Samsung security flaw could affect millions of smartphones

TORONTO – Researchers have discovered a massive security flaw in Samsung’s Galaxy smartphone line that could allow hackers to take control of a user’s phone and access private data stored on the device.

U.S. security firm NowSecure published a report this week revealing that a bug in the Swift keyboard software – which is pre-installed on more than 600 million Samsung devices – could allow attackers to secretly install malicious apps on a user’s phone without their knowledge.

If a hacker successfully exploited the flaw, it would allow them to access the device’s camera and microphone, eavesdrop on phone calls and access private data, including photos and text messages.

The problem is that if your phone is running the Swift keyboard software, you aren’t able to uninstall it.

What is this vulnerability?

SwiftKey uses artificial intelligence technology to predict the next word a user is going to type. On the user’s end, the software simply offers a few word suggestions. But Samsung uses data sent from SwiftKey to improve the typing experience on its devices.

According to NowSecure, the flaw revolves around how SwiftKey provides updates to Samsung and how Samsung then applies those updates to its software.

“The Swift keyboard comes pre-installed on Samsung devices and cannot be disabled or uninstalled. Even when it is not used as the default keyboard, it can still be exploited,” read NowSecure’s report.

What could it allow hackers to do?

According to the security firm, if the flaw in the keyboard is exploited, an attacker could:

  • Access sensors and features like the phone’s GPS, camera and microphone
  • Secretly install malicious apps without the user knowing
  • Tamper with how other apps work or how the phone works
  • Eavesdrop on incoming and/or outgoing messages or voice calls
  • Attempt to access sensitive personal data like pictures and text messages

What devices are affected?

By NowSecure’s estimates, the flaw could affect as many as 600 million devices, including Samsung’s most recent device, the Galaxy S6. The list of devices affected includes the Galaxy S6, S5, S4 and S4 Mini.

However, if you use the iOS or Android app version of SwiftKey, it’s important to note that your device is not affected.

SwiftKey considers the flaw to be “low-risk”

According to a statement issued by SwiftKey to tech website Mashable, though the flaw is concerning, it’s relatively “low risk” for the average user, because most are unlikely to be put in a situation where an attacker could exploit the vulnerability.

“The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device,” read a statement from SwiftKey issued to Mashable.

“This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”

When will there be a fix?

Samsung said the company will be issuing a security update through its Knox security platform “in a few days,” according to Mashable’s report.

“Samsung KNOX has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward,” read a statement from the company.

NowSecure said Samsung previously provided a security patch to fix the issue to mobile network operators; however, it’s unknown if the carriers provided the patch to devices on their networks.

What can you do to protect yourself?

Security experts recommend staying off unsecured public Wi-Fi connections if your device is affected by the flaw. Typically, free public networks offer little to no security, which makes them a hotbed for hackers looking to exploit flaws like this one.
