Samsung Cellphone Keyboard Software Vulnerable To Attack
Adesso writes: A serious security problem in the default Samsung keyboard installed on many of the company's cellphones has been lurking since December 2014 (CVE-2015-2865). When the phone tries to update the keyboard, it fails to encrypt the executable file. This means attackers on the same network can replace the update file with a malicious one of their own. Affected devices include the Galaxy S6, S5, S4, and S4 mini — roughly 600 million of which are in use. There's no known fix at the moment, aside from avoiding insecure Wi-Fi networks or switching phones. The researcher who presented these findings at the Blackhat security conference says Samsung has provided a patch to carriers, but he can't find out if any of them have applied the patch. The bug is currently still active on the devices he tested.
That's stupid (Score:5, Insightful)
So if your carrier doesn't want to patch your phone to force you to buy yet another phone/switch to a costlier monthly package... well, you're screwed.
I prefer the Apple method: they make the phones, they make the OS and the basic software, they push the updates directly to you. Leaving the carriers in charge of anything but the actual communications is just insane.
Re: (Score:2)
Yeah, no kidding. WTF are we trusting carriers for?
They don't care about your security, they want to sell you phones which have their custom shit in it to maximize their profits.
Trusting carriers to spend the time and effort applying updates is utterly insane, because they're lazy and greedy -- which means you likely won't get the update at all.
But since they have nothing to lose and no liability for failing to push the updates, what do you think will change? The carriers simply don't give a damn.
Android
Re: (Score:2)
The carriers' excuse is that the devices use 'their network' thus they need control over the software to prevent abuse and damage to 'their network'. Sure we all know it's total bullshit but can't do anything about it.
I like as little government regulation as possible but understand it's needed in some areas. This is one of them. I would love to see some regulation forcing phone manufacturers and carriers to push out security fixes within 30 days at the extreme from the time a
Re: (Score:2)
The carriers' excuse is that the devices use 'their network' thus they need control over the software to prevent abuse and damage to 'their network'. Sure we all know it's total bullshit but can't do anything about it.
Everyone knows it's total bullshit too, as Internet service providers don't have any control over what computers and devices are hooked up on your home connection, nor should they.
Re: (Score:2)
Windows driver updates are provided by HP, Dell, Asus, or whoever built the machine.
You can get driver updates through Windows update where the manufacturer provides them to Microsoft who runs them through their WHQL certification process and can then deliver them to the user. Or directly from the manufacturer themselves.
On Android most drivers are proprietary and the lack of a stable ABI and driver model in Android means that you need a specific driver for your hardware for the particular version of Android that you are running - this is somewhat true of Windows too but the ABI and driver
Re:That's stupid (Score:4, Interesting)
Re: (Score:2)
HTC actually has come up with a good way to handle this. They've moved many of their "factory" apps into the Play Store, so they can push updates that way independent of the carriers. I've even received lock screen and Sense (their "home screen" for those unfamiliar with it) updates through this method. The only thing they can't push is updates to Android itself this way.
This is what Google did with its applications ages ago and recommends manufacturers do.
Google has solved the problem of carriers controlling updates to a large degree by uncoupling applications from the OS, I can't speak for HTC users as I've been on the Nexus phones for a few years now but for us, it's been a fantastic success (in fact Gmail updated itself last night). Like you said, the only thing they can't update this way is Android itself, but there are other ways around that (for Nexus phones, the im
Re: (Score:2)
So .. you prefer to pay too much for a phone with few choices simply because you don't have the ability to keep off of unsecured or untrusted WiFi networks?
Just a sec' there...
Most of the schmucks out there are paying through the nose for a contract with monthly data caps, so hell yes they'll latch onto WiFi every chance they get, and aren't going to know jack about trusted vs. untrusted networks... all they know is that they can turn on Wifi and get their updates/video/whatever without burning through their 4G allotment for the month.
Personally, I leave WiFi strictly off on my phone, but I use Net10, so I don't have to worry about overage charges. But, that's
Re: (Score:1)
I used to use a small regional carrier. They have been buying up other small regional carriers and are not so small any more. My service quality has lessened since this has started happening. They seem to have slowed down now. I am now able to go most places without incurring the wrath of National Roaming Fees but nation-wide service is now included in my plan...
Re: (Score:1)
Where are you getting that from? He just says he prefers that his OS updates are independent of his carrier. Surely every sane person feels the same way?
Re: (Score:2)
I never allow my phone to connect to any WiFi network I don't trust, that's just stupid. And it never downloads updates unless it's on WiFi. So that pretty much leaves only updating my phone at work or at home.
I recall my old HTC Thunderbolt would only download updates over the Verizon network. You had no choice. I'm not sure about today because I've rooted my phones 15 minutes after opening the box.
HTC Aria on AT&T also (Score:2)
Apparently there was a period of a couple of weeks when I could have gotten the upgrade from 2.1 to 2.2, but the carrier didn't actually push it, just made it available if you noticed and asked it to download, and soon after that, when Google Play came out, my Locked-To-Android-Market phone could no longer do any updates. I couldn't find a smartphone that small to replace it (sorry, but smallness is a feature for something you carry in your pocket), and eventually replaced the phone when apps I wanted were
Re: (Score:2)
I never allow my phone to connect to any WiFi network I don't trust, that's just stupid. And it never downloads updates unless it's on WiFi. So that pretty much leaves only updating my phone at work or at home.
Even though users must be cautious on security, not EVERYONE has that understanding! You could do it yourself, great and good for you. How about other laymen? How about you bought and gave an Android phone to your kids? Do you think they won't try to connect to any WiFi whenever they can in order to play/update apps/games?
Using yourself as standard usually doesn't work. It is simply your expectation that others know and will do the right thing. Good luck to you to be able to succeed this, but sadly not ev
Re: (Score:2)
How secure is your workplace WiFi? Could an ex-employee sit in a car next to your building and cause havoc?
Re: (Score:1)
There are other vendors that sell Android phones and so far it is only the Samsung brand that has the issue and not the Linux kernel, so basically it is a Samsung problem.
Re: (Score:2)
Actually, I'm pretty sure Apple does control this.
First, they don't allow carriers to customize iOS for their own purposes. Second, the updates for iOS come from Apple themselves.
Which means carriers can't put shit on the Apple devices, and they can't fail to push out security updates. Because they're not part of the process
Re: (Score:2)
Actually, I believe that Apple's updates are pushed independently of the carrier - my wife's iPhone gets iOS updates just fine, even though we use Net10 (which doesn't distribute core Android updates for shit, since most of their customers do the 'bring-your-own-phone' thing or use one of the really oddball uber-cheap phones that Net10 sells.)
IOW, I believe that Apple pushes all of their updates the same way that Google's Play Store does.
Workaround (Score:2)
I am on the Alliance rom that bundles SuperSU, so I can fix this (unlike most unfortunate Samsung users).
I used the "NoBloat" application from the Google Play store to disable the Samsung keyboard (after clearing the cache with the app manager).
After doing so, I see the file /system/app/SamsumgIME.apk_ (note the underscore). I may try to copy the AOSP keyboard over from CM11 so there is a working keyboard in /system.
I would like to congratulate Google and Samsung for their stunning incompetence in Android s
like the whole world does (Score:2)
you mean, it should work the way it has been working everywhere in the world (except the US) since cell phones have been invented?
Re: (Score:2)
How is this "Apple method" different from just buying your phone instead of renting it from carrier on subsidized price?
It's your, the customer's, choice, nobody forces you to do that.
Re: (Score:2)
It worked for me. I no longer have the Samsung keyboard installed on my Samsung Note 2. In fact I'm running AOSP 5.1.1 rather than being stuck on 4.1 (or 4.2) like all other Note 2 users are.
Re: (Score:2)
It worked for me. I no longer have the Samsung keyboard installed on my Samsung Note 2. In fact I'm running AOSP 5.1.1 rather than being stuck on 4.1 (or 4.2) like all other Note 2 users are.
You might have missed his point, that the only way to root a Samsung Android phone is to exploit (and leave open) a giant security vulnerability.
Re: (Score:2, Informative)
My VZW Galaxy S4 came with Swype and not Swiftkey. When you go to the listed page it looks to be an issue with Swiftkey and not Swype.
3rd party builds (Score:1)
Ouch. Presumably, if you're running an AOSP build this won't affect you.
You are not captain of this ship (Score:2)
Different keyboard software (Score:2)
Re: (Score:3)
As long as you freeze the included keyboard as well, yes. The ordinary google keyboard is pretty great these days. I also use anysoftkeyboard, specifically for its ssh layout which has control and tab.
Re: (Score:2)
As long as you freeze the included keyboard as well, yes.
Which you can't do, at least not on my Samsung tablet. You can not uncheck the "Samsung keyboard" under Language and input in settings nor can you turn off (or disable/freeze) the Samsung keyboard app. Both options are grayed out.
You would have to root your phone to get around this at which point you will no longer get OTA update and patches.
Re: (Score:3)
Not sure if you're talking about the freezing of the keyboard app or OTA updates so here are 2 replies:
Keyboard part
You can root your phone then freeze the Samsung keyboard app using Titanium Backup.
Also it is true as I'm looking at an un-rooted Samsung tablet and you CAN NOT disable/freeze the Samsung keyboard. I also just walked to my co-worker's desk who has the Galaxy S6 (un-rooted) and it's exactly the same. You CAN NOT disable the Samsung keyboard on un-rooted devices.
OTA updates to rooted devices
There are at least two known fixes (Score:1)
There's no known fix at the moment, aside from avoiding insecure Wi-Fi networks or switching phones.
In other words, there are at least two known fixes.
"Dear Samsung, I am returning my phone and buying another brand because...."
Why is Samsung making a keyboard? (Score:3)
Why is Samsung making a keyboard in the first place?
Re: (Score:2)
Branding, marketing, differentiation, integration with the rest of their crap, and probably analytics.
The usual crap.
Re: (Score:2)
They should be able to do all that while making their keyboard available in the Play Store, and therefore easily updatable.
Re: (Score:2)
You do realize Samsung has their own store, and isn't interested in your access to Google's, right?
A Nexus device is Android as Google envisions it. Anything else has been designed to steer you towards making money for someone else.
So, Samsung makes a device, customizes the heck out of Android for their own purposes. And then the greedy telcos add their shit.
And the consumer gets left with a device which may or may not receive updates as both Samsung and the carrier have moved onto new things, and don
Re: (Score:2)
You do realize Samsung has their own store, and isn't interested in your access to Google's, right?
You do realize that many of the pre-installed bloatware Samsung made apps are updated via the google play store right? Let me list just a few..
These are pre-install bloatware that can be disabled but not uninstalled. They also show up while searching the app store.
Samsung Link [google.com]
Samsung Push Service [google.com]
Samsung Print Service Plugin [google.com]
These are pre-install bloatware that can NOT be disabled or uninstalled. They are also hidden on the app store to prevent non-samsung owners from installing them. They DO update via the n
Re: Why is Samsung making a keyboard? (Score:1)
Re:Why is Samsung making a keyboard? (Score:4, Interesting)
Because they can make a keyboard to fit the phones they design. For example, my ancient Note 2 keyboard had a number row because it had plenty of room for one. Since rooting and installing CM, I've had a difficult time finding a keyboard that has a number row and is as capable as the one made by Samsung.
Frankly, I don't see this vulnerability being that big of a deal. The hacker would either need access to the root filesystem of your phone WHILE you are updating and have the perfect timing to insert the file AFTER it downloaded but before the update starts, or he would have to pull off a man in the middle attack, which means hanging out at a Starbucks, setting up the fake network, and waiting for someone to come in with a Samsung phone who just happens to download the update while in Starbucks and on your fake network where you can intercept the correct file and replace it with your own.
Yeah... if I were still running stock, I wouldn't be worried.
Re: (Score:2)
"Hacker's Keyboard" has a number row, tab, and arrows.
Re: (Score:2)
Good for tablets, but I've found the Hacker's keyboards (which I use for my ssh connections) pack too many keys too closely, and I end up making a lot more spelling mistakes. Naturally, there's no spell correction like there is with the Samsung keyboard. I don't want ssh connections spell checked (that could never work), though I wouldn't mind other apps like sms messaging being spell checked.
Re: (Score:1)
Hackers keyboard: full PC layout, perfect for tablets.
Re: (Score:2)
It also has options on larger screens to include a numeric keypad, not sure exactly what the settings are for that though.
Re: (Score:1)
I wish I could read what you wrote, but... Those are not words. It's just a program displaying pictures that look like words.
Re: (Score:2)
That's how innovation happens. It's not exclu
Re: (Score:2)
What innovation did Samsung bring with its keyboard? If I don't need Korean, why would I need it?
Samsung make OS images specific to many countries/carriers. Most of these could do just fine without a Korean keyboard.
Swype wasn't added by Google to the play store. It was added by Swype itself. They (and not Google) choose to sell directly to carriers/manufacturers instead of selling through the play store.
Re: (Score:1)
You do not have to personally need it for it to be innovation. But, to be honest, I am not sure a different keyboard language layout is all that innovative but the point remains the same - your personal needs do not determine innovation.
Re: (Score:2)
I understand Samsung is free to innovate. But my point was that for most people, Samsung's keyboard is a regression, not an innovation. Now that Google has a Korean keyboard, there is no reason left for Samsung to keep their keyboard anyways. Especially if they can't maintain it, they should get rid of it.
Re: (Score:2)
Because not everyone likes the Google keyboard. Because when they started doing it the Google keyboard was lacking in features. Because when they started doing it they partnered with Swype to bring a unique experience and IMO a killer feature that differentiated their phones from the rest to their customers.
Basically, why not make a keyboard? They already customise the rest of the Android experience, why not the keyboard too.
Manufacturers don't understand security (Score:2)
Samsung seems to still be a manufacturer at heart and like all manufacturers, they just don't get software security. Not even a little bit.
Re:Manufacturers don't understand security (Score:5, Informative)
OEMs put all sorts of hacks in place just to get their garbage software to work. There is no concept of security, the goal is just to get the quickest access to the resource. This is the same story as the LG split screen software [slashdot.org].
Samsung engineers have probably moved to other projects already.
What about the signature verification? (Score:1)
Re: (Score:2)
I read it as saying that because the already-installed keyboard APK has been signed, it runs with high privileges. And because of its weaknesses, it will download and run unsigned, tampered "updates." These aren't just updates to the keyboard APK itself, but also things like language packs.
Important questions... (Score:2)
Can this be used to root your phone (as in, install SuperSU), and can this be done without tripping Knox?
Can this be then mitigated by a simple hosts entry for the domain used to check for updates? (Pretty sure the answer here would be yes - if skslm.swiftkey.net points to 127.0.0.1, no rogue WiFi's DNS is going to be able to change that).
What? (Score:2)
When the phone tries to update the keyboard, it fails to encrypt the executable file.
Why would the phone be trying to encrypt the executable (? article also says it's a ZIP file) file?
I think what's trying to be said is that the phone fails to verify the signature on the update file - a ZIP file which may contain an executable - which it then unzips without a care.
Re: (Score:2)
When the phone tries to update the keyboard, it fails to encrypt the executable file.
Why would the phone be trying to encrypt the executable (? article also says it's a ZIP file) file?
I think what's trying to be said is that the phone fails to verify the signature on the update file - a ZIP file which may contain an executable - which it then unzips without a care.
No, it verifies the hash on the file, but you can trick it by sending a fake hash too.
Had to disable the Samsung KB on day 1 (Score:2)
Only in one specific case...? (Score:3)
When the phone tries to update the keyboard, it fails to encrypt the executable file.
So this only happens when I have a keyboard update available and waiting for me? How often does this happen, anyway? To be honest, this is a problem, but not that big of a problem....
Re: (Score:2)
The problem in that statement is if it's "the server" not "Samsung's verified server." If the signature on the downloaded file isn't verified but it's checked and downloaded only over a secure connection to a valid server then I'm less worried. If it's checking over a secure signed connection but downloading over an insecure channel that's a prob
Re: (Score:2)
That's exactly what it's doing, according to Ars.
It's a serious hole. The update check mechanism can be fooled. It doesn't require that a genuine update is available, just that something that claims it is the server says there is.
It polls the server, the spoof replies and sends a fake hash and the payload and the phone executes it with elevated privileges.
Re:Only in one specific case...? (Score:5, Informative)
No, it can happen if there's no keyboard update available.
The system periodically polls the server to check for an update, so it can happen as frequently as that check occurs. They don't say how often that is, but that if the keyboard is installed (i.e., if you have a non-rooted Samsung phone) even if you're using a different keyboard, you're vulnerable on an unsecured network to a MITM attack with arbitrary privileged code execution.
I would say it's a very serious problem, albeit one that can only occur when the phone does a periodic update check. It doesn't require that an actual update be available to work.
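The difference the comments above draw between checking a hash that arrives with the download and verifying a signature can be shown in a few lines. This is an added example, not code from Samsung, SwiftKey or any poster; the `Update` type, the function names, the keys and the payload strings are all constructed for illustration, and Ed25519 stands in for whatever signature scheme a vendor would actually use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Update is everything the device receives from whoever answers the update
// poll. On an untrusted network all three fields are attacker-controlled.
type Update struct {
	Payload   []byte // the downloaded archive
	SHA256Hex string // hash sent alongside the payload
	Signature []byte // Ed25519 signature over Payload (hardened scheme)
}

// AcceptHashOnly compares the payload with the hash that arrived with it.
func AcceptHashOnly(u Update) error {
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != u.SHA256Hex {
		return errors.New("hash mismatch")
	}
	return nil
}

// AcceptSigned checks the payload against a public key shipped inside the
// installed app, so the trust anchor never travels over the network.
func AcceptSigned(pinned ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pinned, u.Payload, u.Signature) {
		return errors.New("signature does not match pinned key")
	}
	return nil
}

// keyFor derives a deterministic key pair from a label (constructed test keys).
func keyFor(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// build packages a payload with a matching hash and a signature by signer.
func build(payload string, signer ed25519.PrivateKey) Update {
	sum := sha256.Sum256([]byte(payload))
	return Update{[]byte(payload), hex.EncodeToString(sum[:]), ed25519.Sign(signer, []byte(payload))}
}

// Scenario reports which updates each check accepts.
func Scenario() (hashGenuine, hashSpoofed, sigGenuine, sigSpoofed bool) {
	vendorPub, vendorPriv := keyFor("constructed vendor key")
	_, otherPriv := keyFor("constructed non-vendor key")
	genuine := build("constructed genuine language pack", vendorPriv)
	spoofed := build("constructed substituted payload", otherPriv)
	return AcceptHashOnly(genuine) == nil, AcceptHashOnly(spoofed) == nil,
		AcceptSigned(vendorPub, genuine) == nil, AcceptSigned(vendorPub, spoofed) == nil
}

func main() {
	hg, hs, sg, ss := Scenario()
	fmt.Printf("hash-only: genuine=%v substituted=%v\n", hg, hs)
	fmt.Printf("signed:    genuine=%v substituted=%v\n", sg, ss)
}
```

The hash-only check accepts both updates because the hash is supplied by the same party that supplies the payload; the signature check rejects the substituted one because the verifying key never leaves the device.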
Easy (Score:2)
Nope. (Score:2)
I have a Samsung S5, get a LG (horrid advice). (Score:2)
With my Samsung S5 or any mobile device I use a Bluetooth keyboard, as it's just downright easier (of course I don't travel). So a keyboard exploit shouldn't be a problem. I do have the keyboard, and other services I don't use updates disabled.
My new LG (the Samsung S5's service is in limbo at this time), while it's a version of Android, its tactile is so weak as to make it unusable. There is a feature to highlight then double click the screen, opening a function (whatever it may be), and now the only
no known fix? (Score:2)
fix it by installing a custom android rom, those samsung phones listed are well supported by many roms.
you won't regret it either because samsung-android is horrible!