Well, that headline should get your attention. The good news is the risk is relatively low. The bad news is that the patch process in the Android ecosystem is very broken. So what is a researcher to do? Announce the vulnerability at Blackhat London. And, unfortunately, there is nothing for a user to do other than wait for the carriers to get off their rear ends and release the patch that Samsung delivered to them months ago.
Short version of the problem: Samsung integrated a third-party product called SwiftKey into the keyboard driver on all Galaxy phones since the S3 and all Note phones since the Note 3. SwiftKey does predictive guesses on the words you are typing. Samsung made two very serious security mistakes in how they implemented it that make it susceptible to hacking. They released a fix to the carriers, but as of Blackhat London, using test phones bought last week, the vulnerability is still there.
And, you cannot disable it, uninstall it or mitigate it.
You don’t hear me say this very often, but this is one place where Apple has it right and Android has it totally wrong. Since Apple OWNS the software and the phones, they control the updates for software. They have not allowed the carriers to get in the way and mess things up. Good for Apple. In the Android world, the carriers had to get in the middle of things – because they could – and pee on the fire hydrant, so to speak. Since Android is at least partly open source, each carrier does this tweak and that tweak. What that means is that when a phone manufacturer or the Android community releases a patch, it can take months for that patch to reach your phone. This bug was disclosed in November 2014 and is still not fixed.
Samsung, as the 800 pound gorilla in the phone space next to Apple, could force carriers to push updates quickly, but they don’t want to risk annoying the carriers and have them push a competitor’s phone, so they sit back and let the carriers screw things up. Maybe this will get fixed, but I am not optimistic.
Here is the problem as best I understand it. The SwiftKey software that Samsung licenses is integrated into all the Galaxy and Note phones and cannot be disabled or uninstalled. It “phones home” occasionally to look for updates. The way Samsung chose to implement it is insecure. The updates are neither encrypted nor signed, so as long as an attacker can get in the middle of the data stream (say, on a public WiFi network), they can replace that code.
To make things worse, the keyboard runs as a highly privileged system process, so if you do compromise it, it pretty much has control of the universe. NowSecure announced the bug after being annoyed with the carriers’ glacial pace in fixing it. Worse yet, depending on how it is exploited, even a factory reset won’t remove the malicious code. Only running it over in the parking lot will.
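The two design mistakes just described (no signature, no encryption on the update channel) are easiest to see next to a client that does check. The Go program below is an added illustration for this post, not Samsung’s, SwiftKey’s or NowSecure’s code: it invents a tiny update format, has the vendor sign the version plus a digest of the payload with Ed25519, and then runs a “take whatever arrives” client and a verifying client against a payload that was altered in transit. The key seed, the pack bytes, the update structure and every function name are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for a language-pack update as a keyboard
// might fetch it from the network. The format is invented for this example.
type Update struct {
	Version   uint32 // monotonically increasing pack version
	Payload   []byte // the bytes that would be written to disk and loaded
	Signature []byte // Ed25519 signature over (Version || SHA-256(Payload)); empty on the insecure channel
}

// signedMessage binds the version to a digest of the payload, so an attacker can
// neither swap the payload nor reuse a valid signature on an older version.
func signedMessage(version uint32, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	msg := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, digest[:]...)
}

// DemoKeys derives a deterministic vendor key pair from a fixed, constructed seed.
// A real vendor would keep the private half offline and ship only the public key.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Sign is what the vendor's build system would do before publishing an update.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// InsecureApply models the flawed design the post describes: whatever arrives over
// the unauthenticated channel is installed as-is, signature or not.
func InsecureApply(u Update) []byte {
	return u.Payload
}

// SecureApply refuses anything not signed by the pinned vendor key and refuses to
// roll back to a version no newer than the one already installed.
func SecureApply(pub ed25519.PublicKey, installedVersion uint32, u Update) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update is unsigned or has a malformed signature")
	}
	if !ed25519.Verify(pub, signedMessage(u.Version, u.Payload), u.Signature) {
		return nil, errors.New("signature does not verify: payload or version was altered")
	}
	if u.Version <= installedVersion {
		return nil, fmt.Errorf("rollback refused: offered version %d, installed %d", u.Version, installedVersion)
	}
	return u.Payload, nil
}

// Tamper models an on-path party on an untrusted network replacing the payload
// while leaving the rest of the message untouched.
func Tamper(u Update, replacement []byte) Update {
	u.Payload = replacement
	return u
}

// Demo feeds the same tampered update to both clients and reports whether each
// installed it. Returns (insecureAccepted, secureAccepted).
func Demo() (bool, bool) {
	pub, priv := DemoKeys()
	genuine := Sign(priv, 2, []byte("en_US language pack v2 (constructed)"))
	hostile := Tamper(genuine, []byte("altered pack bytes (constructed)"))

	insecureAccepted := bytes.Equal(InsecureApply(hostile), hostile.Payload)
	_, err := SecureApply(pub, 1, hostile)
	secureAccepted := err == nil
	return insecureAccepted, secureAccepted
}

func main() {
	i, s := Demo()
	fmt.Printf("insecure client installed tampered pack: %v\n", i)
	fmt.Printf("verifying client installed tampered pack: %v\n", s)
}
```

Signature verification is the check that makes on-path replacement fail; the version comparison closes the separate hole of an attacker replaying a genuinely signed but old, vulnerable pack. Transport encryption is a third layer this example does not model, and none of the three helps once code is already running as a privileged system process, which is why the post’s point about the keyboard’s privilege level matters independently of how updates are fetched.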
I have been doing some reading on this and there are two claims people have been making that are wrong, and I would like to clear them up.
First, people say that they do not use the default keyboard so they are safe. This is wrong. The keyboard, even if it is not “active”, still checks for updates in this insecure manner. One user said that you can force stop the keyboard if you are using another one, and as long as the phone does not get rebooted you are safe – assuming you have not already been attacked. Not very practical.
Second, people say that they don’t use alternate languages (say Spanish or German), so they are safe. This is wrong also. The English language pack checks for updates too.
The biggest risk is from sketchy WiFi. This is yet another reason why you should avoid them.
However, if we look at attacks like the Duqu2 attack that I wrote about last week, it would be trivial for a nation state or other sophisticated attacker to get in the middle of your cellular communications as well, so even that is not perfect.
Another good news point – there is no way for a hacker – at least none that has been announced – to trigger this update check on demand, so they would have to be there when the phone is rebooted or at some other time when the keyboard is checking for updates.
SwiftKey has been careful to point out that the apps they distribute on the Apple and Google stores do not suffer from these weaknesses – this is a Samsung problem.
Maybe this will move the carriers a little bit towards fixing the broken update process.
Anyone got a flip phone?