Jump to content

New exploit turns Samsung Galaxy phones into remote bugging devices


securitybreach

Recommended Posts

securitybreach
As many as 600 million Samsung phones may be vulnerable to attacks that allow hackers to surreptitiously monitor the camera and microphone, read incoming and outgoing text messages, and install malicious apps, a security researcher said.

 

The vulnerability is in the update mechanism for a Samsung-customized version of SwiftKey, available on the Samsung Galaxy S6, S5, and several other Galaxy models. When downloading updates, the Samsung devices don't encrypt the executable file, making it possible for attackers in a position to modify upstream traffic—such as those on the same Wi-Fi network—to replace the legitimate file with a malicious payload. The exploit was demonstrated Tuesday at the Blackhat security conference in London by Ryan Welton, a researcher with security firm NowSecure. A video of his exploit is

.

 

Phones that come pre-installed with the Samsung IME keyboard, as the Samsung markets its customized version of SwiftKey, periodically query an authorized server to see if updates are available for the keyboard app or any language packs that accompany it. Attackers in a man-in-the-middle position can impersonate the server and send a response that includes a malicious payload that's injected into a language pack update. Because Samsung phones grant extraordinarily elevated privileges to the updates, the malicious payload is able to bypass protections built into Google's Android operating system that normally limit the access third-party apps have over the device.

 

Surprisingly, the Zip archive file sent during the keyboard update isn't protected by transport layer security encryption and is therefore susceptible to man-in-the-middle tampering. The people designing the system do require the contents of that file to match a manifest file that gets sent to the phone earlier, but that requirement provided no meaningful security. To work around that measure Welton sent the vulnerable phone a spoofed manifest file that included the SHA1 hash of the malicious payload. He provided more details about the exploit and underlying vulnerability here and here.

 

Welton said the vulnerability exists regardless of what keyboard a susceptible phone is configured to use. Even when the Samsung IME keyboard isn't in use, the exploit is still possible. The attack is also possible whether or not a legitimate keyboard update is available. While SwiftKey is available as a third-party app for all Android phones, there's no immediate indication they are vulnerable, since those updates are handled through the normal Google Play update mechanism.....

 

 

And this is why:

 

I guess it was only a matter of time until this happened. That's what you get for mindlessly modifying each and every part of the system. Let me be clear here: This whole mess is entirely Samsung's fault. If this had happened in Google's keyboard or if they would have just gone with proper Swiftkey (Samsungs keyboard is a modified version of Swiftkey) this would be quickly solved through a simple app update. Unfortunately this doesn't seem to be possible here, so I guess millions and millions of devices will never get a fix.

https://plus.google....sts/LY7ZZGmJ4r7

Link to comment
Share on other sites

And this is why:

 

I guess it was only a matter of time until this happened. That's what you get for mindlessly modifying each and every part of the system. Let me be clear here: This whole mess is entirely Samsung's fault. If this had happened in Google's keyboard or if they would have just gone with proper Swiftkey (Samsungs keyboard is a modified version of Swiftkey) this would be quickly solved through a simple app update. Unfortunately this doesn't seem to be possible here, so I guess millions and millions of devices will never get a fix.

https://plus.google....sts/LY7ZZGmJ4r7

 

Looks like Samsung have been trying to emulate Microsofts best practice :whistling:

  • Like 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...