During a presentation at BlackHat London in early June, a major vulnerability in software that comes bundled with Samsung phones was unveiled. The bug, uncovered by NowSecure researcher Ryan Welton, lets intruders hijack software updates for Swiftkey, the device’s default keyboard, and execute their own code. The security firm estimated that 600 million Samsung smartphone owners are potentially at risk.
The keyboard app, signed with Samsung’s private signing key, runs in the “system user” context. As a system user, you can do virtually anything on the device. This privileged level of access, coupled with the fact that Swiftkey installs updates delivered in plain text (not encrypted), makes it possible for an intruder to hijack the update and remotely execute code and malicious programs. The vulnerability is triggered automatically on reboot and during application updates.
After gaining control of your device, an attacker can access resources like your camera and microphone, secretly install malicious applications, eavesdrop on telephone calls, and retrieve personal data such as pictures and text messages. The Swiftkey typing software comes pre-installed on devices and cannot be uninstalled, leaving users vulnerable until their carrier implements a patch provided by Samsung.
Welton simulated an attack in which he created a spoof proxy server and directed an unsuspecting user to this rogue network. As with most man-in-the-middle attacks, users are most exposed on unsecured wireless networks like those found at an airport or coffee shop. Because Swiftkey’s updates are unencrypted, Welton was able to send malicious “security updates” to affected devices through a wireless man-in-the-middle attack.
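The root problem described above is that the device installs whatever the network hands it as an update. The following Go program is an added illustration, not code from NowSecure, Samsung or Swiftkey, and it does not claim to show how the vendor patch works. It contrasts an update client that applies an unverified download with one that pins the vendor’s public key and refuses any payload whose detached Ed25519 signature does not verify; the key pair, payload strings and the `tamper` step that models an on-path attacker are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is what the device downloads: the payload plus the vendor's
// detached signature over it (constructed structure for this example).
type Update struct {
	Payload   []byte
	Signature []byte
}

// UpdateClient holds the only thing the device needs to trust: the vendor's
// public key, shipped with the app rather than fetched over the network.
type UpdateClient struct {
	VendorPub ed25519.PublicKey
}

var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned vendor key")

// VerifyAndApply is the hardened path: a payload the pinned vendor key did not
// sign is refused before anything is installed.
func (c UpdateClient) VerifyAndApply(u Update) ([]byte, error) {
	if !ed25519.Verify(c.VendorPub, u.Payload, u.Signature) {
		return nil, ErrBadSignature
	}
	return u.Payload, nil
}

// ApplyUnverified is the weak path the article describes: whatever arrived
// over the (plain-text) connection is treated as the update.
func ApplyUnverified(u Update) []byte { return u.Payload }

// signUpdate runs on the vendor side, never on the device.
func signUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// tamper models an on-path party substituting the payload in transit while
// leaving the original signature attached.
func tamper(u Update, replacement []byte) Update {
	return Update{Payload: replacement, Signature: u.Signature}
}

// Scenario runs both client paths against a constructed genuine update and a
// constructed tampered copy. It reports whether the weak path accepted the
// tampered payload, whether the hardened path rejected it, and whether the
// hardened path still accepted the genuine update.
func Scenario() (unverifiedAccepted, verifiedRejected, genuineAccepted bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair, generated fresh for the demo
	if err != nil {
		return false, false, false, err
	}
	client := UpdateClient{VendorPub: pub}

	genuine := signUpdate(priv, []byte("language-pack update v1 (constructed sample)"))
	hijacked := tamper(genuine, []byte("substituted payload (constructed sample)"))

	// Weak path: the substituted bytes are installed unchanged.
	unverifiedAccepted = bytes.Equal(ApplyUnverified(hijacked), hijacked.Payload)

	// Hardened path: the substituted bytes fail verification ...
	_, e := client.VerifyAndApply(hijacked)
	verifiedRejected = errors.Is(e, ErrBadSignature)

	// ... while the genuine, vendor-signed update is still accepted.
	got, e := client.VerifyAndApply(genuine)
	genuineAccepted = e == nil && bytes.Equal(got, genuine.Payload)
	return unverifiedAccepted, verifiedRejected, genuineAccepted, nil
}

func main() {
	u, r, g, err := Scenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("unverified client installed tampered update: %v\n", u)
	fmt.Printf("verifying client rejected tampered update:   %v\n", r)
	fmt.Printf("verifying client accepted genuine update:    %v\n", g)
}
```

The point of the contrast is that encrypting the link (TLS, or the encrypted Wi-Fi the article recommends) narrows who can sit on the path, but only a signature checked against a key the device already holds makes the update’s origin verifiable regardless of which network it crossed.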
NowSecure discovered the bug in December 2014 and notified Samsung. Although the initial patch was created in “early 2015”, it is up to the carrier to roll out the update. The security firm recently determined that multiple devices still on the shelves were vulnerable, including the S3, S4, S5, S6 and the Galaxy Note 3 and 4. Swiftkey noted that the keyboard apps available via the Apple App Store or the Google Play store are not affected by this vulnerability. However, users can’t just upgrade to a new version of the app to be safe; it’s up to the carrier to push the proper upgrade.
Until patches are ready for distribution by your carrier, avoid using open wireless networks. Secure, encrypted wireless is the surest way to protect against attacks like these. It is a further reminder of why WPA2-Enterprise and 802.1X authentication are more important than they have ever been.