600M Samsung Smartphones Vulnerable To Hacking - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile // Mobile Applications
Commentary
6/17/2015
04:20 PM
Larry Loeb
Larry Loeb
Commentary
100%
0%

600M Samsung Smartphones Vulnerable To Hacking

A report from a security firms finds that Samsung's smartphones are vulnerable to attacks thanks to replacement software in the SwiftKey keyboard. However, it's not really Samsung's fault.

10 Smartphone Apps You Can Talk To
10 Smartphone Apps You Can Talk To
(Click image for larger view and slideshow.)

Security research firm NowSecure says it has uncovered a serious problem in all of Samsung's smartphones that may allow them to be attacked, according to some published reports.

This vulnerability comes from the SwiftKey keyboard replacement software included with all of the phones, rather than from the core system software.

The problem seems to be that the software, which is given system-level access by Samsung, updates itself in plain text. This means that an attacker can spoof SwiftKey into thinking it is getting an update when it is really being attacked.

This attack could then run malicious code that could access the camera and microphone sensors or eavesdrop on phone calls.

NowSecure says it notified Samsung in December 2014 of the vulnerability, and a patch was developed in early 2015.

(Image: Martin Dimitrov/iStockphoto)

(Image: Martin Dimitrov/iStockphoto)

However, the patch needs to be deployed by the wireless carriers, rather than the user. Since no one knows if the patch has in fact been deployed by the carriers, one must assume the vulnerability is still extant.

NowSecure has said that Verizon Wireless, Sprint, and AT&T have not deployed it, according to their tests.

Users would be most vulnerable to a spoofing attack on insecure networks like public WiFi hotspots.

Paco Hope, principal consultant with Cigital, a consulting firm that looks at application and software security, wrote in June 17 statement that this flaw with Samsung's smartphones shows that companies need to do more than testing to find flaws in their software.

"This Samsung vulnerability is a textbook example of a software vulnerability in the design, not the code," Hope wrote. "The operating system updates a core component over HTTP and verifies it with a simple hash also loaded over trivially hijacked HTTP. It is easy to forge an arbitrary replacement. Software security techniques like threat modeling and architecture risk analysis pick up obvious security anti-patterns like this. There are many valid secure design patterns that would have served. This is an example of why software security involves a lot more than penetration testing and code review.

[Read about millennials and security.]

While Hope makes a valid point, it is also obvious that Samsung got hosed by SwiftKey here.

Samsung probably did not know about SwiftKey's updating practices before giving it system-level access. So, the upshot of this will be more scrutiny for the software partners of all brands of phones.

When it comes to smartphone security, Samsung isn't the only vendor reporting trouble lately.

In May iPhone users were plagued by a string of texts that could crash the device. Although Apple offered a temporary fix after several users and security firms reported the problem, there hasn't been a permanent fix just yet. However, there doesn't seem to be any long-term damage from this particular flaw.

[Editor's note: Due to an editing error, the number of samsung phones affected was mistated. The estimated number is actually 600 million, according to NowSecure.]

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
RyanJ879
50%
50%
RyanJ879,
User Rank: Apprentice
6/18/2015 | 8:52:28 AM
Small surface area
The vulnerability is yes a problem but the surface area of the attack is so small that the hype is quite unreasonable.  The attacker has to highjack the update session, which doesn't happen non-stop but randomly and when it needs to.  To pull off this attack it's such a small window that I'll be shocked if more than 0.00001% of Samsung phones become affected by this.
larryloeb
50%
50%
larryloeb,
User Rank: Author
6/18/2015 | 2:26:42 PM
Re: Small surface area
It's quite true that this is a limited scenario for SwiftKey's vulnerability.

But--and this is the big thing to me-- Samsung elevated a thrid party app to system status without vetting it. It's like gving someone the keys to your kingdom and just assuming they won't hurt you. That's a naiive apporach.

Secondly, why is it that the wireless cariers have to disseminate the fix? There should be some other method to do it. I'm not sure if this is an Anroid only problem (given how many flavors of Android are out there) or something that Samsung did.

Locking the barn door after the horses are out never works, anyway
RyanJ879
50%
50%
RyanJ879,
User Rank: Apprentice
6/18/2015 | 2:34:37 PM
Re: Small surface area
Universally this seems to be an issue among android devices.  From personal experience I've had the HTC aria delayed for updates for no known reason, and with my second samsung phone I've had updates delayed by the carrier.  ATT for some reason is a month behind Verizon and Sprint on updates.  Same hardware though, so why the prolonged update time?
larryloeb
50%
50%
larryloeb,
User Rank: Author
6/18/2015 | 3:32:19 PM
Re: Small surface area
The Apple ecosystem does have its advantages here.

Apple pushes out updates via opportunistic downloading. Users have to take a far less active role in updating.

I think this tends to work a lot better to keep software current than how Android can update.
Dr.T
50%
50%
Dr.T,
User Rank: Strategist
6/22/2015 | 1:02:34 PM
Only Samsung?
 

I am surprised this SwiftKey vulnerability is only about Samsung. If it requires patched on the carrier layer, it must be the case for other carriers in my view.
Dr.T
50%
50%
Dr.T,
User Rank: Strategist
6/22/2015 | 1:05:55 PM
Re: Small surface area
That is partially good news for Samsung but anytime there is news around security it is perceived as bad regardless how server it is. 
Dr.T
50%
50%
Dr.T,
User Rank: Strategist
6/22/2015 | 1:07:47 PM
Re: Small surface area
I agree. System level access should never be given to third parties regardless of what their intention could be.
Dr.T
50%
50%
Dr.T,
User Rank: Strategist
6/22/2015 | 1:10:35 PM
Re: Small surface area
I agrees. This is like Chrome pushing updates regardless of user preferences. That made Chrome more secure comparing to other browsers and reached to the most market share. 
larryloeb
50%
50%
larryloeb,
User Rank: Author
6/22/2015 | 1:23:59 PM
Re: Only Samsung?
Samsung used Swiftkey with elevated system access; even though they are claiming their KNOX scheme will prevent such things on newer phones.

I could see he same thing happening on other Android phones.
kstaron
50%
50%
kstaron,
User Rank: Ninja
6/24/2015 | 10:38:20 AM
so why haven't the carrier's fixed this?
I'm most concerned right now with the fact that three major carriers haven't carried out the update to fix this yet. If i can't do it as a user, the carrier should be doing this fix post haste unless of course they want to have some liability in any issues this causes for users. Is there some huge obstacle preventing the carriers to do the fix?
Page 1 / 2   >   >>
Slideshows
10 Top Cloud Computing Startups
Cynthia Harvey, Freelance Journalist, InformationWeek,  8/3/2020
Commentary
How Enterprises Can Adopt Video Game Cloud Strategy
Joao-Pierre S. Ruth, Senior Writer,  7/28/2020
Commentary
Conversational AI Comes of Age
Guest Commentary, Guest Commentary,  8/7/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Special Report: Why Performance Testing is Crucial Today
This special report will help enterprises determine what they should expect from performance testing solutions and how to put them to work most efficiently. Get it today!
Slideshows
Flash Poll