
Samsung Keyboard Bug

Samsung Keyboard Bug Leaves 600m Android Devices Exposed to Hackers

A vulnerability in Samsung's Android keyboard installed on over 600m devices worldwide could allow hackers to take full control of the smartphone or tablet.
 
The security bug revolves around the update mechanism of the built-in keyboard, which looks for language updates for trending phrases either daily or weekly.
 
"The keyboard was signed with Samsung's private signing key and runs in one of the most privileged contexts on the device, system user, which is a notch short of being root," said researcher Ryan Welton from security company NowSecure who discovered the hole.
 
The problem was discovered last year. NowSecure told Samsung about the bug in December. Samsung asked NowSecure to keep the discovery under wraps until it could patch the problem. Google's Android security team was also notified.
 
However, six months on, it is unclear whether the patch is out. Samsung started that process in early 2015 but, unlike Apple with its direct model of software updates, is beholden to mobile phone providers to push out updates to their users.
It is unclear whether that has happened and on what scale users have updated their devices.

Users stuck even if they install another keyboard

"Unfortunately, the flawed keyboard app can't be uninstalled or disabled," said Welton. "It isn't easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update."
 
The problem centres on Samsung's integration of SwiftKey's underlying keyboard engine into its own keyboard software. SwiftKey essentially provides the brains for detecting what a user is trying to type, and Samsung does the rest, producing the completed keyboard and pre-installing it on its devices.
 
The Guardian understands that the fault lies within Samsung's code. SwiftKey-based keyboards on Android devices from other manufacturers, and SwiftKey's apps from the Google Play Store or for the iPhone, are unaffected.
 
If the Samsung Android device is connected to a malicious Wi-Fi network when the keyboard attempts to update its trending phrases and language pack, a hacker could substitute a backdoor for the update, gaining almost complete access to the phone.
 
According to NowSecure, a hacker could remotely access a smartphone's sensors, such as GPS, the camera or microphone, eavesdrop on calls or attack sensitive personal data.
 
"Unfortunately, we were only made aware of the issue on Tuesday," said Joe Braid, chief marketing officer of SwiftKey. "We are working as hard as possible to support Samsung and help it fix the issue."
 
Simply installing another third-party keyboard, including SwiftKey's full keyboard, does not fix the issue, as the Samsung keyboard continues to run in the background.
 
"There isn't a whole lot you can do except try to steer clear of networks you don't trust, where a crook might try to intercept and hack your traffic," said Paul Ducklin from security company Sophos. "The silver lining, if that's not too strong a way to describe it, is that a crook can't exploit this hole just whenever he likes: you have to be on his dodgy network when a [keyboard] update happens, and he has to notice in time to jump in as a man-in-the-middle."
 
The number of Samsung devices affected is extensive, and includes the latest Samsung Galaxy S models, including the Galaxy S6, S5 and S4.
