Free Republic
General/Chat

Pre-installed keyboard leaves 600 million Samsung smartphones vulnerable to hackers
Digital Trends | June 17, 2015 | By Robert Nazarian

Posted on 06/17/2015 9:32:15 PM PDT by Swordmaker

If your rocking a Samsung smartphone, you could be vulnerable to hackers, thanks to a preinstalled keyboard on your device.

The vulnerability was discovered by Ryan Welton from mobile security specialists NowSecure. The issue is with the preinstalled Swift keyboard which looks for language pack updates over an unencrypted line. Welton found that a hacker could create a spoof proxy server and send a fake update to the device with malicious code. The hacker could then exploit the device by eavesdropping on incoming and outgoing messages or voice calls, access personal data such as pictures or text messages, tamper with apps, and even install other malicious apps.

Welton first discovered the flaw last year and subsequently notified Samsung in December 2014. Samsung immediately worked on a patch and sent updates to various carriers for devices running Android 4.2 or higher in March 2015. However, it’s unknown whether these patches have made their way to devices. Carriers are notorious for taking their time with updates due to their so-called rigorous testing for bugs.

Unfortunately, there is no other fix because users can’t simply uninstall the Swift app — one of the not so joyous benefits of carrier bloatware. Users are still vulnerable even when Swift isn’t set as the default keyboard.

What’s even scarier about this vulnerability is it even affects the Galaxy S6, which was released in April. Welton detailed this security flaw earlier today at the Blackhat Security Summit in London. He stated that he was able to hack into a Galaxy S6 running on Verizon Wireless. “We can confirm that we have found the flaw still unpatched on the Galaxy S6 for the Verizon and Sprint networks, in off the shelf tests we did over the past couple of days,” a NowSecure spokesperson confirmed.

According to the NowSecure website, it’s likely that the Galaxy S4 Mini, Galaxy S4, Galaxy S5, and Galaxy S6 are all affected, but it’s unclear which carrier-specific models received updates. The site only mentions U.S. carriers, so we aren’t sure if owners of international variants need to be worried.

Now before everyone with a Samsung phone goes into a panic attack, we need to point out that chances are rare that your device will be attacked through this vulnerability. A hacker can only use this method via a public Wi-Fi network, like those found at a coffee shop, hotel, or other public spaces. More importantly, a hacker has to have knowledge of this exploit and has to be on the same network as you. Chances are very slim that a hacker who knows about this security flaw will be at your local Starbucks at the same exact time as you.

Nevertheless, a security flaw should never be taken lightly, so NowSecure recommends staying away from public Wi-Fi networks if you have one of these Samsung devices. That might be easier said than done, though, especially for those who are on capped data plans and don’t want to use their carrier’s mobile network all day. The other thing you can do is contact your carrier and demand that your phone gets updated with the patch if it hasn’t already.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: android; galaxy; galaxysmartphones; hackvulnerability; iphone; keyboard; samsung; securityflaw; smartphone; smartphones; windowspinglist

1 posted on 06/17/2015 9:32:15 PM PDT by Swordmaker

To: Swordmaker

With all the apps connecting in the background and no way to stop them...hard to tell who’s who.


2 posted on 06/17/2015 9:37:36 PM PDT by Dallas59 (Only a fool stumbles on things behind him.)

To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
If you use a Samsung phone, and have a SWIPE keyboard pre-installed from Samsung, you are vulnerable to this exploit which can turn your phone into a listening post for a hacker. Initially requires the hacker to invade by being on the same WIFI but afterward the hacker could then exploit the device by eavesdropping on incoming and outgoing messages or voice calls, access personal data such as pictures or text messages, tamper with apps, and even install other malicious apps. Removing SWIPE does not remove the vulnerability, unfortunately. — PING!


Samsung Android Security Ping!

If you want on or off the Mac Ping List, Freepmail me.

3 posted on 06/17/2015 9:37:53 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: dayglored; ShadowAce
Ping for your respective ping lists. . . Would be a good one for the Android Ping list. . . Oh, wait. . . there isn't one.

Oh well. . .

At least we can tell the users of Samsung phones on our respective platforms to watch out. . .

4 posted on 06/17/2015 9:39:29 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

Shame the Samsung S5 has this vulnerability -
Sure have loved the pics it takes, expandable memory, replaceable / spare battery, super long battery life, waterproof, strong glass, and so much more.

Just when I thought I shoulda bought an Apple iproduct, was shocked to learn of this chink in its armor -
http://www.businessinsider.com/apple-ios-and-os-x-security-flaw-could-let-hackers-steal-passwords-and-app-data-2015-6...

;n)


5 posted on 06/17/2015 9:49:04 PM PDT by MarchonDC09122009 (When is our next march on DC? When have we had enough?)

To: Swordmaker
So what. Every wireless connection you use is recording every keystroke and transmitting it to where it can be stored.

Wireless Keyboard, mouse, router, smartphone, dumb phone, XBOX, telephone.

6 posted on 06/17/2015 9:54:26 PM PDT by UCANSEE2 (Lost my tagline on Flight MH370. Sorry for the inconvenience.)

To: Dallas59
> hard to tell who’s who.

They have an app for that.

7 posted on 06/17/2015 9:58:08 PM PDT by UCANSEE2 (Lost my tagline on Flight MH370. Sorry for the inconvenience.)

To: Swordmaker

“If your rocking a Samsung smartphone”

If “you’re” not going to use proper English, I’m not going to read “your” article.


8 posted on 06/17/2015 9:58:15 PM PDT by TheZMan (I am a secessionist.)

To: Swordmaker
Partial solution for electronic devices connected to the Web, never ever store your passwords or security questions (favorite friend, first dog, etc.) on your hard drive.

I have them printed out on paper under my blotter and have deleted same. Yes, I know, nothing is ever entirely deleted, but hackers can't get there unless direct access to your hard or flash drive. I've used Kaspersky for years and never gotten viruses, malware, trojans, or identity theft problems. If you have a strong firewall, you should be good.

9 posted on 06/17/2015 9:59:47 PM PDT by A Navy Vet (An Oath is Forever)

To: MarchonDC09122009
> Just when I thought I shoulda bought an Apple iproduct, was shocked to learn of this chink in its armor -

That is currently just a vulnerability. . . and that vulnerability is not on iOS. The serious one is the keychain hack but it requires the hacker to FIRST get a malicious app onto the Mac, not an easy thing to do. The researchers were able to poison their own OS X Keychain App because they had control of the computer, but to get control of someone else's computer and poison THEIR keychain app is an entirely different question. It also requires that they be able to sneak a malicious app onto Apple's curated OS X Mac App store.

". . . steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote." - Your linked Business Insider article.

The other big thing they thought they were demonstrating is also not so dire. . . the ability once they have a poisoned Keychain is stealing the iCloud token. . . not, as the article claimed "the iCloud passwords." However, that token is only used to guarantee secure connection between the iCloud's connection for that particular computer and the OS X Mac App store for downloading apps and updates. It could possibly allow a hacker to set up a man-in-the-middle-attack between the Apple server and the user and therefore possibly allow downloading more malicious software, but with a malicious malware already installed on the Mac, that is unnecessary, as the hacker presumably already has control of the Mac and going through such an exercise is moot.

The articles reporting this imply the token could allow a hacker to gain access to a user's iCloud data, but that is patently false. Even access to the Apple Keychain will not get a user's iCloud password because the password and user account for that are NOT STORED in the keychain. The iCloud token has nothing to do with user data.

In iOS, the vulnerability involves an App downloaded from the App store supposedly masquerading as an App that is authorized to inter-connect with another App to share data by using an Apple URL that is linked for that purpose. . . as if Apple would authorize such an App to be on the Apple iOS App store or remain there after such a malicious activity as stealing data from other Apps was discovered. Such Apps have been attempted to be uploaded and such attempts get their developers a lifetime ban from ever doing development for or with Apple. It's simply NOT going to happen. What they are talking about is taking advantage of Apple's inter-App ability to hand-off data. . . and saying a malicious App could be made to steal the data, if some very unlikely events happened. The researchers claim this is a violation of Apple's own sandboxing. . . yet that is how cooperation between Apps is supposed to work.

Preventing malicious Apps is why Apple's App Stores are curated.

10 posted on 06/17/2015 10:23:53 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: UCANSEE2
> So what. Every wireless connection you use is recording every keystroke and transmitting it to where it can be stored.

Not with an Apple device, they are not.

11 posted on 06/17/2015 10:24:32 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: TheZMan
> If “you’re” not going to use proper English, I’m not going to read “your” article.

Take that up with Digital Trends and their editors. I'm not going to spend my time editing a professional online magazine's content for grammar to pull your cookies out of the fire if you happen to own one of the vulnerable Samsung phones. Get infected for all I care. You'll have brought it on yourself by terminal Grammar snobbery!

12 posted on 06/17/2015 10:31:09 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: A Navy Vet
> I have them printed out on paper under my blotter and have deleted same. Yes, I know, nothing is ever entirely deleted, but hackers can't get there unless direct access to your hard or flash drive. I've used Kaspersky for years and never gotten viruses, malware, trojans, or identity theft problems. If you have a strong firewall, you should be good.

Kaspersky just announced early this week that THEY got hacked and someone stole their user database and their backdoor keys! LOL!

This vulnerability on Android is in the OS and downloads automatically because of built-in update routines in the SWIPE keyboard which apparently is routinely checking for new keyboard designs. . . which allows someone to piggyback malware on the download. A firewall won't prevent this. The blessing here is the initial infection has to occur locally from some hacker sharing a WIFI connection spoofing a server.

13 posted on 06/17/2015 10:39:51 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: TheZMan
> If “you’re” not going to use proper English, I’m not going to read “your” article.

PS: those irk me too.

14 posted on 06/17/2015 10:41:25 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker; rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; amigatec; ...

15 posted on 06/18/2015 4:05:19 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Swordmaker; Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; Alas Babylon!; amigatec; ...
Special to the Windows list for those with Samsung/Android phones ... PING!

You can find all the Windows Ping list threads with FR search: search on keyword "windowspinglist".

Thanks to Swordmaker for the ping!

16 posted on 06/18/2015 7:22:53 AM PDT by dayglored (Meditate for twenty minutes every day, unless you are too busy, in which case meditate for an hour.)

To: Swordmaker
Hi Sword,

From TFA:
> ...preinstalled Swift keyboard...

From your comment:
> ...have a SWIPE keyboard...

Are they the same? Not having a Samsung/Android myself...

17 posted on 06/18/2015 7:34:11 AM PDT by dayglored (Meditate for twenty minutes every day, unless you are too busy, in which case meditate for an hour.)

To: Swordmaker

That’s one of the reasons that the first thing I do with a new phone is root it and remove the bloatware.


18 posted on 06/18/2015 7:40:11 AM PDT by Squawk 8888 (Will steal your comments & post them on Twitter)

To: Swordmaker; TheZMan
> If “you’re” not going to use proper English, I’m not going to read “your” article.

> those irk me too.

My mother was a teacher, her father and sister were teachers, my father was, initially at least, a teacher - and his father, mother, and sister were teachers. So if anyone could be expected to have grammar Nazi tendencies, you would expect it of me. But, two things:
  1. I used to be irked when commentators, particularly sports announcers, would say, “He did that good.” “Good is an adjective, not an adverb; only ‘He did that well’ is correct.”

    And then one day I heard Dad use “good” as an adverb. And I thought, ‘If he doesn’t retain the distinction, what chance is there that the rest of American culture will retain it???’ And I just believe that the answer is, ‘None.’

  2. What with iPhones, etc., spell check is going to corrupt our spelling, especially of homophones such as “your” and “you’re.” I think we are just going to suck it up and deal with it.
BTW, there is a very interesting book on the subject of English spelling,
Spell It Out: The Curious, Enthralling, and Extraordinary Story of English Spelling Dec 2, 2014
which discusses the constraints within which the medieval scribes sought to make English spelling logical.

Interesting to learn that the Roman alphabet had 24 letters, and that the “double U” and the “j” were added in English; the “j” actually started life as a version of “i” and somehow turned into a consonant.

Off topic: I just read “How the Irish Saved Civilization” by Thomas Cahill. It discusses the transition from the Roman Empire to the Medieval order. Here’s some of the timeline:

409 - Roman garrison abandons Britain
410 - Goths sack Rome
430 - Death of Augustine (and the fall of his city, which he didn’t live to see)
432 - Bishop Patrick arrives in Ireland
Patrick is amazingly successful at evangelizing. His acolytes form monasteries, copy books, and seed other monasteries. They then seed monasteries in Northern England, and ultimately France and Italy.
461 - Death of Patrick
476 - Reign of the last Roman Emperor ends
At this point not only is the Empire kaput, Christianity in Europe is pretty much the same. The heathens are in charge everywhere, basically. But as a backwater to a backwater (England), Ireland is untouched by the transformation.
500 - Brigid founds monastery with a wing for monks and a wing for nuns. Scandalous to Romans.
557 - Columcille leaves Ireland, founds monastery on Iona, near Scotland.
590 - Columbanus leaves for Gaul.
782 - Alcuin takes over direction of Charlemagne’s Palatine School.
At Charlemagne’s court an Irishman wrote a compilation of ancient knowledge De mensura Orbis terrae which documents that “the flat earth theory” was not actually current in Medieval times. (The reason Columbus had a hard time getting his expedition funded was not that people thought that the radius of curvature of the earth was infinite, but that the smart money was on the distance to Asia being pretty much what it actually is. Columbus’ men were pretty desperate to find land by the time they actually did; imagine the prospect of sailing the whole Pacific without resupply!!)
793 - First Viking attack on Irish monastery.
Things go downhill for Ireland from then on; the Vikings gradually eviscerate Ireland, and centuries later the English pretty much finish the job. But without the Irish influence, Europe would not have been Christian when Islam arrived at the gates - and would have been easy pickings for jihad.

19 posted on 06/18/2015 8:58:42 AM PDT by conservatism_IS_compassion ('Liberalism' is a conspiracy against the public by wire-service journalism.)

To: dayglored
> Are they the same? Not having a Samsung/Android myself...

Brain fart on my part. . . LOL! Thanks for catching that. Getting older is the pits. . . and I had another birthday last Saturday. Those damn things just keep coming every year like clockwork, adding more and more brain farts with each one!

20 posted on 06/18/2015 10:29:32 AM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

