NowSecure has released the details of a security vulnerability affecting a number of Samsung smartphones that come with the company’s Swift keyboard for Android.
The security researchers said the vulnerability exists because Samsung lets its default keyboard run at too high a privilege level.
Specifically, it runs as device.system.user, “a notch short of being root”, said NowSecure.
It’s impossible to avoid the vulnerability by using a third-party keyboard, as the Samsung keyboard remains installed on the system and runs in the background.
Like many other smartphone vendors, Samsung makes it impossible to remove many of the apps it ships on its devices – including the default Samsung keyboard.
It should also be noted that although Samsung’s keyboard uses technology from SwiftKey, the issue does not affect SwiftKey’s own third-party keyboard for smartphones.
SwiftKey said: “This vulnerability is unrelated to and does not affect our SwiftKey consumer apps on Google Play and the Apple App Store.” It has since removed this statement from its website.
NowSecure explained that the attack vector for this vulnerability requires an attacker capable of modifying upstream traffic.
This means that for the moment, attacks exploiting the privileges of the default Samsung keyboard will require a level of technical skill that makes them difficult to execute.
Hacking a Samsung phone this way involves tricking it into downloading a file it thinks is a language pack update, modifying files elsewhere on the Android file system, and then rebooting the device.
A reboot may be unnecessary depending on whether the Samsung keyboard application triggers a language update.
After the reboot, an attacker could:
- Access sensors and resources like GPS, camera and microphone.
- Secretly install malicious apps.
- Tamper with how other apps work or how the phone works.
- Eavesdrop on messages or voice calls.
- Attempt to access sensitive personal data like pictures and text messages.
NowSecure said an attacker could exploit the vulnerability over rogue Wi-Fi access points or cellular base stations, or over a local network using methods such as ARP poisoning.
“Fully remote attacks are also feasible via DNS Hijacking, packet injection, a rogue router or ISP.”
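As an added defensive illustration (not code from NowSecure, Samsung or SwiftKey): one way an update client can resist the tampering described above is to check the download against a digest obtained from a trusted source, and to refuse any archive entry that would be written outside the update directory. The ZIP container, the pinned SHA-256 digest and all function names are assumptions made for this example; the article does not describe the update format.

```python
# Added example; the ZIP format and pinned digest are assumptions, not from the article.
import hashlib
import io
import os
import zipfile


class UpdateRejected(Exception):
    """Raised when an update fails an integrity or path check."""


def install_update(blob: bytes, pinned_sha256: str, dest_dir: str) -> list[str]:
    """Verify and unpack an update archive; return the file paths written.

    pinned_sha256 must come from a trusted source (for example, shipped
    inside a signed app), never from the channel that delivered the blob.
    """
    if hashlib.sha256(blob).hexdigest() != pinned_sha256:
        raise UpdateRejected("digest mismatch: content changed in transit")

    root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        # Validate every entry before writing anything to disk.
        targets = []
        for info in archive.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise UpdateRejected(f"entry escapes update dir: {info.filename}")
            targets.append((info, target))
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(archive.read(info))
            written.append(target)
    return written


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()
```

The digest check only helps if the expected value cannot be altered by the same on-path attacker, which is why it is passed in separately here rather than downloaded alongside the archive.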
Affected devices, patches incoming
According to NowSecure, the Samsung Galaxy S6, S5, S4, and S4 mini are affected by the vulnerability.
It said it disclosed the issue to both Samsung and Google towards the end of 2014, but that release of patches has been delayed as Samsung needs operator approval for any software modifications it pushes out to its phones.
“While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network. In addition, it is difficult to determine how many mobile device users remain vulnerable.”
NowSecure estimated that over 600 million Samsung devices around the world are vulnerable.
Samsung issued the following statement on the matter:
Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security.
Samsung KNOX has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days.
In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.