Huge Samsung Galaxy security flaw (updated with Samsung statement)

@Fuzion24 warnz of MITM haxorz: This is huge

Samsung Galaxy S6, S5, S4 and S4 Mini phones have a massive flaw that allows an attacker to take over the device. It's in the keyboard code, of all places, thanks to a custom SwiftKey build. There are about 600 million of these things in circulation, it's thought.

The bug is easy to exploit, because the phones are vulnerable to a plain-text man-in-the-middle attack. Yet it's hard to properly patch, because fixing it relies on wireless carriers all over the world getting their respective fingers out and doing something.

The more you think about it, the more awful this appears: Imagine a global botnet of 600 million mobiles. In IT Blogwatch, bloggers shudder.

Your humble blogwatcher curated these bloggy bits for your entertainment.

Thomas Fox-Brewster raises the alarm (and he ain't lickin' chicken):

Android phone owners would be forgiven for thinking major manufacturers had their backs when it came to security. ... But a serious issue [affecting as] many as 600 million Samsung mobiles highlights just how wrong that assumption can be.

The SwiftKey keyboard pre-installed on Samsung phones looked for...updates over unencrypted lines, in plain text. [It] could be used to give an attacker system user level privileges and allow them to siphon off...most information the victim would have considered private.

Having been alerted to the issue back in November 2014, Samsung...eventually delivered one to carrier networks in late March for Android 4.2 and above. ... [NowSecure] believes current devices are still vulnerable. ... Samsung had not responded to a request for comment at the time of publication.  MORE

And Dan Goodin adds:

Phones that come pre-installed with the Samsung IME keyboard, as the Samsung markets its customized version of SwiftKey, periodically query an authorized server to see if updates are available. ... Attackers in a man-in-the-middle position can impersonate the server and send a response that includes a malicious payload.

Because Samsung phones grant extraordinarily elevated privileges, [the] payload is able to bypass protections built into Google's Android.

For the time being, there's little people with vulnerable phones can do to prevent attacks. [And] carriers have consistently failed to offer security updates in a timely manner.  MORE
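The mechanism Goodin describes (a periodic update query over plaintext whose response is acted on as-is) is exactly what a signed, key-pinned update check closes off. The following is an added illustration, not Samsung's or SwiftKey's code: a hypothetical manifest format and a client check that refuses a response rewritten in transit and a genuine response that still points at a plaintext download.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"strings"
)

// Manifest is a hypothetical update-check response body (constructed for this example).
type Manifest struct {
	Version int    `json:"version"`
	URL     string `json:"url"`
}
// SignedResponse carries the raw manifest bytes plus a detached Ed25519 signature over them.
type SignedResponse struct{ Manifest, Signature []byte }
var ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
var ErrInsecureURL = errors.New("update URL must be https")

// VerifyUpdate authenticates the response against a key pinned in the client at build time
// before trusting any field in it, and refuses a manifest that would fetch over plaintext.
func VerifyUpdate(pinned ed25519.PublicKey, r SignedResponse) (*Manifest, error) {
	if !ed25519.Verify(pinned, r.Manifest, r.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(r.Manifest, &m); err != nil {
		return nil, err
	}
	if !strings.HasPrefix(m.URL, "https://") {
		return nil, ErrInsecureURL
	}
	return &m, nil
}

// Demo plays both server (signing) and client (verifying) over three constructed responses:
// genuine, rewritten in transit with the original signature replayed, and genuine but http://.
func Demo() (genuineOK, tamperedRejected, plaintextRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sign := func(m string) SignedResponse {
		return SignedResponse{[]byte(m), ed25519.Sign(priv, []byte(m))}
	}
	genuine := sign(`{"version":2,"url":"https://updates.example/kb-2.zip"}`)
	tampered := SignedResponse{[]byte(`{"version":2,"url":"https://mitm.example/kb-2.zip"}`), genuine.Signature}
	plain := sign(`{"version":2,"url":"http://updates.example/kb-2.zip"}`)
	_, e1 := VerifyUpdate(pub, genuine)
	_, e2 := VerifyUpdate(pub, tampered)
	_, e3 := VerifyUpdate(pub, plain)
	return e1 == nil, errors.Is(e2, ErrBadSignature), errors.Is(e3, ErrInsecureURL)
}
```

The point a defender cares about is that the plaintext transport is only half the bug; without a signature checked against a key the attacker cannot obtain, any update channel is a code-execution channel for whoever sits in the path.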

NowSecure's Ryan "Fuzion24" Welton done unveiled the vuln in London: [You're fired -Ed.]

The Swift keyboard comes pre-installed...and cannot be disabled or uninstalled. Even when it is not...the default keyboard, it can still be exploited. [It] was signed with Samsung’s private signing key and runs in one of the most privileged contexts on the device, system user.

This exploit requires no user interaction.

To reduce your risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing. ... The Play store version of the app has NO impact on the system level keyboard and does not remove the vulnerability. [The] threat will persist until...the Samsung stock patched through a carrier update.  MORE

Oh, and Welton goes on to clarify an important point:

The keyboard checks for updates...the first time the keyboard is opened after every reboot and seemingly randomly every few hours.  MORE

But David Ruddock dismisses it as "Probably Nothing To Worry About":

It's actually not even clear if newer devices can be [exploited] as it was demonstrated on substantially older firmware. While there is no simple way to update the Samsung IME keyboard (you can remove the app entirely if you're rooted).

[And] this isn't an easy flaw to exploit. ... There's probably nothing much here to worry about unless you regularly frequent unsecured wireless networks.  MORE

Not so, says your humble blogwatcher:

IMHO, people sound complacent when they say, "There's probably nothing much here to worry about." MITM attacks on unencrypted connections aren't just restricted to your local cafe's Wi-Fi network.

An attacker can set themselves up as a MITM on a wired or WPA network using techniques such as ARP poisoning and DNS spoofing. And don't get me started on the risk of nation states faking routes.

Bottom line: This is a nasty, nasty vulnerability that will remain unpatched in many of the 600 million devices. Those unpatched phones will be hanging around on the Internet for years. You bet that's something to worry about.  MORE

Update: Samsung disagrees:

There have been reports that there is [a] vulnerability when keyboard updates are carried out [but] there have been no reported customer cases of Galaxy devices being compromised through these keyboard updates.

All flagship models since Galaxy S4 have the KNOX security platform...which enforces a number of mandatory security settings. ... Security policy updates will begin rolling out in a few days.

For the devices that don’t come with KNOX by default, we are currently working on an expedited firmware update. ... Availability and schedule may vary by...model, region and service carrier.  MORE

You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.

Copyright © 2015 IDG Communications, Inc.
