Major security flaw may affect 600M Samsung smartphones
Flaw in pre-installed keyboard software could allow hackers to eavesdrop on users' calls and damage handsets, a security company discovers.
Laura Hautala, Former Senior Writer
Millions of Samsung Galaxy smartphone owners may be at risk of having their calls eavesdropped on, their data stolen and malware installed on their phones, and there isn't much they can do about it.
The flaw lies in the SwiftKey keyboard software preinstalled on 600 million of the South Korean electronics giant's smartphones, mobile security company NowSecure said Wednesday. Affected users cannot fix the vulnerability themselves because the keyboard is preinstalled and cannot be uninstalled.
Affected devices include the recently released Galaxy S6, as well as the S5, S4, and S4 Mini on all major carriers, NowSecure said.
Samsung said it will release a fix for the problem in the next few days through its Samsung Knox service, in the form of a security policy update that the phones can download.
"Samsung takes emerging security threats very seriously," Samsung said in a statement. "In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward."
NowSecure said Samsung was notified of the problem in December 2014.
"While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network," NowSecure said in its report. According to NowSecure's list of affected devices, every listed phone either has no patch available or has a patch whose status is unknown.
The phones can be attacked from several directions, according to NowSecure's technical analysis of the flaw. A less sophisticated attacker within range of the phone could exploit it over an unsecured Wi-Fi connection, while a more capable attacker could use a more involved approach to reach the phone from much farther away, NowSecure said.
Until it is patched, the flaw therefore appears to be both widespread and serious.
"To reduce your risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing," NowSecure said in its report.
However, some security professionals noted that an attack might have limited returns for hackers.
"It appears there needs to be a lot of things in place for this to work properly," Nathan Collier, senior malware intelligence analyst at Malwarebytes Labs, said in an email about NowSecure's description of how an intruder could break into a phone.
Noting that he didn't expect to see anyone carrying out such an attack, Collier said it wasn't the typical route taken by people trying to take over computers and devices.
"Malware authors are looking for big returns using the path of least resistance, and having to write code for several different phone models is quite tedious. Samsung is aware of the issue. Hopefully they will be providing a patch for their customers shortly."