Over 600 million Samsung mobile device users — including those of the recently-released Galaxy S6 — have been left exposed to a critical security risk caused by the SwiftKey hack. The exploit was recently demonstrated at the Black Hat security conference in London by Ryan Welton, a researcher with security firm NowSecure.
The security vulnerability arises from the SwiftKey keyboard that comes pre-installed on a number of Samsung devices. The keyboard, which cannot be disabled or uninstalled, allows hackers easy access to users’ devices.
The flaw allows a hacker to remotely:
1) Access sensors and resources like GPS, camera and microphone.
2) Secretly install malicious app(s) without the user knowing.
3) Tamper with how other apps work or how the phone works.
4) Eavesdrop on incoming/outgoing messages or voice calls.
5) Attempt to access sensitive personal data like pictures and text messages.
Ryan Welton, mobile security specialist at NowSecure, found that the pre-installed SwiftKey app can be tricked into downloading language pack updates over an unencrypted connection in plain text. Under the pretence of a language pack, malicious code can therefore be injected to take control of the smartphone. Once that code gives the attacker access, the phone’s data, messages, and everything else are exposed without leaving even a hint to the user, GSMArena reports.
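The following is an added example, not code from the article, NowSecure, Samsung or SwiftKey: a sketch of the integrity check an update client can run before installing a downloaded language pack, so that content altered in transit is rejected. The function names, the URLs and the manifest layout are hypothetical, and the manifest is assumed to reach the device over an authenticated channel (for instance, shipped inside signed firmware).

```python
import hashlib
import hmac
from urllib.parse import urlsplit

class UpdateRejected(Exception):
    """Raised when a downloaded language pack must not be installed."""

def verify_language_pack(url, payload, manifest):
    """Return True only if payload matches the trusted manifest entry for url.

    manifest maps url -> {"sha256": hex digest, "size": byte count} and is
    assumed to be authenticated separately from the download itself.
    """
    # Refuse plaintext transport outright: anyone on the network path can rewrite it.
    if urlsplit(url).scheme.lower() != "https":
        raise UpdateRejected("plaintext transport")
    entry = manifest.get(url)
    if entry is None:
        raise UpdateRejected("no trusted manifest entry")
    if len(payload) != entry["size"]:
        raise UpdateRejected("size mismatch")
    # The digest check still matters over HTTPS: it ties the bytes to the manifest.
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        raise UpdateRejected("digest mismatch")
    return True

def check(url, payload, manifest):
    """Wrap the verification and return a short verdict string."""
    try:
        verify_language_pack(url, payload, manifest)
        return "accepted"
    except UpdateRejected as exc:
        return "rejected: " + str(exc)

# Constructed sample data (not real update content or real hosts).
GOOD_PACK = b"constructed language pack v1: en_US dictionary bytes"
TAMPERED_PACK = b"constructed language pack v1: en_US dictionary bytez"
HTTPS_URL = "https://updates.example.invalid/langpacks/en_US.zip"
HTTP_URL = "http://updates.example.invalid/langpacks/en_US.zip"
MANIFEST = {HTTPS_URL: {"sha256": hashlib.sha256(GOOD_PACK).hexdigest(),
                        "size": len(GOOD_PACK)}}

if __name__ == "__main__":
    for url, pack in [(HTTPS_URL, GOOD_PACK), (HTTPS_URL, TAMPERED_PACK),
                      (HTTP_URL, GOOD_PACK)]:
        print(url, "->", check(url, pack, MANIFEST))
```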
Hackers can exploit the vulnerability even when the SwiftKey keyboard is not used as the default keyboard. NowSecure says it informed the Korean tech giant about the vulnerability in November 2014. Samsung reportedly gave a patch to mobile operators across the world; however, it is unclear whether carriers have passed the fix on to all users. Samsung also reportedly asked NowSecure to wait for three months before going public with the vulnerability.
For now, only the pre-installed SwiftKey app is vulnerable, not the versions from the Google Play Store or the Apple App Store. There is no way to uninstall SwiftKey from Samsung’s Galaxy range of devices, since the app has been whitelisted and deemed to be native. Until a patch is released for the Samsung phones, it is advisable to use Google Keyboard or any other third-party keyboard in the meantime.
SwiftKey reached out to assure users, “We’ve seen reports of a security issue related to the Samsung keyboard. We can confirm that the SwiftKey Keyboard apps available via Google Play or the Apple App Store are not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”
The SwiftKey hack has affected the following devices: Galaxy S6, Galaxy S5, Galaxy S4 and Galaxy S4 Mini. However, NowSecure cautions that this is not an all-inclusive list of impacted devices, The Times of India reports.