

New exploit turns Samsung Galaxy phones into remote bugging devices


2 replies to this topic

#1 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 22,780 posts

Posted 17 June 2015 - 02:00 PM

Quote

As many as 600 million Samsung phones may be vulnerable to attacks that allow hackers to surreptitiously monitor the camera and microphone, read incoming and outgoing text messages, and install malicious apps, a security researcher said.

The vulnerability is in the update mechanism for a Samsung-customized version of SwiftKey, available on the Samsung Galaxy S6, S5, and several other Galaxy models. When downloading updates, the Samsung devices don't encrypt the executable file, making it possible for attackers in a position to modify upstream traffic—such as those on the same Wi-Fi network—to replace the legitimate file with a malicious payload. The exploit was demonstrated Tuesday at the Black Hat security conference in London by Ryan Welton, a researcher with security firm NowSecure. A video of his exploit is here.

Phones that come pre-installed with the Samsung IME keyboard, as Samsung markets its customized version of SwiftKey, periodically query an authorized server to see if updates are available for the keyboard app or any language packs that accompany it. Attackers in a man-in-the-middle position can impersonate the server and send a response that includes a malicious payload that's injected into a language pack update. Because Samsung phones grant extraordinarily elevated privileges to the updates, the malicious payload is able to bypass protections built into Google's Android operating system that normally limit the access third-party apps have over the device.

Surprisingly, the Zip archive file sent during the keyboard update isn't protected by transport layer security encryption and is therefore susceptible to man-in-the-middle tampering. The people designing the system do require the contents of that file to match a manifest file that gets sent to the phone earlier, but that requirement provided no meaningful security. To work around that measure Welton sent the vulnerable phone a spoofed manifest file that included the SHA1 hash of the malicious payload. He provided more details about the exploit and underlying vulnerability here and here.

Welton said the vulnerability exists regardless of what keyboard a susceptible phone is configured to use. Even when the Samsung IME keyboard isn't in use, the exploit is still possible. The attack is also possible whether or not a legitimate keyboard update is available. While SwiftKey is available as a third-party app for all Android phones, there's no immediate indication they are vulnerable, since those updates are handled through the normal Google Play update mechanism.....



And this is why:

Quote

I guess it was only a matter of time until this happened. That's what you get for mindlessly modifying each and every part of the system. Let me be clear here: This whole mess is entirely Samsung's fault. If this had happened in Google's keyboard or if they would have just gone with proper SwiftKey (Samsung's keyboard is a modified version of SwiftKey) this would be quickly solved through a simple app update. Unfortunately this doesn't seem to be possible here, so I guess millions and millions of devices will never get a fix.

https://plus.google....sts/LY7ZZGmJ4r7

"Do you begin to see, then, what kind of world we are creating? It is the exact opposite of the stupid hedonistic Utopias that the old reformers imagined. A world of fear and treachery and torment, a world of trampling and being trampled upon, a world which will grow not less but more merciless as it refines itself. Progress in our world will be progress toward more pain." -George Orwell, 1984
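As an added illustration (not code from the article, from Samsung or from SwiftKey), the following Python models why the manifest hash check quoted above offers no integrity on its own: a party that can rewrite the archive in transit can rewrite the manifest too. The sample pack contents, the `VENDOR_KEY`, and the use of HMAC as a stand-in for a real asymmetric signature are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample values (not real Samsung/SwiftKey data).
GENUINE_PACK = b"language-pack v1 (constructed genuine contents)"
TAMPERED_PACK = b"language-pack v1 (constructed tampered contents)"
# Stand-in for key material the device trusts and an on-path party never holds.
# A real design would pin a vendor public key and verify an asymmetric
# signature; HMAC is used here only so the example runs on the stdlib.
VENDOR_KEY = b"constructed-vendor-signing-key"


def make_manifest(pack: bytes) -> dict:
    """Manifest as the article describes it: just the SHA1 of the archive."""
    return {"sha1": hashlib.sha1(pack).hexdigest()}


def sign_manifest(manifest: dict, key: bytes) -> dict:
    """Hardened manifest: the hash is bound to a key the device trusts."""
    tag = hmac.new(key, manifest["sha1"].encode(), hashlib.sha256).hexdigest()
    return {**manifest, "mac": tag}


def verify_weak(manifest: dict, pack: bytes) -> bool:
    """Vulnerable check: the archive must match the hash in the manifest,
    but nothing proves the manifest itself came from the vendor."""
    return hmac.compare_digest(manifest["sha1"], hashlib.sha1(pack).hexdigest())


def verify_strong(manifest: dict, pack: bytes, key: bytes) -> bool:
    """Hardened check: authenticate the manifest first, then the archive."""
    expected = hmac.new(key, manifest["sha1"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(manifest.get("mac", ""), expected):
        return False
    return hmac.compare_digest(manifest["sha1"], hashlib.sha1(pack).hexdigest())


def simulate(tamper: bool) -> dict:
    """Model the update flow with an on-path party that can rewrite both the
    manifest and the archive (the position the article describes)."""
    manifest = sign_manifest(make_manifest(GENUINE_PACK), VENDOR_KEY)
    pack = GENUINE_PACK
    if tamper:
        pack = TAMPERED_PACK
        # The manifest is re-issued with the new hash, but a valid tag
        # cannot be produced without VENDOR_KEY, so the old tag stays.
        manifest = {**manifest, "sha1": hashlib.sha1(pack).hexdigest()}
    return {"weak": verify_weak(manifest, pack),
            "strong": verify_strong(manifest, pack, VENDOR_KEY)}
```

The weak check accepts the substituted archive because the hash it compares against travels over the same unauthenticated channel; the strong check rejects it because the hash is no longer bound to the trusted key.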

#2 OFFLINE   ebrke

ebrke

    Board Bigwig

  • Forum MVP
  • 2,669 posts

Posted 17 June 2015 - 04:20 PM

Interesting comment from G+. I had seen the original article on Ars (I think).

Edited by ebrke, 17 June 2015 - 04:23 PM.

Registered Linux User 344759

#3 OFFLINE   abarbarian

abarbarian

    Thread Kahuna

  • Forum MVP
  • 5,272 posts

Posted 18 June 2015 - 05:02 AM

Quote

And this is why:

Quote

I guess it was only a matter of time until this happened. That's what you get for mindlessly modifying each and every part of the system. Let me be clear here: This whole mess is entirely Samsung's fault. If this had happened in Google's keyboard or if they would have just gone with proper SwiftKey (Samsung's keyboard is a modified version of SwiftKey) this would be quickly solved through a simple app update. Unfortunately this doesn't seem to be possible here, so I guess millions and millions of devices will never get a fix.

https://plus.google....sts/LY7ZZGmJ4r7

Looks like Samsung have been trying to emulate Microsoft's best practice :whistling:
Install ARCH
You'll never need to install it again
"I did and I'm really happy"




