A vulnerability has been found in the Swift keyboard software, preinstalled on more than 600 million Samsung devices, including the recently released Galaxy S6. The flaw can be exploited to allow a remote attacker to execute arbitrary code on the user's phone.
This flaw was uncovered by NowSecure mobile security researcher Ryan Welton, who explained that an attacker could use the bug to access sensors and resources like GPS, camera and microphone; secretly install malicious apps without the user knowing; tamper with how other apps work or how the phone works; eavesdrop on incoming/outgoing messages or voice calls; and attempt to access sensitive personal data like pictures and text messages.
To make matters worse, if the phone has the Swift keyboard software, it's impossible to uninstall or disable it, and the flaw can be exploited even if you don't use the app.
“It’s unfortunate but typical for OEMs and carriers to preinstall third-party applications to a device,” said Welton, in an analysis. “In some cases these applications are run from a privileged context. This is the case with the Swift keyboard on Samsung.”
This means that the keyboard was signed with Samsung’s private signing key and runs as the system user, one of the most privileged contexts on the device and only a notch short of root.
The ramifications can be considerable. “In my eyes the crux of the biscuit here is the state-sponsored attack,” said Craig Young, cybersecurity researcher with Tripwire, in an email. “Nations with an eye toward spying on and oppressing dissidents can have a field day with this vulnerability silently installing malware onto all the affected Samsung devices connecting through the cellular internet connection. Defense against this type of attacker and detection of the resulting attack is far more difficult for the average user and power users alike.”
The attack vector for this vulnerability requires an attacker capable of modifying upstream traffic. The vulnerability is triggered automatically (no human interaction) on reboot as well as randomly when the application decides to update. This can include geographically proximate attacks such as rogue Wi-Fi access points or cellular base stations, or attacks from local users on a network, including ARP poisoning. Fully remote attacks are also feasible via DNS hijacking, packet injection, a rogue router or ISP, and so on.
Welton said that Samsung was notified in December of 2014. Given the magnitude of the issue, NowSecure also notified CERT, who assigned CVE-2015-2865, and also informed the Google Android security team.
“While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network,” Welton said. “In addition, it is difficult to determine how many mobile device users remain vulnerable, given the devices' models and number of network operators globally.”
It isn’t easy for a Samsung mobile device user to tell whether the carrier has patched the problem with a software update, but Welton has published a patch status list. Users should also avoid insecure Wi-Fi networks and contact their carriers for patch information and timing.
“Until Samsung devices get patched, the most paranoid users will want to take advantage of censorship bypassing VPN services, like privateinternetaccess.com, that give users the control to prevent any plaintext communication directly from the Android,” Young said. “Of course all bets are off if the pop-out point from the VPN is on a network controlled or influenced by an adversary.”