securitybreach Posted June 17, 2015 Share Posted June 17, 2015 As many as 600 million Samsung phones may be vulnerable to attacks that allow hackers to surreptitiously monitor the camera and microphone, read incoming and outgoing text messages, and install malicious apps, a security researcher said. The vulnerability is in the update mechanism for a Samsung-customized version of SwiftKey, available on the Samsung Galaxy S6, S5, and several other Galaxy models. When downloading updates, the Samsung devices don't encrypt the executable file, making it possible for attackers in a position to modify upstream traffic—such as those on the same Wi-Fi network—to replace the legitimate file with a malicious payload. The exploit was demonstrated Tuesday at the Blackhat security conference in London by Ryan Welton, a researcher with security firm NowSecure. A video of his exploit is . Phones that come pre-installed with the Samsung IME keyboard, as the Samsung markets its customized version of SwiftKey, periodically query an authorized server to see if updates are available for the keyboard app or any language packs that accompany it. Attackers in a man-in-the-middle position can impersonate the server and send a response that includes a malicious payload that's injected into a language pack update. Because Samsung phones grant extraordinarily elevated privileges to the updates, the malicious payload is able to bypass protections built into Google's Android operating system that normally limit the access third-party apps have over the device. Surprisingly, the Zip archive file sent during the keyboard update isn't protected by transport layer security encryption and is therefore susceptible to man-in-the-middle tampering. The people designing the system do require the contents of that file to match a manifest file that gets sent to the phone earlier, but that requirement provided no meaningful security. To work around that measure Welton sent the vulnerable phone a spoofed manifest file that included the SHA1 hash of the malicious payload. He provided more details about the exploit and underlying vulnerability here and here. Welton said the vulnerability exists regardless of what keyboard a susceptible phone is configured to use. Even when the Samsung IME keyboard isn't in use, the exploit is still possible. The attack is also possible whether or not a legitimate keyboard update is available. While SwiftKey is available as a third-party app for all Android phones, there's no immediate indication they are vulnerable, since those updates are handled through the normal Google Play update mechanism..... And this is why: I guess it was only a matter of time until this happened. That's what you get for mindlessly modifying each and every part of the system. Let me be clear here: This whole mess is entirely Samsung's fault. If this had happened in Google's keyboard or if they would have just gone with proper Swiftkey (Samsungs keyboard is a modified version of Swiftkey) this would be quickly solved through a simple app update. Unfortunately this doesn't seem to be possible here, so I guess millions and millions of devices will never get a fix. https://plus.google....sts/LY7ZZGmJ4r7 Quote Link to comment Share on other sites More sharing options...
ebrke Posted June 17, 2015 Share Posted June 17, 2015 (edited) Interesting comment from G+. I had seen the original article on Ars (I think). Edited June 17, 2015 by ebrke Quote Link to comment Share on other sites More sharing options...
abarbarian Posted June 18, 2015 Share Posted June 18, 2015 And this is why: I guess it was only a matter of time until this happened. That's what you get for mindlessly modifying each and every part of the system. Let me be clear here: This whole mess is entirely Samsung's fault. If this had happened in Google's keyboard or if they would have just gone with proper Swiftkey (Samsungs keyboard is a modified version of Swiftkey) this would be quickly solved through a simple app update. Unfortunately this doesn't seem to be possible here, so I guess millions and millions of devices will never get a fix. https://plus.google....sts/LY7ZZGmJ4r7 Looks like Samsung have been trying to emulate Microsofts best practice 1 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.