600M Samsung Smartphones Vulnerable To Hacking

A report from a security firms finds that Samsung's smartphones are vulnerable to attacks thanks to replacement software in the SwiftKey keyboard. However, it's not really Samsung's fault.

Larry Loeb, Blogger, Informationweek

June 17, 2015

3 Min Read
<p align="left">(Image: Martin Dimitrov/iStockphoto)</p>

10 Smartphone Apps You Can Talk To

10 Smartphone Apps You Can Talk To

10 Smartphone Apps You Can Talk To (Click image for larger view and slideshow.)

Security research firm NowSecure says it has uncovered a serious problem in all of Samsung's smartphones that may allow them to be attacked, according to some published reports.

This vulnerability comes from the SwiftKey keyboard replacement software included with all of the phones, rather than from the core system software.

The problem seems to be that the software, which is given system-level access by Samsung, updates itself in plain text. This means that an attacker can spoof SwiftKey into thinking it is getting an update when it is really being attacked.

This attack could then run malicious code that could access the camera and microphone sensors or eavesdrop on phone calls.

NowSecure says it notified Samsung in December 2014 of the vulnerability, and a patch was developed in early 2015.

However, the patch needs to be deployed by the wireless carriers, rather than the user. Since no one knows if the patch has in fact been deployed by the carriers, one must assume the vulnerability is still extant.

NowSecure has said that Verizon Wireless, Sprint, and AT&T have not deployed it, according to their tests.

Users would be most vulnerable to a spoofing attack on insecure networks like public WiFi hotspots.

Paco Hope, principal consultant with Cigital, a consulting firm that looks at application and software security, wrote in June 17 statement that this flaw with Samsung's smartphones shows that companies need to do more than testing to find flaws in their software.

"This Samsung vulnerability is a textbook example of a software vulnerability in the design, not the code," Hope wrote. "The operating system updates a core component over HTTP and verifies it with a simple hash also loaded over trivially hijacked HTTP. It is easy to forge an arbitrary replacement. Software security techniques like threat modeling and architecture risk analysis pick up obvious security anti-patterns like this. There are many valid secure design patterns that would have served. This is an example of why software security involves a lot more than penetration testing and code review.

[Read about millennials and security.]

While Hope makes a valid point, it is also obvious that Samsung got hosed by SwiftKey here.

Samsung probably did not know about SwiftKey's updating practices before giving it system-level access. So, the upshot of this will be more scrutiny for the software partners of all brands of phones.

When it comes to smartphone security, Samsung isn't the only vendor reporting trouble lately.

In May iPhone users were plagued by a string of texts that could crash the device. Although Apple offered a temporary fix after several users and security firms reported the problem, there hasn't been a permanent fix just yet. However, there doesn't seem to be any long-term damage from this particular flaw.

[Editor's note: Due to an editing error, the number of samsung phones affected was mistated. The estimated number is actually 600 million, according to NowSecure.]

About the Author(s)

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights