Samsung security flaws leave 600 million Android users vulnerable to simple keyboard hack. New research indicates NowSecure a critical flaw in Samsung phones left an estimated 600 million vulnerable devices hacks by simple man-in-middle-style-hack.
This is not the first time that poor security practices of Samsung has been in the news this year, but this mobile dwarfs default encryption smart television themes we cover this spring. The problem, however, has the same root cause - not existing encryption practices and poor security measures.
In this case, Samsung sent his own version of SwiftKey, an Android keyboard. SwiftKey developers have stated that the error is not present in their version of the code, which means Samsung is responsible for the creation and distribution of the failure.
SwiftKey update process runs invisibly in the background, but it runs on the level of user permissions system. That's just one step away from root access and permission process to bypass security checks and safeguards that might otherwise prevent operation occurs. There is little in the way of checking files or confirmation - the update process performs a check of hash in the ZIP file you download, but researchers have already discovered how to bypass it.
Because Samsung does all this in plain text, it is trivially easy for anyone in the same Wi-Fi network for a classic-man-in-the-middle attack and serve a SHA1 hash infected with identical file. This can be used to monitor the camera, microphone, read messages, and install applications, all without the user being aware of it. SwiftKey because you can not remove, any owner of Galaxy S5 or S6 is potentially affected. Do not use the keyboard does not help, either - you can still check for updates in the background and will be vulnerable whenever it does.
The Android ecosystem is fundamentally inadquate
A few months ago, we've covered Google's decision to stop patching previous versions of Android, although how they continue to sell devices that use these versions. One of the most common defenses of the company is that Google should not bother to write patches for its own operating system, as it does not control the distribution platform and can not force computer manufacturers to really roll out an update.
Samsung is now trapped in a similar boat. By all accounts, the company actually fixed the error SwiftKey January, but no single company has yet included the review. That means that everyone with one of these devices is now vulnerable to attack MitM quite trivial. While Samsung deserves a significant part of the blame for not checking their own security measures, it is not the only institution to blame. What we see here is the end result that no one takes seriously the security at any particular level.
This lack of security best practices is one reason why the Internet of Things could stop off. In a world where devices are very easy to manipulate or cut, the benefits of the "dumb" products could quickly overwhelm the bells and whistles manufacturers try to paste in your various "smart" hardware. As things stand, the devices ship with security implementations incredibly broken, and the only response from wireless carriers is sit on their collective thumbs.
If you own a Samsung Galaxy device, as of today, there is absolutely nothing you can do to close this security hole. Rooting the device to remove the keyboard or cyanogen installation could take care of the problem, but below that, everyone is stuck with it.
