Slashdot Mirror


Samsung Cellphone Keyboard Software Vulnerable To Attack

Adesso writes: A serious security problem in the default Samsung keyboard installed on many of the company's cellphones has been lurking since December 2014 (CVE-2015-2865). When the phone tries to update the keyboard, it fails to encrypt the executable file. This means attackers on the same network can replace the update file with a malicious one of their own. Affected devices include the Galaxy S6, S5, S4, and S4 mini — roughly 600 million of which are in use. There's no known fix at the moment, aside from avoiding insecure Wi-Fi networks or switching phones. The researcher who presented these findings at the Blackhat security conference says Samsung has provided a patch to carriers, but he can't find out if any of them have applied the patch. The bug is currently still active on the devices he tested.

10 of 104 comments

  1. That's stupid by ArcadeMan · · Score: 4, Insightful

    Samsung has provided a patch to carriers

    So if your carrier doesn't want to patch your phone to force you to buy yet another phone/switch to a costlier monthly package... well, you're screwed.

    I prefer the Apple method: they make the phones, they make the OS and the basic software, they push the updates directly to you. Leaving the carriers in charge of anything but the actual communications is just insane.

    1. Re:That's stupid by nate_in_ME · · Score: 3, Interesting

      HTC actually has come up with a good way to handle this. They've moved many of their "factory" apps into the Play Store, so they can push updates that way independent of the carriers. I've even received lock screen and Sense (their "home screen" for those unfamiliar with it) updates through this method. The only thing they can't push is updates to Android itself this way.

  2. Re:The root... the root... the root is on fire... by Anonymous Coward · · Score: 2, Informative

    My VZW Galaxy S4 came with Swype and not Swiftkey. When you go to the listed page it looks to be an issue with Swiftkey and not Swype.

  3. Why is Samsung making a keyboard? by danbob999 · · Score: 2

    Why is Samsung making a keyboard in the first place?

    1. Re:Why is Samsung making a keyboard? by ArcherB · · Score: 3, Interesting

      Because they can make a keyboard to fit the phones they design. For example, my ancient Note 2 keyboard had a number row because it had plenty of room for one. Since rooting and installing CM, I've had a difficult time finding a keyboard that has a number row and is as capable as the one made by Samsung.

      Frankly, I don't see this vulnerability being that big of a deal. The hacker would either need access to the root filesystem of your phone WHILE you are updating and have the perfect timing to insert the file AFTER it downloaded but before the update starts, or he would have to pull off a man in the middle attack, which means hanging out at a Starbucks, setting up the fake network, and waiting for someone to come in with a Samsung phone who just happens to download the update while in Starbucks and on your fake network where you can intercept the correct file and replace it with your own.

      Yeah... if I were still running stock, I wouldn't be worried.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.

  4. Re:Different keyboard software by drinkypoo · · Score: 2

    As long as you freeze the included keyboard as well, yes. The ordinary google keyboard is pretty great these days. I also use anysoftkeyboard, specifically for its ssh layout which has control and tab.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  5. Re:Manufacturers don't understand security by jones_supa · · Score: 4, Informative

    OEMs put all sorts of hacks in place just to get their garbage software to work. There is no concept of security, the goal is just to get the quickest access to the resource. This is the same story as the LG split screen software.

    Samsung engineers have probably moved to other projects already.

  6. Only in one specific case...? by Tyrannosaur · · Score: 2

    When the phone tries to update the keyboard, it fails to encrypt the executable file.

    So this only happens when I have a keyboard update available and waiting for me? How often does this happen, anyway? To be honest, this is a problem, but not that big of a problem....

    1. Re:Only in one specific case...? by jo_ham · · Score: 4, Informative

      No, it can happen if there's no keyboard update available.

      The system periodically polls the server to check for an update, so it can happen as frequently as that check occurs. They don't say how often that is, but that if the keyboard is installed (i.e., if you have a non-rooted Samsung phone) even if you're using a different keyboard, you're vulnerable on an unsecured network to a MITM attack with arbitrary privileged code execution.

      I would say it's a very serious problem, albeit one that can only occur when the phone does a periodic update check. It doesn't require that an actual update be available to work.

  7. Re:Different keyboard software by Krojack · · Score: 2

    Not sure if you're talking about the freezing of the keyboard app or OTA updates so here are 2 replies:

    Keyboard part

    You can root your phone then freeze the Samsung keyboard app using Titanium Backup.

    Also it is true as I'm looking at an un-rooted Samsung tablet and you CAN NOT disable/freeze the Samsung keyboard. I also just walked to my co-worker's desk who has the Galaxy S6 (un-rooted) and it's exactly the same. You CAN NOT disable the Samsung keyboard on un-rooted devices.

    OTA updates to rooted devices.

    If you ONLY root then you should be able to still get OTA updates. The second you install a custom recovery, which a lot of rooting methods do, then you can no longer receive OTA updates.