600 Million Samsung Galaxy Phones Exposed to Hackers

(CNNMoney)-Every Samsung Galaxy devices from the S3 to the latest S6 — has a significant flaw that lets in hackers, researchers have discovered.

The vulnerability lives in the phones’ keyboard software, which can’t be deleted. The flaw potentially allows hackers to spy on anyone using a Samsung Galaxy phone. Vulnerability lives in the phones’ keyboard software, which can’t be deleted.

You can be exposed by using public or insecure Wi-Fi. But some researchers think users are exposed even on cell phone networks.

Researchers at NowSecure, a cybersecurity firm, says they told Samsung about the vulnerability in November. Seven months later, nothing has been fixed. That’s why NowSecure made its findings public on Tuesday.

How serious is this problem? NowSecure CEO Andrew Hoog said that, on a well-established system that ranks cybersecurity problems from 1 to 10, this vulnerability stood at 8.3.

NowSecure said it tested several Samsung Galaxy phone models on many different cell phone carriers. All were vulnerable. Assuming every Samsung Galaxy phone out there is the same, NowSecure estimates 600 million devices are affected.

The problem involves the word prediction software used by Samsung devices. It’s made by British tech firm SwiftKey, which Samsung installs in devices at the factory.

Also Read:   You Can Dictate WhatsApp, Viber Messages via Google Now

Last year, NowSecure researchers discovered that the SwiftKey keyboard can be tricked to accept a malicious file when the software updates. Because of the way the keyboard is installed, that virus can access some of the deepest, core parts of the phone’s computer system.

With that level of access, a hacker can then do pretty much anything to your phone.

This hack isn’t easy. But it’s a tactic for cyber attackers on a mission with lots of money and access WiFi or cell networks. One possible target? Company executives traveling to countries, such as China, where the government routinely spies on visitors to steal their business plans.

It also exposes high-level U.S. government officials. Samsung just earned the NSA’s blessing for its Samsung Galaxy phone devices, which were approved for use by government employees. And the latest hack of federal employees — allegedly by the Chinese government — shows they are valuable targets.

Neither Samsung nor SwiftKey have claimed responsibility for inserting the flawed computer code. In a public statement, SwiftKey said it only found out about the flaw on Tuesday. SwiftKey said “the way this technology was integrated on Samsung devices introduced the security vulnerability.”

Also Read:   Samsung Now Claims a 40 Percent Share of Indian Smartphone Market, Nigeria Next

To calm down worried users, the British firm argued that this hack isn’t easy to pull off. It involves particular timing. A hacker can only sneak into a device when the keyboard software is applying a software update.

In a statement to reporters, Samsung said it “takes emerging security threats very seriously… and [is] committed to providing the latest in mobile security.”

The company also said it’s about to patch the issue through its Samsung KNOX service. “Updates will begin rolling out in a few days,” the company said, although it’s unclear whether all devices will receive the fix.

Part of the incredibly long delay to fix this problem is due to the way phone manufacturers work with cell phone carriers like AT&T, Sprint, T-Mobile and Verizon. Samsung could race to create a fix, but people must wait until carriers get around to distributing them.

This fractured system causes frequent complaints from users, who must patiently wait for all new software: everything from new features to patches for dangerous computer bugs.

NowSecure said it notified Samsung in November and as evidence of how slow this system is on December 31, Samsung asked for a year to fix it.

In its defense, Samsung said cybersecurity researchers at NowSecure didn’t fully explain the problem in November.

Also Read:   Rihanna inks $25M Sponsorship Deal With Samsung

“We learned about the full extent this past week,” Samsung told CNNMoney.

NowSecure advised Samsung Galaxy phone users to avoid insecure Wi-Fi, ditch their phones, and call their cell phone carriers to pressure them into a quick fix.

Hoog said they made the vulnerability public because the pressure was just too great. The cybersecurity firm had advised companies for half a year, unable to tell them that their employees and managers were are serious risk of being spied on by hackers.

“We needed to inform them about the risk,” he told CNNMoney. “It would be naive to think other entities (such as governments and cybermafias) would not be capable of finding this and executing it.”

 

This article was previously reported on Wmur

Leave a Reply