If you use a Samsung smartphone, a pre-installed keyboard could make your device highly vulnerable to hackers. And, for the moment, there is practically nothing you can do about it.
The vulnerability was discovered by Ryan Welton a mobile security specialist at NowSecure. The issue involves problems with the standard pre-installed SwiftKey autofill keyboard which uses an unencrypted line to look for language pack updates.
[quote_box_left]”We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability.”[/quote_box_left]
Welton discovered that by creating a spoof proxy server, a hacker could easily send a fake update to the device containing malicious code. From there, they could eavesdrop on your incoming and outgoing messages as well as your voice calls.
The access would also allow them to view your personal data such as pictures or text messages, modify or tamper with apps, and even install other malicious applications on your phone.
Unfortunately, there is currently no fix since users can’t uninstall the SwiftKey app –which is part of Samsung’s standard bloatware it ships out with their phones, including its new flagship Galaxy lines.According to the NowSecure, it’s likely that the Galaxy S4 Mini, Galaxy S4, Galaxy S5, and Galaxy S6 are all affected by this security flaw. The company added that it’s unclear which carrier-specific models received updates.
For the moment NowSecure only mentions U.S. carriers, so no one is sure if there are international variants of what some are calling a “massive” security flaw.
SwiftKey CMO places blame on Samsung
SwiftKey CMO Joe Braidwood confirmed to Mashable that the vulnerability is unrelated to the SwiftKey consumer app and placed the blame on Samsung.
“We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability,” he said in a statement.
Samsung was alerted to a similar issue back in November 2014, and told NowSecure it was working on a patch and eventually delivered one to carrier networks in late March for Android 4.2 and above. But the company believes current devices are still vulnerable –which Welton and NowSecure seem to proven so.
Braidwood also pointed out that is a “low risk” concern.
“A user must be connected to a compromised network (…), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time,” he argues.
Well, there’s that.
So, what should you do?
Since the keyboard cannot be uninstalled, NowSecure warns users to avoid unsecured Wi-Fi networks and/or use a different mobile device.
Samsung has yet to release a statement regarding the issue.
Here is a video from December, 2014 of Welton exploiting the previous vulnerability flaw.