During the Black Hat London presentation “Abusing Android Apps and Gaining Remote Code Execution,” NowSecure mobile security researcher Ryan Welton revealed that over 600 million Samsung mobile devices are vulnerable to an attack that is “highly reliable, completely silent, and affects all devices.”
If you have a Samsung Galaxy phone, then you have the default Swift keyboard installed and that puts you at risk due to a significant security flaw in the keyboard. The Swift keyboard comes pre-installed on Samsung mobile devices and it cannot be uninstalled or even disabled. Even if you don’t use Samsung’s default keyboard, “it can still be exploited.”
If the flaw in the keyboard is exploited, an attacker could remotely:
- Access sensors and resources like GPS, camera and microphone.
- Secretly install malicious app(s) without the user knowing.
- Tamper with how other apps work or how the phone works.
- Eavesdrop on incoming/outgoing messages or voice calls.
- Attempt to access sensitive personal data like pictures and text messages.
NowSecure notified Samsung about the security flaw in December 2014. “Given the magnitude of the issue, NowSecure notified CERT who assigned CVE-2015-2865, and also informed the Google Android security team.” Samsung provided a patch to wireless carriers in early 2015, but that’s not nearly the same as the devices being patched since each carrier has to push the fix to vulnerable phones on their network. For example, in testing just this week NowSecure found the Galaxy S6 is still vulnerable on Verizon and Sprint networks.
Vulnerable Samsung phones
As of today, June 16, Galaxy S6, Galaxy S5, Galaxy S4 and Galaxy S4 Mini are listed as Samsung phones impacted by the flaw, but NowSecure noted that is not an all-inclusive list of impacted devices.
On the Verizon network: Galaxy S6 is “unpatched,” the status is “unknown” if Verizon deployed the fix to Galaxy S5, Galaxy S4 and Galaxy S4 Mini mobile devices on its network.
On AT&T: The patch status is “unknown” for Galaxy S6, Galaxy S5 and Galaxy S4; Galaxy S4 Mini is listed as “unpatched.”
On Sprint: Galaxy S6 is “unpatched” and the patch status is “unknown” for Galaxy S5, Galaxy S4 and Galaxy S4 Mini phones.
On T-Mobile: Galaxy S5 has not been patched; Galaxy S6, Galaxy S4 and Galaxy S4 Mini have an “unknown” patch status.
Details about the Swift keyboard vulnerability on Samsung phones
According to NowSecure’s technical details, the Swift “keyboard was signed with Samsung’s private signing key and runs in one of the most privileged contexts on the device, system user, which is a notch short of being root.”
The attack vector for this vulnerability requires an attacker capable of modifying upstream traffic. This can include geographically proximate attacks such as rogue Wi-Fi access points or cellular base stations, or attacks from local users on a network, including ARP poisoning. Fully remote attacks are also feasible via DNS Hijacking, packet injection, a rogue router or ISP, etc.
Welton explained that new languages can be added to Swift keyboards or existing languages can be upgraded. Those files come as a .zip and are “written as system user. This is a very powerful user capable of writing many places on the file system.” Oh, and the zip is sent over plaintext. The keyboard app validates the language zip files, but it does this with a manifest that is also sent insecurely.
After a little hacker magic, Welton was able to trigger the vulnerability and execute the payload. He also notes that each model and version of Samsung devices would require a specific payload, but that’s apparently not challenging as “Swift is kind enough to give us model version and build information in the http headers where they ask the server for the langaugePack update.”
He added:
Unfortunately, the flawed keyboard app can’t be uninstalled or disabled. Also, it isn’t easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update. To reduce your risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing.