600M Samsung smartphones are at risk of hacking, security expert says
A major vulnerability in software that comes bundled with Samsung phones has left as many as 600 million Samsung smartphone owners at risk of hacking, according to a report in Forbes.
Samsung gives SwiftKey typing software included on its devices system-level access, and the software also installs updates in plain text, security company NowSecure says -- which, when combined, make it possible for an intruder to hijack the update and remotely execute code and malicious programs.
Here's what NowSecure claims attackers can remotely do using the vulnerability:
- Access sensors and resources like GPS, camera and microphone
- Secretly install malicious app(s) without the user knowing
- Tamper with how other apps work or how the phone works
- Eavesdrop on incoming/outgoing messages or voice calls
- Attempt to access sensitive personal data like pictures and text messages
NowSecure researcher Ryan Welton says that the company notified Samsung in December 2014, and the company produced a patch in "early 2015." However, Samsung is reliant on carriers to roll out the patch, and "it is unknown if the carriers have provided the patch to the devices on their network. In addition, it is difficult to determine how many mobile device users remain vulnerable, given the devices models and number of network operators globally."
In short: Samsung can produce the best fixes in the world, but they're no good to anyone if the carriers don't push them to their users.
Recent NowSecure tests found that the the Galaxy S6 is unpatched on both the Verzion and the Sprint network in the US, as well as the T-Mobile Galaxy S5, AT&T Galaxy S4 Mini, and multiple other devices. The company estimates as many as 600 million devices could be affected.
Devices are vulnerable when they log on to insecure networks, such as a public Wi-Fi hotspot. Welton also told Forbes that "Fully remote attacks are also feasible by hijacking the Domain Name System (DNS), the network layer that directs user traffic to the right website after they ask to visit a particular URL, or by compromising a router or internet service provider from afar."
So what can users do to stop this happening? Very little, actually. Not only does SwiftKey come pre-installed on devices, it can't be uninstalled, leaving users constantly vulnerable until their carrier rolls out the patch. Mitigating steps suggested by NowSecure including avoiding insecure Wi-Fi networks, contacting your carrier for more information — or, most effectively, just "use a different mobile device."
In a statement, SwiftKey says it is "doing everything we can to support our long-time partner Samsung in their efforts to resolve this obscure but important security issue."
It goes on: "The vulnerability in question poses a low risk: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user's keyboard is conducting a language update at that specific time, while connected to the compromised network." A spokesperson also pointed out to Business Insider that the vulnerability does not affect the SwiftKey app available to download on the Apple App Store and Google Play Store.
Samsung did not immediately respond to a request for comment.
More from Business Insider:
Obama's former chief tech officer: Hacking got me the job
Uber wants to ditch the email-and-password login -- here's why
The most innovative company in the world -- as ranked by patents -- isn't actually Apple