600M Samsung Smartphones Vulnerable To Hacking - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile // Mobile Applications
Commentary
6/17/2015
04:20 PM
Larry Loeb
Larry Loeb
Commentary
100%
0%

600M Samsung Smartphones Vulnerable To Hacking

A report from a security firms finds that Samsung's smartphones are vulnerable to attacks thanks to replacement software in the SwiftKey keyboard. However, it's not really Samsung's fault.

10 Smartphone Apps You Can Talk To
10 Smartphone Apps You Can Talk To
(Click image for larger view and slideshow.)

Security research firm NowSecure says it has uncovered a serious problem in all of Samsung's smartphones that may allow them to be attacked, according to some published reports.

This vulnerability comes from the SwiftKey keyboard replacement software included with all of the phones, rather than from the core system software.

The problem seems to be that the software, which is given system-level access by Samsung, updates itself in plain text. This means that an attacker can spoof SwiftKey into thinking it is getting an update when it is really being attacked.

This attack could then run malicious code that could access the camera and microphone sensors or eavesdrop on phone calls.

NowSecure says it notified Samsung in December 2014 of the vulnerability, and a patch was developed in early 2015.

(Image: Martin Dimitrov/iStockphoto)

(Image: Martin Dimitrov/iStockphoto)

However, the patch needs to be deployed by the wireless carriers, rather than the user. Since no one knows if the patch has in fact been deployed by the carriers, one must assume the vulnerability is still extant.

NowSecure has said that Verizon Wireless, Sprint, and AT&T have not deployed it, according to their tests.

Users would be most vulnerable to a spoofing attack on insecure networks like public WiFi hotspots.

Paco Hope, principal consultant with Cigital, a consulting firm that looks at application and software security, wrote in June 17 statement that this flaw with Samsung's smartphones shows that companies need to do more than testing to find flaws in their software.

"This Samsung vulnerability is a textbook example of a software vulnerability in the design, not the code," Hope wrote. "The operating system updates a core component over HTTP and verifies it with a simple hash also loaded over trivially hijacked HTTP. It is easy to forge an arbitrary replacement. Software security techniques like threat modeling and architecture risk analysis pick up obvious security anti-patterns like this. There are many valid secure design patterns that would have served. This is an example of why software security involves a lot more than penetration testing and code review.

[Read about millennials and security.]

While Hope makes a valid point, it is also obvious that Samsung got hosed by SwiftKey here.

Samsung probably did not know about SwiftKey's updating practices before giving it system-level access. So, the upshot of this will be more scrutiny for the software partners of all brands of phones.

When it comes to smartphone security, Samsung isn't the only vendor reporting trouble lately.

In May iPhone users were plagued by a string of texts that could crash the device. Although Apple offered a temporary fix after several users and security firms reported the problem, there hasn't been a permanent fix just yet. However, there doesn't seem to be any long-term damage from this particular flaw.

[Editor's note: Due to an editing error, the number of samsung phones affected was mistated. The estimated number is actually 600 million, according to NowSecure.]

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
eitanc
50%
50%
eitanc,
User Rank: Apprentice
7/12/2015 | 4:59:33 AM
A simple workaround
This issue can be solved using a simple workaround if the device is rooted - see here:
fudie.net/how-to-protect-yourself-from-the-samsung-keyboard-vulnerability-in-android-devices/
Ashu001
50%
50%
Ashu001,
User Rank: Ninja
6/30/2015 | 10:44:03 AM
Re: so why haven't the carrier's fixed this?
Kstaron, I tend to agree with larrys sentiments here. Alternatives exist its not like u r tied with just the swiftkey keyboard.u can always select another one from the app store. Also skycure has come out with real protection for this vulnerability(see in google app store). U can always download that app as well.
Kevin Runners
50%
50%
Kevin Runners,
User Rank: Apprentice
6/25/2015 | 8:43:13 AM
Re: Only Samsung?
It's not only about Samsung. All Android devices with Swiftkey installed can be vulnerable.
larryloeb
50%
50%
larryloeb,
User Rank: Author
6/24/2015 | 10:42:10 AM
Re: so why haven't the carrier's fixed this?
Why should they? They have no direct interest in doing user support for Samsung's problems. It's a pain and sets a precedent others can point to.

Maybe they want to charge Samsung somehow for doing it
kstaron
50%
50%
kstaron,
User Rank: Ninja
6/24/2015 | 10:38:20 AM
so why haven't the carrier's fixed this?
I'm most concerned right now with the fact that three major carriers haven't carried out the update to fix this yet. If i can't do it as a user, the carrier should be doing this fix post haste unless of course they want to have some liability in any issues this causes for users. Is there some huge obstacle preventing the carriers to do the fix?
larryloeb
50%
50%
larryloeb,
User Rank: Author
6/22/2015 | 1:23:59 PM
Re: Only Samsung?
Samsung used Swiftkey with elevated system access; even though they are claiming their KNOX scheme will prevent such things on newer phones.

I could see he same thing happening on other Android phones.
Dr.T
50%
50%
Dr.T,
User Rank: Strategist
6/22/2015 | 1:10:35 PM
Re: Small surface area
I agrees. This is like Chrome pushing updates regardless of user preferences. That made Chrome more secure comparing to other browsers and reached to the most market share. 
Dr.T
50%
50%
Dr.T,
User Rank: Strategist
6/22/2015 | 1:07:47 PM
Re: Small surface area
I agree. System level access should never be given to third parties regardless of what their intention could be.
Dr.T
50%
50%
Dr.T,
User Rank: Strategist
6/22/2015 | 1:05:55 PM
Re: Small surface area
That is partially good news for Samsung but anytime there is news around security it is perceived as bad regardless how server it is. 
Dr.T
50%
50%
Dr.T,
User Rank: Strategist
6/22/2015 | 1:02:34 PM
Only Samsung?
 

I am surprised this SwiftKey vulnerability is only about Samsung. If it requires patched on the carrier layer, it must be the case for other carriers in my view.
Page 1 / 2   >   >>
Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
Commentary
If DevOps Is So Awesome, Why Is Your Initiative Failing?
Guest Commentary, Guest Commentary,  12/2/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll