Thursday, June 18, 2015

Millions of Samsung phones have a vulnerable keyboard – digi.no

Most newer Samsung smartphones come with a separate virtual keyboard, Samsung IME, which is based on technology from SwiftKey. It has now become known that the keyboard app's language-update feature can be exploited by attackers, including to plant malware on the device.

It was the security company NowSecure that reportedly discovered the vulnerability. According to its report, the vulnerability is primarily due to two factors.


Unencrypted

One is that update files for the Samsung IME keyboard are sent unencrypted (plain HTTP) over the internet. Cleartext delivery gives neither confidentiality nor integrity, so this allows man-in-the-middle attacks if the device is connected to the internet via, for example, a Wi-Fi hotspot controlled by an attacker, who can then substitute the file in transit.

The second factor, which may be of great importance, is that the keyboard application is signed by Samsung and runs with very high privileges on the device: not root, but the level just below it, the system user.

According to NowSecure, system-user access makes it possible to write to many locations in the file system.


Complicated

If the keyboard app downloads a language file from a malicious source, attackers can, using a relatively complicated recipe, plant malicious code from the language file, which is actually a zip archive, in places where the code will be executed automatically. Sample code for this can be found here.

The Samsung IME app automatically checks for updated language files at regular intervals, including right after the device starts. In addition, users can themselves ask the app to add support for additional languages.

Exploiting the weakness therefore depends on the keyboard app actually starting to download one or more such language files while the device is using an internet connection over which the attacker has some control.

The Samsung keyboard cannot be uninstalled without rooting the device, and the app will most likely download language updates even if it is not set as the default keyboard app in the system.
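The two factors described above, an update fetched over cleartext HTTP and a language file that is a zip archive unpacked by a process running as the system user, combine into a familiar pattern. The following is an added example, not code from the page, from NowSecure or from Samsung: it shows the two checks a privileged updater should make before unpacking such a download. It assumes that the archive can be verified against a digest obtained through an authenticated channel (a pinned value here; a signature check would serve the same purpose), and that the "recipe" relies on archive entries whose names resolve outside the target directory. The page does not say how NowSecure's sample code places the files, so the `../` entry, the file names and the contents below are constructed for illustration.

```python
import hashlib
import hmac
import io
import os
import tempfile
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_escapes(name: str, dest: str) -> bool:
    """True if an archive entry name would land outside dest once resolved.

    Catches absolute names and names with '..' components. The name is
    taken verbatim from the archive, exactly as an unpacker would see it.
    """
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.isabs(name) or os.path.commonpath([dest_real, target]) != dest_real


def verify_and_extract(archive: bytes, expected_sha256: str, dest: str) -> list:
    """Unpack a downloaded language archive only if it is authentic and tame.

    1. Refuse the archive if its digest does not match the pinned value
       (a file substituted by a man-in-the-middle fails here).
    2. Refuse the whole archive if any entry would escape dest, checked
       before a single byte is written.
    Returns the entry names that were extracted.
    """
    if not hmac.compare_digest(sha256_hex(archive), expected_sha256):
        raise ValueError("archive digest mismatch; refusing to unpack")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
        bad = [n for n in names if entry_escapes(n, dest)]
        if bad:
            raise ValueError(f"archive entries escape destination: {bad}")
        zf.extractall(dest)
    return names


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip; used only to construct the sample archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Run three cases on constructed sample archives and report what happened."""
    benign = make_zip({"languages/en_US.dict": b"hello\nworld\n"})
    pinned = sha256_hex(benign)  # the value the vendor would publish out of band
    hostile = make_zip({
        "languages/en_US.dict": b"x",
        "../../planted.sh": b"#!/system/bin/sh\necho owned\n",  # constructed traversal entry
    })
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dict")
        os.makedirs(dest)
        out["benign"] = verify_and_extract(benign, pinned, dest)
        try:  # attacker on the path swaps in a different file: the digest check fails
            verify_and_extract(hostile, pinned, dest)
            out["swapped"] = "accepted"
        except ValueError as e:
            out["swapped"] = str(e)
        try:  # digest check absent or defeated: the traversal check still refuses the archive
            verify_and_extract(hostile, sha256_hex(hostile), dest)
            out["traversal"] = "accepted"
        except ValueError as e:
            out["traversal"] = str(e)
        out["files_in_dest"] = sorted(
            os.path.relpath(os.path.join(root, f), dest)
            for root, _, files in os.walk(dest) for f in files
        )
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Python's own `zipfile` strips leading slashes and `..` components when it extracts, so the explicit check is there for readers porting the logic to unpackers that do not (java.util.zip, for instance, returns entry names verbatim). Entries that are symlinks, and the fact that the destination itself is writable by a privileged user, are separate concerns the example does not cover.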


Long time

According to the Wall Street Journal, NowSecure had already detected the vulnerability last autumn. The newspaper quotes the company's CEO, Andrew Hoog, as saying that Samsung was informed of it in November last year. On December 31, Samsung reportedly asked for a year to fix the problem.

After much back and forth, Samsung stated in March that the company had created a security fix that had been sent to the mobile operators. At the same time, Samsung and NowSecure agreed on a deadline of three months before NowSecure would announce details of the vulnerability.

Last week, NowSecure employees bought brand-new Galaxy S6 phones from the US operators Verizon and Sprint.

Both were still vulnerable. A list of other vulnerable Samsung devices can be found here.


SwiftKey

SwiftKey, which created the underlying technology in Samsung's keyboard app, stated in a blog post yesterday that the vulnerability has nothing to do with the apps the company itself offers through Google Play and Apple's App Store.

In the blog post, which for unknown reasons has since been deleted (but which can be read here), SwiftKey also reproduces a statement from a Samsung spokesperson.

– Samsung takes emerging security threats very seriously. We are aware of this recent issue, which has been reported by several media outlets, and will offer the latest in mobile security, the statement said.

– Samsung Knox has the ability to update the security policies on the phones over the air to neutralize potential vulnerabilities caused by this issue. The rollout of the security policy updates will begin in a few days.

It is also stated that Samsung will cooperate with SwiftKey on security in the future.
