Samsung announces fix for major Galaxy keyboard security flaw

There is good news today for many of the 600 million Samsung Galaxy users who have been put at risk by a security flaw in the pre-installed SwiftKey keyboard. Samsung is preparing a fix which will be rolled out as a security update. The problem was that Samsung Galaxy S phones, including the S4 Mini, S4, S5, and S6, failed to properly validate language pack updates for the special pre-installed version of the SwiftKey keyboard. The threat, according to researchers at NowSecure who discovered the vulnerability, was that the updates were performed by downloading a ZIP archive via an unencrypted HTTP connection. That could provide an opportunity for an attacker to intercept the download, and send malicious code in its place, disguised as the archive. If successfully exploited, hackers could then run malware with system privileges on your Samsung Galaxy - remotely spying through its camera or microphone, tracking your physical location via GPS, installing further malicious apps without you knowing, steal information and even eavesdropping on your messages and voice calls. And the worst news of all is that the pre-installed predictive keyboard cannot be disabled or uninstalled, and even if you don't use it as your default keyboard you could still be at risk. A pretty unpleasant situation, I'm sure you'll agree, even if the threat was only likely to be exploited if a hacker was using the same unsecured WiFi network as you. NowSecure informed Samsung of the issue in late 2014, but the threat did not become well known until this week when it went public with its findings. SwiftKey, for its part, reassured users that standalone versions of its keyboard downloadable from the Google Play and iOS App Stores were not affected - the problem was only with the bespoke version produced by Samsung. In response to heavy media reporting, Samsung has now issued a statement, confirming that it will be issuing a fix for the issue "in the coming days":

This vulnerability, as noted by the researchers, requires a very specific set of conditions for a hacker to be able to exploit a device this way. This includes the user and the hacker physically being on the same unprotected network while downloading a language update. Also, on a KNOX-protected device there are additional capabilities in place such as real-time kernel protection to prevent a malicious attack from being effective. So the likelihood of making a successful attack, exploiting this vulnerability is low. There have been no reported customer cases of Galaxy devices being compromised through these keyboard updates. But as the reports indicate, the risk does exist and Samsung will roll out a security policy update in the coming days.

To receive the security update, you need to be running the KNOX security platform, which has been installed on all flagship Samsung phones since the Galaxy S4. To ensure that you receive the security update, go to Settings > Lock Screen and Security > Other Security Settings > Security policy updates, and check that the Automatic Updates option is activated. You can also manually check for updates on the same screen. Of course, this raises the question of what you should do if your Samsung Android phone has the SwiftKey keyboard pre-installed but doesn't have the additional security provided through KNOX. Samsung says that for those users it is "working on an expedited firmware update that will be available upon completion of all testing and approvals." Unfortunately, whether you receive that firmware update will rather depend on your carrier's willingness to push it out - a perennial problem for many Android users. Samsung hardly has an unblemished record when it comes to security issues with its devices. Backdoors have been found on its Android devices, its fingerprint login system has been bypassed, its online store has been found vulnerable to a bug that could allow hackers to hijack accounts, and its smart TVs have been accused of capturing private conversations and passing them to third parties. Whether their response to this latest security scare has been timely enough is up for debate, but now that a fix is in the works, Samsung customers would be wise to ensure that they have properly configured their Android devices to receive this and future security updates.