Massive security flaws discovered in Samsung Galaxy phones ~ Coding Savvy
Coding Savvy FB Twitter Google
» »

Massive security flaws discovered in Samsung Galaxy phones

Security company NowSecure has discovered a potential breach related to the Swift keyboard installed on Samsung's Android devices upto 600 million Samsung Galaxy phones could be at risk of a major security breach that could see malicious hackers take control of parts of the phones. If security is breached, an attacker would be able to access the camera and microphone, secretly install apps, access pictures and listen in on phone calls.
Massive security flaws dicovere in Samsung Galaxy phones
The potential weak spot is from a flaw in the Swift keyboard software that comes pre-installed on Samsung phones, included the flagship Galaxy S6.
More specifically, it revolves around updates provided to Samsung by SwiftKey, the British virtual keyboard company, and how Samsung applies them into the pre-installed software.
Massive security flaws dicovere in Samsung Galaxy phones
SwiftKey provides data on what users are talking about on their phones, which is used to improve the typing experience on Samsung phones. However, an error in how Samsung integrates this information could leave phones open to attacks, according to security firm NowSecure, which discovered the bug. NowSecure says it told Samsung about the flaw months ago, and that the Korean manufacturer has attempted to fix it, but that many smartphones are still vulnerable. It recently bought popular devices off the shelf, and found they could still be hacked into. The flaw becomes a major problem if users log on to unsecured Wi-Fi networks, which are then used by the keyboard software to install SwiftKey's updates. At this point, a hacker could exploit the vulnerability to install their own code. Since the SwiftKey updates are given a privileged position on the devices, they are able to take control of important functions on the phone. It is important to distinguish between the Swift keyboard software, which comes pre-installed on the devices and uses some SwiftKey services, and the optional SwiftKey keyboard - a popular virtual keyboard for Android and iOS devices. The flaw is not related to the SwiftKey keyboard, and un-installing it will not fix the flaw. The Swift keyboard software, meanwhile, cannot be uninstalled. Using a different keyboard or changing the default one will not help either.
According to SwiftKey, the flaw is "low-risk".
"The vulnerability in question poses a low risk: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device," the company said, although it has subsequently deleted the corresponding blogpost. "This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network." Samsung said it was working with SwiftKey "to address potential risks going forward".

How to protect yourself
Here's what you can do to find out if you're at risk and limit the risk of attack.
See if your phone is at risk
The first thing is to see if your phone is at risk. NowSecure said the following could be:
Galaxy S6
Galaxy S5
Galaxy S4
Galaxy S4 Mini


However, this is not comprehensive and are only the ones NowSecure identified.

Avoid insecure Wi-Fi networks
 
We all love free Wi-Fi.
However, many of them are unsecured and vulnerable to hacking.
Most Wi-Fi networks that require you to log in via your network settings, rather than via a browser, are more likely to be safe. If you're accessing networks in a coffee shop or hotel, check with staff to see if it is legitimate, although this isn't a fail-safe solution.
Once you're done using the network, tell your phone to forget it so that it does not automatically log in again. Your phone may be most vulnerable when it is being rebooted, so try not to do this when connected to a public network.

Switch your phone or contact your carrier

A radical solution perhaps, but one of those proposed by NowSecure, is to use a different device. You can also contact your mobile operator to see if a patch has been developed and installed.
Was this article helpful?
Thanks! Your feedback helps us improve tutorials.

You May Also Like...

No comments:

Post a Comment