Samsung’s built-in SwiftKey keyboard reportedly vulnerable to cracking attack [Updated]

BY Evan Selleck

Published 17 Jun 2015


Security is more important than ever before, especially on the mobile devices many people carry around with them every single day.

Owners of a Samsung-branded Galaxy device may want to pay attention to a new report. According to Forbes, citing information from a mobile security firm called NowSecure, the built-in SwiftKey keyboard that is included with many Samsung devices is open to a malicious attack. The report states that the keyboard replacement looks for language pack updates over unencrypted connections, and that those requests were sent in plain text.

As a result, Ryan Welton, NowSecure’s CEO, was able to create a spoof proxy server and subsequently send malicious security updates to the devices that connected to it. Welton was able to install validating data on the devices as well, making sure the malicious software stayed installed on the handsets.

Welton notes that this could be used to mine information off a person’s personal device, including contact information, text messages, bank information, and more, without the user being aware that a third party has accessed it. It would also allow the outside individual to keep watch on the device’s owner.

It is worth noting that Samsung was presented with the problem back in November of 2014, and Samsung said it released a patch to fix the opening back in March of this year. However, Welton, while attending the Blackhat Security Summit in London, confirmed that recent tests with Verizon’s and Sprint’s Galaxy S6 showed the devices were still accessible through the aforementioned crack:

“We can confirm that we have found the flaw still unpatched on the Galaxy S6 for the Verizon and Sprint networks, in off the shelf tests we did over the past couple of days.”

It’s believed that this security exploit affects the Galaxy S3, Galaxy S4, Galaxy S5, Galaxy Note 3, Galaxy Note 4, and the Galaxy S6.

A statement from a SwiftKey representative indicated that the company has been made aware of the security issues, but that the apps the company has available through the Google Play Store (and the iOS App Store) are not susceptible to this same attack:

We’ve seen reports of a security issue related to the Samsung keyboard. We can confirm that the SwiftKey Keyboard apps available via Google Play or the Apple App Store are not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.

Update: On June 17, SwiftKey updated its blog to include an official statement from Samsung, which states that the company will be rolling out an update to patch the security flaw in “a few days”:

Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security. Samsung KNOX has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.

Do you use the built-in SwiftKey keyboard on your Galaxy smartphone?

[via Forbes; NowSecure]