At least 600 million Samsung smartphones are vulnerable to remote attacks because of the way the company implemented the SwiftKey keyboard, NowSecure researcher Ryan Welton warned Tuesday.
A phone can be attacked if it's connected to a compromised or malicious WiFi network and the SwiftKey app is updating existing languages or adding a new language pack.
The preinstalled keyboard, white-labeled as the package "com.sec.android.inputmethod/SamsungIME," cannot be disabled or uninstalled, and it can be exploited even when it's not used as the default keyboard, said NowSecure CEO Andrew Hoog.
Samsung gave the app system privileges, so a remote attacker who can tamper with the keyboard's update mechanism ends up executing code on the phone as a privileged user rather than as an ordinary app.
Who's Vulnerable
"We have detected the flaw on Galaxy S3, S4, S5 and S6 models, as well as Note 3 and 4, and several other models," Hoog told TechNewsWorld.
NowSecure can't verify whether the flaw exists "on every possible variant on every carrier," but the 600 million figure is its "best and most conservative estimate," he added.
Galaxy tablet models dating back to 2012 have the Samsung IME package, Hoog disclosed, but that "does not necessarily indicate vulnerability."
The SwiftKey app in the Apple App Store and on Google Play is not vulnerable, SwiftKey said.
Downloading the app from Google Play and running it on a vulnerable Samsung smartphone isn't going to help, though, because the preinstalled SwiftKey app looks for updates in the background.
"The application regularly checks in to a server to see if an update is available when it connects to a WiFi network, so if you have an evil WiFi router and you set the requests to the update server to point to your evil server, the device can be exploited," noted Ken Westin, a security analyst for Tripwire.
Sharing the Blame
SwiftKey essentially blames Samsung, and says it's working with the vendor to resolve the problem.
However, SwiftKey is at least partially to blame, because it downloads updates over HTTP instead of the more secure HTTPS, argued Amit Sethi, a principal consultant at Cigital.
"The SwiftKey app verifies the update," he told TechNewsWorld. "The hash itself is also delivered over HTTP, which means both the hash and the update package can be modified by an attacker."
"SwiftKey should have conducted threat modeling or architecture risk analysis to ensure that its language packs were updated securely," Sethi suggested. "Samsung should at least have looked at what the app was doing before deciding to give it system level privileges."
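The failure Sethi describes, and the evil-router redirect Westin describes above, come down to one point: a hash fetched over the same untrusted channel as the package adds no integrity, because whoever rewrites the package can rewrite the hash to match. The Go program below is an added illustration written for this page, not SwiftKey's or Samsung's code; the manifest layout, the language-pack bytes and the attacker payload are constructed assumptions. It runs the same update exchange through a hash-only check and through a check that also verifies an Ed25519 signature over the hash with a key pinned in the client, once untouched and once through an on-path attacker who swaps the package and rewrites the hash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest stands in for the update metadata the keyboard fetches before a
// language pack. The field names are assumptions for this example, not the
// real SwiftKey format.
type Manifest struct {
	SHA256 string // hex digest of the language pack
	Sig    []byte // Ed25519 signature over SHA256; only the hardened check uses it
}

// makeManifest is the (hypothetical) vendor side: hash the pack, sign the hash.
func makeManifest(priv ed25519.PrivateKey, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	digest := hex.EncodeToString(sum[:])
	return Manifest{SHA256: digest, Sig: ed25519.Sign(priv, []byte(digest))}
}

// WeakVerify models the scheme the article describes: the client compares the
// pack against a hash that travelled over the same plaintext HTTP channel.
func WeakVerify(m Manifest, pkg []byte) error {
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("hash mismatch")
	}
	return nil
}

// StrongVerify additionally requires the hash to be signed by a key pinned in
// the client. An on-path attacker can rewrite bytes but cannot forge this.
func StrongVerify(pub ed25519.PublicKey, m Manifest, pkg []byte) error {
	if err := WeakVerify(m, pkg); err != nil {
		return err
	}
	if !ed25519.Verify(pub, []byte(m.SHA256), m.Sig) {
		return errors.New("manifest signature invalid")
	}
	return nil
}

// Mitm plays the "evil WiFi router": it substitutes the attacker's payload for
// the pack and rewrites the manifest hash to match. The signature is left as
// is, because the attacker holds no signing key.
func Mitm(m Manifest, payload []byte) (Manifest, []byte) {
	sum := sha256.Sum256(payload)
	m.SHA256 = hex.EncodeToString(sum[:])
	return m, payload
}

// RunScenario performs one update exchange, optionally through the attacker,
// and returns the outcome of both client-side checks (nil means accepted).
func RunScenario(tampered bool) (weakErr, strongErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pack := []byte("constructed sample: th_TH dictionary pack v2") // constructed input
	m := makeManifest(priv, pack)
	if tampered {
		m, pack = Mitm(m, []byte("constructed attacker payload")) // constructed input
	}
	return WeakVerify(m, pack), StrongVerify(pub, m, pack)
}

func main() {
	for _, tampered := range []bool{false, true} {
		w, s := RunScenario(tampered)
		fmt.Printf("tampered=%v  hash-only check: %v  signed-manifest check: %v\n", tampered, w, s)
	}
}
```

Run with `go run`: the untouched update passes both checks, the tampered one passes the hash-only check and fails the signed-manifest check. Signing the manifest does not make HTTPS unnecessary (plaintext transport still leaks which packs a user fetches and lets an attacker serve stale, previously signed packs), but it is the check that would have turned Westin's evil router into a denial of service rather than code execution as a system user.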
Samsung's Knox security service can update vulnerable phones' security policy over the air to invalidate the threat posed by the flaw, the company said.
Samsung will issue the updates soon. That might not help, however, because "the updates need to come from carriers, [which] are usually not quick to update patches," Tripwire's Westin told TechNewsWorld.
Mobile antivirus products "are essentially snake oil ... They operate in a sandboxed environment and will not do much to protect against this vulnerability," he added.
Reactions to the News
SwiftKey users took news of the flaw lightheartedly.
"This is a terrible risk for those of us who type several languages, don't keep our keyboards updated for those languages, and do updates from untrusted network connections. Whatever shall those of us who do all of those things do?" FoxBlackcinder responded on SwiftKey's blog.
"For the six people who live on planet Earth who write in the multiple keyboard versions of Thai and are constantly updating them on an unsecure network... Be afraid... Be VERY afraid," Paul Beauregard wrote.
Their optimism may be well founded, because the vulnerability "requires a bit of effort to successfully exploit," said Lane Thames, a software development engineer at Tripwire.
To minimize risk, users should not reboot their device when it's connected to a WiFi network, he told TechNewsWorld. They also should refrain from connecting to unknown or insecure WiFi networks.
The news will weaken Samsung's security message for some time, said Rob Enderle, principal at the Enderle Group. That said, "if security vulnerabilities in phones had a high impact on consumer demand," he told TechCrunch, "Android wouldn't exist in the market today."