A flaw discovered in several Samsung Galaxy smartphone models has left more than 600 million phones vulnerable to hacking, cybersecurity firm NowSecure says.
According to the NowSecure report, the entry point for hackers lies in the phones' pre-installed keyboard software. The flaw would allow attackers to eavesdrop on calls, tamper with apps, copy messages and photos, and gain access to the phone’s GPS, camera, and microphone – all without the user’s knowledge.
Mobile-security researcher Ryan Welton discovered the problem last November, according to the Wall Street Journal. Often, when security researchers find a security flaw in a system, they alert the company to give them a chance to fix it before bringing the vulnerability to public attention. NowSecure notified Samsung of the problem in November.
NowSecure CEO Andrew Hoog told the Journal that at the end of December that Samsung had requested a year to fix the flaw, which NowSecure thought was too long. If security researchers had found the bug, malicious hackers may have found it, or may eventually find it, too.
The two companies were in discussion until March, when Samsung released to wireless carriers a software update to fix the problem. At that time Samsung agreed to let NowSecure make the issue public after three months.
With the new update, NowSecure says the problem persists on the devices it has tested, a list of which can be found in the report, possibly due to delays by wireless carriers in pushing out the software patch, or reluctance by users to update the software on their smartphones.
Mr. Welton wrote in a blog post that while it is impossible to eliminate the keyboard app containing the problem, there are several things users can do to limit their risk.
“Unfortunately, the flawed keyboard app can’t be uninstalled or disabled,” he wrote. “Also, it isn’t easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update. To reduce your risk, avoid insecure Wi-Fi networks, use a different mobile device, and contact your carrier for patch information and timing.”
SwiftKey, the company that provided Samsung with the technology for the word prediction function on the keyboard app, released a statement saying the flaw has no effect on the company’s apps on Google Play and Apple App Store.
SwiftKey also said hacking a phone through the keyboard flaw would be a challenge, requiring the attacker to have the right tools at the right time.
“The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”
Mr. Hoog told the Wall Street Journal that while NowSecure, as of this week, has not found a successfully patched phone, to his knowledge no phones have fallen victim to hackers through the flaw yet.