Security researchers at NowSecure recently disclosed a vulnerability affecting Samsung smartphones.
The research detailed how the default keyboard shipped with most modern Samsung Galaxy smartphones can be exploited to give an attacker access to private data and sensors on the phone.
This is possible because Samsung lets the keyboard software run with elevated, system-level privileges. An attacker who compromises it (the disclosed path was through the keyboard's update mechanism) is therefore not confined to the app's own sandbox but gains access to large parts of the filesystem.
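The security point above is one of least privilege: a component as exposed as a third-party keyboard should not run as the `system` user. The following is an added example, not code from the article, NowSecure or Samsung, showing how a practitioner might audit which processes on an Android device run as `system` by parsing `adb shell ps -A` output. The sample output is constructed, and the keyboard package name `com.sec.android.inputmethod` is an assumption made for illustration.

```python
"""Flag Android processes running as the privileged `system` user.

Added example (not from the original article). The input mimics the
output of `adb shell ps -A`; on a real device you would pipe that command
into parse_ps() instead of using the constructed sample below.
"""
from dataclasses import dataclass

# Constructed sample of `ps -A` output; not captured from a real device.
# The keyboard package name is an assumption used for illustration.
SAMPLE_PS = """\
USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   10432   2196 0                   0 S init
system         812   600 1834492 145232 0                   0 S system_server
system        1304   600 1412340  88120 0                   0 S com.sec.android.inputmethod
u0_a71        1422   600 1356788  76340 0                   0 S com.android.chrome
u0_a15        1510   600 1287412  61004 0                   0 S com.google.android.gms
"""

# Processes that are expected to run as `system`; anything else that does
# is worth a closer look, because a bug in it becomes a system-level bug.
EXPECTED_SYSTEM = {"system_server"}


@dataclass
class Proc:
    user: str
    pid: int
    name: str


def parse_ps(text):
    """Parse `ps -A` style output into Proc records, skipping the header."""
    procs = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:  # USER PID PPID VSZ RSS WCHAN ADDR S NAME
            continue
        procs.append(Proc(user=fields[0], pid=int(fields[1]), name=fields[-1]))
    return procs


def unexpected_system_procs(text, expected=EXPECTED_SYSTEM):
    """Return names of processes running as `system` that are not expected to."""
    return [p.name for p in parse_ps(text)
            if p.user == "system" and p.name not in expected]


def is_input_method(name):
    """Heuristic: does this process name look like a keyboard / IME package?"""
    return "inputmethod" in name.lower()


if __name__ == "__main__":
    for name in unexpected_system_procs(SAMPLE_PS):
        tag = " (input method!)" if is_input_method(name) else ""
        print(f"runs as system: {name}{tag}")
```

A normal third-party app shows up as a `u0_aNN` user, which is its own per-app sandbox; a keyboard appearing under `system` is exactly the condition the article describes.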
NowSecure said it disclosed the issue to both Samsung and Google towards the end of 2014.
It added that the release of patches was delayed as Samsung needed operator approval for any software modifications it pushes out to its phones.
Samsung stated that operators haven’t received a patch from it yet.
“For the devices that don’t come with KNOX by default, we are currently working on an expedited firmware update that will be available upon completion of all testing and approvals,” said Samsung.
Availability and schedule may vary by model, region, and service carrier.
In the meantime, devices with Samsung’s KNOX security will receive a security policy “in the coming days,” said Samsung.
To benefit from this, you will need a Samsung Galaxy S4 or newer, and KNOX must be installed and enabled on your device.
“To ensure your device receives the latest security updates, go to Settings > Lock Screen and Security > Other Security Settings > Security policy updates, and make sure the Automatic Updates option is activated.”
Security threat downplayed
Samsung said the likelihood of an attacker successfully exploiting this vulnerability is low.
“There have been no reported customer cases of Galaxy devices being compromised through these keyboard updates [since 16 June 2015].”
Is your Samsung Galaxy smartphone vulnerable?
NowSecure listed the Samsung Galaxy S6, S5, S4, and S4 Mini as vulnerable, but noted that its list was not all-inclusive.
Other Android-based Samsung devices use the same keyboard software, running at the same privilege level, as the devices that were listed.
With regards to these devices, Samsung Global said: “We are operating under the assumption that most devices are affected. We take emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security.”
It isn’t clear which devices are affected, but a search indicates that the following Samsung smartphones could be at risk:
- Samsung Galaxy S6 Edge
- Samsung Galaxy S6
- Samsung Galaxy S5
- Samsung Galaxy S5 Mini
- Samsung Galaxy S4
- Samsung Galaxy S4 Active
- Samsung Galaxy S4 Zoom
- Samsung Galaxy S4 Mini
- Samsung Galaxy Note 4
- Samsung Galaxy Note 3
- Samsung Galaxy Note 2
Samsung told network operators that, in addition to the security policy update for KNOX devices, it will address the risk with Emergency Maintenance Releases (firmware updates) that it will supply to carriers for distribution.
Vodacom provided feedback from its devices team at Vodafone UK, which said they will issue an update once a security patch is received from Samsung.
MTN, Cell C, and Telkom did not provide comment by the time of publication.