Slashdot Mirror

← Back to Stories (view on slashdot.org)

Samsung Cellphone Keyboard Software Vulnerable To Attack

Posted by Soulskill on from the not-quite-under-their-thumb dept.

Adesso writes: A serious security problem in the default Samsung keyboard installed on many of the company's cellphones has been lurking since December 2014 (CVE-2015-2865). When the phone tries to update the keyboard, it fails to encrypt the executable file. This means attackers on the same network can replace the update file with a malicious one of their own. Affected devices include the Galaxy S6, S5, S4, and S4 mini — roughly 600 million of which are in use. There's no known fix at the moment, aside from avoiding insecure Wi-Fi networks or switching phones. The researcher who presented these findings at the Blackhat security conference says Samsung has provided a patch to carriers, but he can't find out if any of them have applied the patch. The bug is currently still active on the devices he tested.

3 of 104 comments (clear)

  1. Re:The root... the root... the root is on fire... by Anonymous Coward · · Score: 2, Informative

    My VZW Galaxy S4 came with Swype and not Swiftkey. When you go to the listed page it looks to be an issue with Swiftkey and not Swype.

  2. Re:Manufacturers don't understand security by jones_supa · · Score: 4, Informative

    OEMs put all sorts of hacks in place just to get their garbage software to work. There is no concept of security, the goal is just to get the quickest access to the resource. This is the same story than the LG split screen software.

    Samsung engineers have probably moved to other projects already.

  3. Re:Only in one specific case...? by jo_ham · · Score: 4, Informative

    No, it can happen if there's no keyboard update available.

    The system periodically polls the server to check for an update, so it can happen as frequently as that check occurs. They don't say how often that is, but that if the keyboard is installed (i.e., if you have a non-rooted Samsung phone) even if you're using a different keyboard, you're vulnerable on an unsecured network to a MITM attack with arbitrary privileged code execution.

    I would say it's a very serious problem, albeit one that can only occur when the phone does a periodic update check. It doesn't require that an actual update be available to work.