Flaw puts 600 million Samsung Galaxy phones at risk

The unprotected, plain-text update mechanism for Samsung's customised version of the SwiftKey keyboard could allow hackers to remotely inject and execute code on devices, a security reseacher has found.

As many as 600 million Galaxy smartphones, including the new S6, could be vulnerable to a flaw that allows attackers to access the camera, microphone, calls and text messages and install malicious apps without users noticing or granting permission.

Compounding the issue is the lack of ability for users to disable or uninstall the default Samsung keyboard. Additionally, devices remain vulnerable even when the Samsung preloaded keyboard is not in use.

NowSecure researcher Ryan Welton demonstrated his exploit at the Blackhat security conference in London, with proof of concept code that showed a successful code injection attack.

His research revealed that Samsung's Input Method Editor (IME) keyboard downloads updates insecurely, allowing attackers who are able modify upstream traffic - in, for instance, cafés with unsecured wi-fi networks - to automatically trigger the vulnerability.

No user interaction is required, Welton said.

Attackers in a man-in-the-middle position can impersonate the authorised server the phones ping periodically to check for updates to IME and send a response including a malicious payload, which is injected into a language pack update.

The payload is able to bypass protections build into Android - which normally restrict the access granted to third-party apps - due to the highly elevated system user privileges Samsung phones grant to the updates. 

Welton revealed the Samsung mechanism to update the keyboard lives within a ZIP archive file that has no encryption.

There is no immediate evidence, however, that the third-party SwiftKey app is vulnerable, Welton said, as those updates are handled through Google Play.

He advised users with affected phones to avoid unsecured wi-fi networks, but said there was little else they could do.

Users were at danger from DNS hijacks, packet injection and similar attacks that are used to modify traffic, and which could be used to trigger the flaw.

The flaw affects Samsung Galaxy S phones, including the S4 Mini, S4, S5, and recently-released S6, but Welton emphasised the list was not all-inclusive.

Welton said he had reported the vulnerability to Samsung, Google and the US CERT team.

He said Samsung had provided a patch to mobile network operators earlier this year but it was unclear whether the patches have been distributed by telcos.