Pew, pew, pew! Sammy shoots out updates to plug mobile keyboard snooping bug

Samsung has promised to deploy updates to resolve a serious mobile keyboard snooping bug, with security policy fixes expected in the coming days, the company said on Thursday – while simultaneously downplaying the issue.

As previously reported, researchers at security firm NowSecure warned that a problem involving the keyboard pre-installed with Samsung devices created a spying risk.

The risk arises from a design decision which meant updates were made over an unsecured, unencrypted HTTP connection, rather than HTTPS.

Worse yet, the update process has system-level access and the authenticity of updates isn’t checked, creating a mechanism for skilled hackers to push malware.

More than 600 million Samsung mobile devices – including the recently released Galaxy S6 – are potentially vulnerable to a greater or lesser extent.

“The Swift keyboard comes pre-installed on Samsung devices and cannot be disabled or uninstalled. Even when it is not used as the default keyboard, it can still be exploited,” an advisory by NowSecure explained.

“This can be exploited in a manner that requires no user interaction — a user does not have to explicitly choose to download a language pack update to be exploited," it added.

Remote code execution creates an open goal for attackers to snoop on Samsung devices, as third-party security experts have been quick to point out.

Paul Ducklin, a senior security advisor at Sophos, has a decent run-down of the issue here.

Sammy admitted there was a problem, while arguing that various factors make an attack difficult to pull off in practice. It said it was unaware of any exploitation, which – in any case – is guarded against by its KNOX security architecture on the latest model.

Nonetheless, the Korean consumer electronics giant will release an update, as a blog post explained.

This vulnerability, as noted by the researchers, requires a very specific set of conditions for a hacker to be able to exploit a device this way.

This includes the user and the hacker physically being on the same unprotected network while downloading a language update. Also, on a KNOX-protected device there are additional capabilities in place such as real-time kernel protection to prevent a malicious attack from being effective.

So, the likelihood of making a successful attack, exploiting this vuln is low.

There have been no reported customer cases of Galaxy devices being compromised through these keyboard updates. But as the reports indicated, the risk does exist and Samsung will roll out a security policy update in the coming days.

The issue involves Samsung's version of the app, a rebadged version of the popular SwiftKey keyboard for Android.

Downloads of SwiftKey Keyboard from Google Play or the Apple App Store are not affected by this issue, as developer SwiftKey emphasised. ®