1 (Not the same as the 'Samsung keyboard' app but might work together)

    11. Re:Why is Samsung making a keyboard? by danbob999 · · Score: 1

      What innovation did Samsung bring with its keyboard? If I don't need Korean, why would I need it?
      Samsung make OS images specific to many countries/carriers. Most of these could do just fine without a Korean keyboard.

      Swype wasn't added by Google to the play store. It was added by Swype itself. They (and not Google) choose to sell directly to carriers/manufacturers instead of selling through the play store.

    12. Re:Why is Samsung making a keyboard? by Eric+Sharkey · · Score: 1

      "Hacker's Keyboard" has a number row, tab, and arrows.

    13. Re:Why is Samsung making a keyboard? by Alumoi · · Score: 1

      Hackers keyboard: full PC layout, perfect for tablets.

    14. Re:Why is Samsung making a keyboard? by Fencepost · · Score: 1

      Swiftkey has a checkable option under "Customize" in their settings for "Show a number row in all layouts."

      It also has options on larger screens to include a numeric keypad, not sure exactly what the settings are for that though.

      --
      fencepost
      just a little off
    15. Re:Why is Samsung making a keyboard? by GTRacer · · Score: 1

      It does, but so far as I can tell, it wouldn't work well on a phone in portrait orientation.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    16. Re:Why is Samsung making a keyboard? by GTRacer · · Score: 1

      Very true, but I believe it's not so good on phones in portrait.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    17. Re:Why is Samsung making a keyboard? by Rakarra · · Score: 1

      Good for tablets, but I've found the Hacker's keyboards (which I use for my ssh connections) pack too many keys too closely, and I end up making a lot more spelling mistakes. Naturally, there's no spell correction like there is with the Samsung keyboard. I don't want ssh connections spell checked (that could never work), though I wouldn't mind other apps like sms messaging being spell checked.

    18. Re:Why is Samsung making a keyboard? by thegarbz · · Score: 1

      Because not everyone likes the Google keyboard. Because when they started doing it the Google keyboard was lacking in features. Because when they started doing it they partnered with Swype to bring a unique experience and IMO a killer feature that differentiated their phones from the rest to their customers.

      Basically, why not make a keyboard? They already customise the rest of the Android experience, why not the keyboard too.

    19. Re:Why is Samsung making a keyboard? by KGIII · · Score: 1

      You do not have to personally need it for it to be innovation. But, to be honest, I am not sure a different keyboard language layout is all that innovative but the point remains the same - your personal needs do not determine innovation.

      --
      "So long and thanks for all the fish."
    20. Re: Why is Samsung making a keyboard? by snowsnoot · · Score: 1

      Mod parent up! I have one other suggestion.. Root your beautiful piece of Samsung HARDWARE and replace its software with CyanogenMod which is updated every night and even better than Nexus because it is mostly stock Android but also has a neat feature called Privacy Guard which allows the user fine grained controls over app permissions. There are many more reasons to go this route but I won't go on. This is the best of both worlds IMO and I won't ever go back to Samsung bastardized Android ever.

    21. Re:Why is Samsung making a keyboard? by Anonymous Coward · · Score: 0

      Just as a side note:

      I like how a lot of people call "Samsung Print Service Plugin" bloat, but fail to realize that i things have the same thing - just not as an "app" (it's built right in so it requires a full firmware update for patches as opposed to just an app). "Samsung Link" is simply cloud (or local) storage.

    22. Re:Why is Samsung making a keyboard? by danbob999 · · Score: 1

      I understand Samsung is free to innovate. But my point was that for most people, Samsung's keyboard is a regression, not an innovation. Now that Google has a Korean keyboard, there is no reason left for Samsung to keep their keyboard anyways. Especially if they can't maintain it, they should get rid of it.

  8. Misleading Summary by Anonymous Coward · · Score: 0

    "no known fix at the moment" and then later "Samsung has provided a patch to carriers". So we know there's a patch that fixes the vulnerability.

  9. Re: That's why I only buy IPhone by Anonymous Coward · · Score: 0

    I think YOU drink a lot!

  10. Manufacturers don't understand security by Gumbercules!! · · Score: 1

    Oh this is mindblowing. Who writes software that just asks a remote server for a file, then blindly executes that file with system privileges, but doesn't put any checks and balances in place to make sure it's really the remote server and the file is legit? It's not even HTTPS for goodness sakes (not that that would make much difference).

    Samsung seems to still be a manufacturer at heart and like all manufacturers, they just don't get software security. Not even a little bit.

    1. Re:Manufacturers don't understand security by jones_supa · · Score: 4, Informative

      OEMs put all sorts of hacks in place just to get their garbage software to work. There is no concept of security, the goal is just to get the quickest access to the resource. This is the same story as the LG split screen software.

      Samsung engineers have probably moved to other projects already.

  11. so... by Anonymous Coward · · Score: 0

    ... the headline of "600m Samsung phones can be used as eavesdropping devices" from other sites who had the news earlier was not slashdot crowd friendly enough?

  12. What about the signature verification? by Elias77 · · Score: 1

    It occurs to me, that the crucial part is the signature of the update package for the keyboard. The article states, that "the keyboard was signed with Samsung's private signing key". How can the attackers fake the signature of the update? Isn't the signature checked?

    1. Re:What about the signature verification? by wonkey_monkey · · Score: 1

      I read it as saying that because the already-installed keyboard APK has been signed, it runs with high privileges. And because of its weaknesses, it will download and run unsigned, tampered "updates." These aren't just updates to the keyboard APK itself, but also things like language packs.

      --
      systemd is Roko's Basilisk.
    2. Re: What about the signature verification? by Anonymous Coward · · Score: 0

      But, APK's hosts file is supposed to protect me from attacks!

    3. Re:What about the signature verification? by Anonymous Coward · · Score: 0

      The problem occurs when downloading new language packs, not the software itself. The language pack is a zip file and is accompanied by a manifest file which contains a SHA1 hash for the zip file, but both files are fetched using HTTP and the SHA1 hash can simply be replaced by the hash of the replacement zip file.

  13. You are not captain of this ship by jabberw0k · · Score: 1

    Leading to the question, Why would anyone knowingly purchase a computer they cannot control? When will folks wake up and stop drinking this so-called "smart" so-called "telephone" Kool-Aid?

  14. ZIP implementation broken as well by Anonymous Coward · · Score: 0

    This is so trivial to exploit because their zip implementation _also_ has a major security flaw and allows .. in paths in the files of the ZIP file.
    How incompetent are Samsung's software developers? Not doing that kind of thing should have been common knowledge about 10-20 years ago.
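
An added illustration of the two flaws discussed in the comments above (a manifest SHA1 fetched over the same HTTP channel as the ZIP, and `..` in ZIP entry paths), shown beside a hardened check; it is not code from Samsung, SwiftKey or any commenter. The function names, the sample archives and the assumption that a trusted SHA-256 reaches the device through an authenticated source (for example a signed manifest) are constructed for the example.

```python
import hashlib
import hmac
import io
import posixpath
import zipfile


def build_zip(entries):
    """Build an in-memory ZIP from {name: text}; used only for sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def naive_check(zip_bytes, manifest):
    """Flawed pattern: the SHA1 comes from the same unauthenticated channel."""
    return hashlib.sha1(zip_bytes).hexdigest() == manifest["sha1"]


def unsafe_entries(zip_bytes):
    """List entry names that would resolve outside the extraction directory."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            norm = posixpath.normpath(name.replace("\\", "/"))
            if norm.startswith("/") or norm == ".." or norm.startswith("../"):
                bad.append(name)
    return bad


def hardened_check(zip_bytes, trusted_sha256):
    """Require a digest from an authenticated source (assumption) and safe paths."""
    actual = hashlib.sha256(zip_bytes).hexdigest()
    if not hmac.compare_digest(actual, trusted_sha256):
        return False
    return not unsafe_entries(zip_bytes)


# Constructed sample data, not taken from the real update service.
GENUINE = build_zip({"lang/en_GB.json": '{"words": ["colour"]}'})
TRUSTED_SHA256 = hashlib.sha256(GENUINE).hexdigest()
SWAPPED = build_zip({"../../outside.txt": "constructed placeholder"})
SWAPPED_MANIFEST = {"sha1": hashlib.sha1(SWAPPED).hexdigest()}  # rewritten in transit

if __name__ == "__main__":
    print("naive accepts swapped pair:", naive_check(SWAPPED, SWAPPED_MANIFEST))
    print("hardened accepts swapped:", hardened_check(SWAPPED, TRUSTED_SHA256))
```

The naive check passes because whoever replaces the archive can replace the digest next to it; the hardened check fails the same pair twice over, on the digest and on the entry path.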

  15. Re: That's why I only buy IPhone by Anonymous Coward · · Score: 0

    NO you drink drunk. YOU dUKNK DRINK>. YUuR. MYy your pretyy.

  16. Important questions... by Ark42 · · Score: 1

    Can this be used to root your phone (as in, install SuperSU), and can this be done without tripping Knox?

    Can this be then mitigated by a simple hosts entry for the domain used to check for updates? (Pretty sure the answer here would be yes - if skslm.swiftkey.net points to 127.0.0.1, no rogue WiFi's DNS is going to be able to change that).

  17. What? by wonkey_monkey · · Score: 1

    When the phone tries to update the keyboard, it fails to encrypt the executable file.

    Why would the phone be trying to encrypt the executable (? article also says it's a ZIP file) file?

    I think what's trying to be said is that the phone fails to verify the signature on the update file - a ZIP file which may contain an executable - which it then unzips without a care.

    --
    systemd is Roko's Basilisk.
    1. Re:What? by jo_ham · · Score: 1

      When the phone tries to update the keyboard, it fails to encrypt the executable file.

      Why would the phone be trying to encrypt the executable (? article also says it's a ZIP file) file?

      I think what's trying to be said is that the phone fails to verify the signature on the update file - a ZIP file which may contain an executable - which it then unzips without a care.

      No, it verifies the hash on the file, but you can trick it by sending a fake hash too.

  18. Had to disable the Samsung KB on day 1 by jeffmflanagan · · Score: 1

    I have an S6, and the Samsung keyboard would disappear as soon as it appeared, making text entry impossible. Fortunately I could use voice recognition to find another keyboard in the Play store to make the phone usable.

  19. Workaround by emil · · Score: 1

    I am on the Alliance rom that bundles SuperSU, so I can fix this (unlike most unfortunate Samsung users).

    I used the "NoBloat" application from the Google Play store to disable the Samsung keyboard (after clearing the cache with the app manager).

    After doing so, I see the file /system/app/SamsumgIME.apk_ (note the underscore). I may try to copy the AOSP keyboard over from CM11 so there is a working keyboard in /system.

    I would like to congratulate Google and Samsung for their stunning incompetence in Android security. Your only hope of closing exploits on this platform is to root. I would be hard pressed to name a modern, GUI-centric Linux distribution that lacked a system update agent capable of patching all system components.

    Except Android.

    1. Re:Workaround by Anonymous Coward · · Score: 0

      WARNING!!! Don't disable the Samsung keyboard if your device is encrypted! You will no longer be able to enter the encryption password when you boot your phone!

    2. Re:Workaround by Anonymous Coward · · Score: 0

      Fortunately, if you have a custom recovery like TWRP installed, you can rename back /system/app/SamsumgIME.apk_ and /system/app/SamsumgIME.odex_ to restore the working keyboard!

  20. like the whole world does by batistuta · · Score: 1

    you mean, it should work the way it has been working everywhere in the world (except the US) since cell phones have been invented?

  21. Only in one specific case...? by Tyrannosaur · · Score: 2

    When the phone tries to update the keyboard, it fails to encrypt the executable file.

    So this only happens when I have a keyboard update available and waiting for me? How often does this happen, anyway? To be honest, this is a problem, but not that big of a problem....

    1. Re:Only in one specific case...? by Fencepost · · Score: 1

      I haven't dug into the details, but I suspect it's more "It only happens when the phone checks for a keyboard update and the server tells it there's one available."

      The problem in that statement is if it's "the server" not "Samsung's verified server." If the signature on the downloaded file isn't verified but it's checked and downloaded only over a secure connection to a valid server then I'm less worried. If it's checking over a secure signed connection but downloading over an insecure channel that's a problem anytime they update (since the download can be MITM'd). If it's checking regularly in a way that can be spoofed, then this is a huge huge issue because any compromised / malicious open WiFi hotspot could be MITMing the check and download.

      Of course, it's not like there are a lot of Samsung devices out there. They have a pretty small share of the market, right?

      --
      fencepost
      just a little off
    2. Re:Only in one specific case...? by jo_ham · · Score: 4, Informative

      No, it can happen if there's no keyboard update available.

      The system periodically polls the server to check for an update, so it can happen as frequently as that check occurs. They don't say how often that is, but that if the keyboard is installed (i.e., if you have a non-rooted Samsung phone) even if you're using a different keyboard, you're vulnerable on an unsecured network to a MITM attack with arbitrary privileged code execution.

      I would say it's a very serious problem, albeit one that can only occur when the phone does a periodic update check. It doesn't require that an actual update be available to work.

    3. Re:Only in one specific case...? by jo_ham · · Score: 1

      That's exactly what it's doing, according to Ars.

      It's a serious hole. The update check mechanism can be fooled. It doesn't require that a genuine update is available, just that something that claims it is the server says there is.

      It polls the server, the spoof replies and sends a fake hash and the payload and the phone executes it with elevated privileges.

  22. Easy by fluffernutter · · Score: 1

    So disable update on keyboard now, because you're probably fine at the moment. Wait for fix, then update.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  23. Nope. by emil · · Score: 1

    The keyboard application launches at boot and regularly downloads .ZIP files of json objects. This download happens as the system user, and is vulnerable to directory traversal. Disabling updates for this .APK will not halt this activity, and it is unlikely that all vendors will bother to patch this.

    1. Re:Nope. by Anonymous Coward · · Score: 0

      I'll have to check if my S2 is vulnerable... one of these days, when I charge the battery up again.
      Not that I ever really take it anywhere with me, it hasn't left the house since the day I got it (well, ok, been out in the yard a couple times to take pictures).
      At least it's only wi-fi, although I can pick up some of the neighbors' wi-fi sites...
      the sim card is in my old Nokia flip phone - doubt that's vulnerable to any of this garbage.

  24. HTC Aria on AT&T also by billstewart · · Score: 1

    Apparently there was a period of a couple of weeks when I could have gotten the upgrade from 2.1 to 2.2, but the carrier didn't actually push it, just made it available if you noticed and asked it to download, and soon after that, when Google Play came out, my Locked-To-Android-Market phone could no longer do any updates. I couldn't find a smartphone that small to replace it (sorry, but smallness is a feature for something you carry in your pocket), and eventually replaced the phone when apps I wanted were only running on 4.x anyway. I suppose I should go back and Cyanogenize it.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  25. I have a Samsung S5, get a LG (horrid advice). by Trax3001BBS · · Score: 1

    With my Samsung S5 or any mobile device I use a Bluetooth keyboard, as it's just downright easier (of course I don't travel). So a keyboard exploit shouldn't be a problem. I do have the keyboard, and other services I don't use updates disabled.

    My new LG (the Samsung S5's service is in limbo at this time), while it's a version of Android, its tactile is so weak as to make it unusable. There is a feature to highlight then double click the screen, opening a function (whatever it may be), and now the only way to open anything. I can't use it now (the phone) nor get back to that feature to disable. I've resorted to using my e-mailer to contact anybody whose phone's e-mail address I have.

    but, you won't be having any cell phone security issues to confront.

  26. no known fix? by sad_ · · Score: 1

    fix it by installing a custom android rom, those samsung phones listed are well supported by many roms.
    you won't regret it either because samsung-android is horrible!

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
  27. CM11 keyboard by Anonymous Coward · · Score: 0

    I successfully moved LatinIME.apk off my Ovation CM11 and it works in Alliance. This may make a keyboard available if you've encrypted (and it may not).