Posted on 06/17/2015 9:32:15 PM PDT by Swordmaker
If you're rocking a Samsung smartphone, you could be vulnerable to hackers, thanks to a preinstalled keyboard on your device.
The vulnerability was discovered by Ryan Welton from mobile security specialists NowSecure. The issue is with the preinstalled Swift keyboard, which looks for language pack updates over an unencrypted line. Welton found that a hacker could create a spoof proxy server and send a fake update to the device with malicious code. The hacker could then exploit the device by eavesdropping on incoming and outgoing messages or voice calls, accessing personal data such as pictures or text messages, tampering with apps, and even installing other malicious apps.
Welton first discovered the flaw last year and subsequently notified Samsung in December 2014. Samsung immediately worked on a patch and sent updates to various carriers for devices running Android 4.2 or higher in March 2015. However, it’s unknown whether these patches have made their way to devices. Carriers are notorious for taking their time with updates due to their so-called rigorous testing for bugs.
Unfortunately, there is no other fix because users can’t simply uninstall the Swift app — one of the not so joyous benefits of carrier bloatware. Users are still vulnerable even when Swift isn’t set as the default keyboard.
What’s even scarier about this vulnerability is it even affects the Galaxy S6, which was released in April. Welton detailed this security flaw earlier today at the Blackhat Security Summit in London. He stated that he was able to hack into a Galaxy S6 running on Verizon Wireless. “We can confirm that we have found the flaw still unpatched on the Galaxy S6 for the Verizon and Sprint networks, in off-the-shelf tests we did over the past couple of days,” a NowSecure spokesperson confirmed.
According to the NowSecure website, it’s likely that the Galaxy S4 Mini, Galaxy S4, Galaxy S5, and Galaxy S6 are all affected, but it’s unclear which carrier-specific models received updates. The site only mentions U.S. carriers, so we aren’t sure if owners of international variants need to be worried.
Now before everyone with a Samsung phone goes into a panic attack, we need to point out that chances are rare that your device will be attacked through this vulnerability. A hacker can only use this method via a public Wi-Fi network, like those found at a coffee shop, hotel, or other public spaces. More importantly, a hacker has to have knowledge of this exploit and has to be on the same network as you. Chances are very slim that a hacker who knows about this security flaw will be at your local Starbucks at the same exact time as you.
Nevertheless, a security flaw should never be taken lightly, so NowSecure recommends staying away from public Wi-Fi networks if you have one of these Samsung devices. That might be easier said than done, though, especially for those who are on capped data plans and don’t want to use their carrier’s mobile network all day. The other thing you can do is contact your carrier and demand that your phone gets updated with the patch if it hasn’t already.
476 - Rein of the last Roman Emperor ends.
Unless you intended that to be a pun. . . it should be:
476 - Reign of the last Roman Emperor ends
I am not sure that rooting and removing bloatware would also remove a keyboard installed by the manufacturer. However, that is a good idea for the few who do it. However, your solution is one that only about 3% of the Samsung buyers ever do, leaving 97% of the buyers vulnerable to this exploit.
My Samsung Galaxy S4 phone has the Samsung keyboard installed, not the “Swift”.
Darn homophones!
Rooting opens you up to other vulnerabilities now that you have all out super user access. You’re at times more in danger from bogus apps on the Android store.
Swell! I just bought 2 S5s.
You better watch it, someone may claim you're a homophobe!
Look around, it doesn't apparently even need to be activated to do this. Samsung installed Swift as part of the factory install.
That includes me who just acquired my first smart phone a little over a week ago.......
Two days ago I headed off to a nearby ATT Store to complain that my Galaxy S6 was unable to answer phone calls when I pressed the green phone button.
Fortunately I made a stop at my local gas station and mentioned my problem to one of the sons. So I gave him my phone number and had him call me, sure enough, pressing the green phone button did nothing. He laughed and said don't press the button "swipe" it...........that worked.....LOL!
I don't know, I guess I'm just an old guy stuck in old technology...........
I looked again, Swift isn’t installed.
Is that the kind of headset you're supposed to wear while watching gay pr0n?
Glad to hear it.
Me too, buddy!