Is your Samsung Galaxy vulnerable to hackers?

Over 600 million Samsung Galaxy phones have a flaw in the keyboard software that may allow hackers to take almost full control of the phone, says a cybersecurity firm.

Eric Risberg/AP/File
In this April 10, 2015 file photo, a salesperson demonstrates the new Samsung Galaxy S6 Edge smartphone. Cybersecurity firm NowSecure revealed a flaw in the Samsung Galaxy keyboard that leaves the phone open to hackers.

A flaw discovered in several Samsung Galaxy smartphone models has left more than 600 million phones vulnerable to hacking, cybersecurity firm NowSecure says.

According to the NowSecure report, the entry point for hackers lies in the phones' pre-installed keyboard software. The flaw would allow attackers to eavesdrop on calls, tamper with apps, copy messages and photos, and gain access to the phone’s GPS, camera, and microphone – all without the user’s knowledge.

Mobile-security researcher Ryan Welton discovered the problem last November, according to the Wall Street Journal. Often, when security researchers find a security flaw in a system, they alert the company to give them a chance to fix it before bringing the vulnerability to public attention. NowSecure notified Samsung of the problem in November.

NowSecure CEO Andrew Hoog told the Journal that at the end of December Samsung had requested a year to fix the flaw, which NowSecure thought was too long. If security researchers had found the bug, malicious hackers may have found it, or may eventually find it, too.

The two companies were in discussion until March, when Samsung released to wireless carriers a software update to fix the problem. At that time Samsung agreed to let NowSecure make the issue public after three months.

Despite the new update, NowSecure says the problem persists on the devices it has tested (a list of which can be found in the report), possibly due to delays by wireless carriers in pushing out the software patch or reluctance by users to update the software on their smartphones.

Mr. Welton wrote in a blog post that while it is impossible to eliminate the keyboard app containing the problem, there are several things users can do to limit their risk.

“Unfortunately, the flawed keyboard app can’t be uninstalled or disabled,” he wrote. “Also, it isn’t easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update. To reduce your risk, avoid insecure Wi-Fi networks, use a different mobile device, and contact your carrier for patch information and timing.”

SwiftKey, the company that provided Samsung with the technology for the word prediction function on the keyboard app, released a statement saying the flaw has no effect on the company’s apps on Google Play and Apple App Store.

SwiftKey also said hacking a phone through the keyboard flaw would be a challenge, requiring the attacker to have the right tools at the right time.

“The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”

Mr. Hoog told the Wall Street Journal that while NowSecure, as of this week, has not found a successfully patched phone, to his knowledge no phones have fallen victim to hackers through the flaw yet.
