On Tuesday, researchers revealed a potentially massive vulnerability in an update mechanism for a Samsung-customized version of SwiftKey. The bug, which could affect Samsung Galaxy S6 and S5 models, would allow adversaries to hijack the phones' cameras and microphones, as well as read SMS communications and install malware. Ars Technica reported such a vulnerability could compromise as many as 600 million phones across the world.
A demonstration of the exploit, presented by researchers at the Blackhat security conference in London, is available here:
On Friday, Samsung reached out to Privacy Tech to share some updates on the bug.
First off, the company admitted the risk pointed out by the researchers does exist, but the "likelihood of making a successful attack, exploiting this vulnerability is low." Additionally, Samsung states, "There have been no reported customer cases of Galaxy devices being compromised through these keyboard updates."
Samsung points out that a "specific set of conditions" would have to converge for a successful hack to occur, including "the user and hacker physically being on the same unprotected network while downloading a language update." Plus, the company states, KNOX-protected devices (Samsung notes all flagship models contain this security protection from the S4 models onward) contain additional capabilities including "real-time kernel protection to prevent a malicious attack from being effective."
KNOX-protected devices have the ability to update security policies on Samsung devices "over-the-air, to invalidate" vulnerabilities. However, devices without the KNOX technology may still be left in the lurch, at least temporarily. Samsung said it is currently working on an "expedited firmware update."
With that in mind, Samsung, in a press release, said it will be rolling out new updates to patch the vulnerability "in the coming days" and will continue to work with SwiftKey and other "related parties" to mitigate potential risks.
Samsung also notes the updates will be pushed out, but users must consent prior to any updates.
In past posts, I've noted that it's important for companies to pay attention to hacker culture to ensure any exploits in their products or services are adroitly addressed. To their credit, it appears that Samsung has done just that here.
Security researchers are doing immensely important work, directly or indirectly helping companies recognize and fix security vulnerabilities. The New York Times recently reported on the work of HackerOne. The startup aims to connect hackers with companies so they can get paid for their work. Often, hackers can make more money by selling exploits to the bad guys, and they are frequently ignored when they go to the good guys. HackerOne wants to make it more worth their while to work for the good guys and get paid.
"Every technology has vulnerabilities," Facebook security guru Alex Rice told the Times, "and if you don't have a public process for responsible hackers to report them, you are only going to find out about them through attacks in the black market ... That is just unacceptable."
Hopefully, Samsung is right, and no one took advantage of the exploit in the wild.