Skip to main content

New exploit turns Samsung Galaxy phones into remote bugging devices



As many as 600 million Samsung phones may be vulnerable to attacks that allow hackers to surreptitiously monitor the camera and microphone, read incoming and outgoing text messages, and install malicious apps, a security researcher said.

The vulnerability is in the update mechanism for a Samsung-customized version of SwiftKey, available on the Samsung Galaxy S6, S5, and several other Galaxy models. When downloading updates, the Samsung devices don't encrypt the executable file, making it possible for attackers in a position to modify upstream traffic—such as those on the same Wi-Fi network—to replace the legitimate file with a malicious payload. The exploit was demonstrated Tuesday at the Blackhat security conference in London by Ryan Welton, a researcher with security firm NowSecure. A video of his exploit is here.



Phones that come pre-installed with the Samsung IME keyboard, as the Samsung markets its customized version of SwiftKey, periodically query an authorized server to see if updates are available for the keyboard app or any language packs that accompany it. Attackers in a man-in-the-middle position can impersonate the server and send a response that includes a malicious payload that's injected into a language pack update. Because Samsung phones grant extraordinarily elevated privileges to the updates, the malicious payload is able to bypass protections built into Google's Android operating system that normally limit the access third-party apps have over the device.

Surprisingly, the Zip archive file sent during the keyboard update isn't protected by transport layer security encryption and is therefore susceptible to man-in-the-middle tampering. The people designing the system do require the contents of that file to match a manifest file that gets sent to the phone earlier, but that requirement provided no meaningful security. To work around that measure Welton sent the vulnerable phone a spoofed manifest file that included the SHA1 hash of the malicious payload. He provided more details about the exploit and underlying vulnerability here and here.

Welton said the vulnerability exists regardless of what keyboard a susceptible phone is configured to use. Even when the Samsung IME keyboard isn't in use, the exploit is still possible. The attack is also possible whether or not a legitimate keyboard update is available. While SwiftKey is available as a third-party app for all Android phones, there's no immediate indication they are vulnerable, since those updates are handled through the normal Google Play update mechanism.

For the time being, there's little people with vulnerable phones can do to prevent attacks other than to avoid unsecured Wi-Fi networks. Even then, those users would be susceptible to attacks that use DNS hijacking, packet injection, or similar techniques to impersonate the update server. There is also no way to uninstall the underlying app, even when Galaxy owners use a different keyboard. In practical terms, the exploit requires patience on the part of attackers, since they must wait for the update mechanism to trigger, either when the phone starts, or during periodic intervals.

Read More

Comments

Popular posts from this blog

ASUS VivoBook X202E Windows 8 Touchscreen Laptop Review And Giveaway

It wasn’t very long ago when prices of touchscreen Windows 8 laptops soared beyond $1000. Thankfully, those days are behind us, and portable computers can easily be purchased – touchscreen and all – for under $500. That’s precisely the demographic in which the ASUS VivoBook X202E falls. When compared to a high-end laptop, its specifications might seem modest, but for laptop buyers just looking for a way to browse the web, watch videos, use basic apps, and not spend too much money, something in this budget is perfectly suitable. The question is, of course, how does the ASUS VivoBook X202E compare to others on the market, and is it the one which you should be spending your hard-earned money on? Well, you’re just going to have to keep reading to find out. Best of all, we are giving away an ASUS VivoBook X202E to one lucky winner. Keep reading for your chance to take home this Windows 8 touchscreen laptop! Introducing the ASUS VivoBook X202E Laptop The ASUS VivoBook X202...

Samsung Galaxy Note 3 N9000 Review and Giveaway

When it comes to massive phones, nothing is more iconic than the Samsung Galaxy Note. It has gained popularity not only due to its size, but its additional features such as a stylus and a larger battery make it a more useful phone. Samsung released the third generation of the Galaxy Note in October, updating the phablet with a larger screen and improved hardware. Read through our review, then join the giveaway to win the  Samsung Galaxy Note 3 ! Competitors Of course, other Android competitors haven’t let the $640  Galaxy Note 3  be the only player in the phablet market. There are others such as the  Sony Xperia Z Ultra , the Samsung Galaxy Mega , and the other more common phones that are reaching 5″ screens such as the  Samsung Galaxy S4 , the  HTC One , and the  Nexus 5 . Unlike the normal-sized top contenders, the Galaxy Note 3 has a bigger screen and larger battery. It also offers specific features (surrounding the S Pen stylus) th...

Samsung Galaxy S5 Review and Giveaway

Few smartphones are as aggressively marketed as Samsung’s Galaxy S5. The S5 can no longer be considered brand-new — but it  is  Samsung’s flagship, at least for the next few months. With a gorgeous screen, a capable camera, a waterproof build, and a user-replaceable battery, the Galaxy S5 has a lot to offer… at least on paper. Let’s find out how good it really is. What Makes This Review Different There are about a million Galaxy S5 reviews out there. Why should you read this one? Two keys points make our review different: We bought our own device . Unlike many tech blogs, we don’t use a review unit Samsung gave us. We went out to the store and bought one, just like you would. This means everything you read here is truly impartial – we owe Samsung nothing. We used it for more than a month . Some sites rush to be the first to publish a review on a new device. That’s not how we do things. I used the Galaxy S5 as my main (and only) Android phone for nearly two months,...