Samsung Cellphone Keyboard Software Vulnerable To Attack

Adesso writes: A serious security problem in the default Samsung keyboard installed on many of the company's cellphones has been lurking since December 2014 (CVE-2015-2865). When the phone tries to update the keyboard, it fails to encrypt the executable file. This means attackers on the same network can replace the update file with a malicious one of their own. Affected devices include the Galaxy S6, S5, S4, and S4 mini — roughly 600 million of which are in use. There's no known fix at the moment, aside from avoiding insecure Wi-Fi networks or switching phones. The researcher who presented these findings at the Blackhat security conference says Samsung has provided a patch to carriers, but he can't find out if any of them have applied the patch. The bug is currently still active on the devices he tested.

That's stupid

[ArcadeMan]

Samsung has provided a patch to carriers

So if your carrier doesn't want to patch your phone to force you to buy yet another phone/switch to a costlier monthly package... well, you're screwed.

I prefer the Apple method: they make the phones, they make the OS and the basic software, they push the updates directly to you. Letting the carriers in charge of anything but the actual communications is just insane.