Samsung Cellphone Keyboard Software Vulnerable To Attack

Adesso writes: A serious security problem in the default Samsung keyboard installed on many of the company's cellphones has been lurking since December 2014 (CVE-2015-2865). When the phone tries to update the keyboard, it fails to encrypt the executable file. This means attackers on the same network can replace the update file with a malicious one of their own. Affected devices include the Galaxy S6, S5, S4, and S4 mini — roughly 600 million of which are in use. There's no known fix at the moment, aside from avoiding insecure Wi-Fi networks or switching phones. The researcher who presented these findings at the Blackhat security conference says Samsung has provided a patch to carriers, but he can't find out if any of them have applied the patch. The bug is currently still active on the devices he tested.

That's stupid

[ArcadeMan]

Samsung has provided a patch to carriers

So if your carrier doesn't want to patch your phone to force you to buy yet another phone/switch to a costlier monthly package... well, you're screwed.

I prefer the Apple method: they make the phones, they make the OS and the basic software, they push the updates directly to you. Letting the carriers in charge of anything but the actual communications is just insane.

Re:That's stupid

[nate_in_ME]

HTC actually has come up with a good way to handle this. They've moved many of their "factory" apps into the Play Store, so they can push updates that way independent of the carriers. I've even received lock screen and Sense (their "home screen" for those unfamiliar with it) updates though this method. The only thing they can't push is updates to Android itself this way.

Re:Why is Samsung making a keyboard?

[ArcherB]

Because they can make a keyboard to fit the phones they design. For example, my ancient Note 2 keyboard had a number row because it had plenty of room for one. Since rooting and installing CM, I've had a difficult time finding a keyboard that has a number row and is as capable as the one made by Samsung.

Frankly, I don't see this vulnerability being that big of a deal. The hacker would either need access to the root filesystem of your phone WHILE you are updating and have the perfect timing to insert the file AFTER it downloaded but before the update starts, or he would have to pull off a man in the middle attack, which means hanging out at a Starbucks, setting up the fake network, and waiting for someone to come in with a Samsung phone who just happens to download the update while in Starbucks and on your fake network where you can intercept the correct file and replace it with your own.

Yeah... if I were still running sock, I wouldn't be worried.

Re:Manufacturers don't understand security

[jones_supa]

OEMs put all sorts of hacks in place just to get their garbage software to work. There is no concept of security, the goal is just to get the quickest access to the resource. This is the same story than the LG split screen software.

Samsung engineers have probably moved to other projects already.

Re:Only in one specific case...?

[jo_ham]

No, it can happen if there's no keyboard update available.

The system periodically polls the server to check for an update, so it can happen as frequently as that check occurs. They don't say how often that is, but that if the keyboard is installed (i.e., if you have a non-rooted Samsung phone) even if you're using a different keyboard, you're vulnerable on an unsecured network to a MITM attack with arbitrary privileged code execution.

I would say it's a very serious problem, albeit one that can only occur when the phone does a periodic update check. It doesn't require that an actual update be available to work.