Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Bug Cellphones Encryption

Samsung Cellphone Keyboard Software Vulnerable To Attack 104

Adesso writes: A serious security problem in the default Samsung keyboard installed on many of the company's cellphones has been lurking since December 2014 (CVE-2015-2865). When the phone tries to update the keyboard, it fails to encrypt the executable file. This means attackers on the same network can replace the update file with a malicious one of their own. Affected devices include the Galaxy S6, S5, S4, and S4 mini — roughly 600 million of which are in use. There's no known fix at the moment, aside from avoiding insecure Wi-Fi networks or switching phones. The researcher who presented these findings at the Blackhat security conference says Samsung has provided a patch to carriers, but he can't find out if any of them have applied the patch. The bug is currently still active on the devices he tested.
This discussion has been archived. No new comments can be posted.

Samsung Cellphone Keyboard Software Vulnerable To Attack

Comments Filter:
  • That's stupid (Score:5, Insightful)

    by ArcadeMan ( 2766669 ) on Wednesday June 17, 2015 @08:08AM (#49928547)

    Samsung has provided a patch to carriers

    So if your carrier doesn't want to patch your phone to force you to buy yet another phone/switch to a costlier monthly package... well, you're screwed.

    I prefer the Apple method: they make the phones, they make the OS and the basic software, they push the updates directly to you. Letting the carriers in charge of anything but the actual communications is just insane.

    • Yeah, no kidding. WTF are we trusting carriers for?

      They don't care about your security, they want to sell you phones which have their custom shit in it to maximize their profits.

      Trusting carriers to spend the time and effort applying updates is utterly insane, because they're lazy and greedy -- which means you likely won't get the update at all.

      But since they have nothing to lose and no liability for failing to push the updates, what do you think will change? The carriers simply don't give a damn.

      Android

      • by Krojack ( 575051 )

        The carriers excuse is that the devices use 'their network' thus they need control over the software to prevent abuse and damage their 'their network'. Sure we all know it's total bullshit but can't do anything about it.

        I like as little as possible government regulation as possible but understand it's needed in some areas. This is one of them. I would love to see some regulation forcing phone manufactures and carriers forcing the to push out security fixes within at 30 days at the extreme from the time a

        • by Rakarra ( 112805 )

          The carriers excuse is that the devices use 'their network' thus they need control over the software to prevent abuse and damage their 'their network'. Sure we all know it's total bullshit but can't do anything about it.

          Everyone knows it's total bullshit too, as Internet service providers don't have any control over what computers and devices are hooked up on your home connection, nor should they.

    • Re:That's stupid (Score:4, Interesting)

      by nate_in_ME ( 1281156 ) <me@[ ]esmith.me ['nat' in gap]> on Wednesday June 17, 2015 @08:20AM (#49928619)
      HTC actually has come up with a good way to handle this. They've moved many of their "factory" apps into the Play Store, so they can push updates that way independent of the carriers. I've even received lock screen and Sense (their "home screen" for those unfamiliar with it) updates though this method. The only thing they can't push is updates to Android itself this way.
      • by mjwx ( 966435 )

        HTC actually has come up with a good way to handle this. They've moved many of their "factory" apps into the Play Store, so they can push updates that way independent of the carriers. I've even received lock screen and Sense (their "home screen" for those unfamiliar with it) updates though this method. The only thing they can't push is updates to Android itself this way.

        This is what Google did with its applications ages ago and recommends manufacturers do.
        b Google has solved the problem of carriers controlling updates to a large degree by uncoupling applications from the OS, I cant speak for HTC users as I've been on the Nexus phones for a few years now but for us, it's been a fantastic success (in fact Gmail updated itself last night). Like you said, the only thing they cant update this way is Android itself, but there are other ways around that (for nexus phones, the im

    • by donaldm ( 919619 )
      Yes you are right Apple do make their brand however so do other vendors. What apple and the other vendors don't control although they do have some say are the carriers and if an update is released IOS or Android then it is up to the carriers to push it out.

      There are other vendors that sell Android phones and so far it is only the Samsung brand that has the issue and not the Linux kernel, so basically it is a Samsung problem.
      • What apple and the other vendors don't control although they do have some say are the carriers and if an update is released IOS or Android then it is up to the carriers to push it out.

        Actually, I'm pretty sure Apple does control this.

        First, they don't allow carriers to customize iOS for their own purposes. Second, the updates for iOS come from Apple themselves.

        Which means carriers can't put shit on the Apple devices, and they can't fail to push out security updates. Because they're not part of the process

      • Actually, I believe that Apple's updates are pushed independently of the carrier - my wife's iPhone gets iOS updates just fine, even through we use Net10 (which doesn't distribute core Android updates for shit, since most of their customers do the 'bring-your-own-phone' thing or use one of the really oddball uber-cheap phones that Net10 sells.)

        IOW, I believe that Apple pushes all of their updates the same way that Google's Play Store does.

    • I am on the Alliance rom that bundles SuperSU, so I can fix this (unlike most unfortunate Samsung users).

      I used the "NoBloat" application from the Google Play store to disable the Samsung keyboard (after clearing the cache with the app manager).

      After doing so, I see the file /system/app/SamsumgIME.apk_ (note the underscore). I may try to copy the AOSP keyboard over from CM11 so there is a working keyboard in /system.

      I would like to congratulate Google and Samsung for their stunning incompetence in Android s

    • This dependency on carriers is the only thing I can't stand about Android, but at the same time, it was necessary to pique the interest of carriers to carry the phones.
    • you mean, it should work the way it has been working everywhere in the world (except the US) since cell phones have been invented?

    • by dos1 ( 2950945 )

      How is this "Apple method" different from just buying your phone instead of renting it from carrier on subsidized price?

      It's your, customers, choice, nobody forces you to do that.

  • Ouch. Presumably, if you're running an AOSP build this won't affect you.

  • About to switch away from the iUniverse to a Samsung. Many reviewers recommend installing better keyboard software than Samsung's default; would that address this problem?
    • As long as you freeze the included keyboard as well, yes. The ordinary google keyboard is pretty great these days. I also use anysoftkeyboard, specifically for its ssh layout which has control and tab.

      • by Krojack ( 575051 )

        As long as you freeze the included keyboard as well, yes.

        Which you can't do, at least not on my Samsung tablet. You can not uncheck the "Samsung keyboard" under Language and input in settings nor can you turn off (or disable/freeze) the Samsung keyboard app. Both options are grayed out.

        You would have to root your phone to get around this at which point you will no longer get OTA update and patches.

  • There's no known fix at the moment, aside from avoiding insecure Wi-Fi networks or switching phones.

    In other words, there are at least two known fixes.

    "Dear Samsung, I am returning my phone and buying another brand because...."

  • by danbob999 ( 2490674 ) on Wednesday June 17, 2015 @08:28AM (#49928671)

    Why is Samsung making a keyboard in the first place?

    • Branding, marketing, differentiation, integration with the rest of their crap, and probably analytics.

      The usual crap.

      • They should be able to do all that while making their keyboard available in the Play Store, and therefore easily updatable.

        • You do realize Samsung has their own store, and isn't interested in your access to Google's, right?

          A Nexus device is Android as Google envisions it. Anything else has been designed to steer you towards making money for someone else.

          So, Samsung makes a device, customizes the heck out of of Android for their own purposes. And then the greedy telcos add their shit.

          And the consumer gets left with a device which may or may not receive updates as both Samsung and the carrier have moved onto new things, and don

          • by Krojack ( 575051 )

            You do realize Samsung has their own store, and isn't interested in your access to Google's, right?

            You do realize that many of the pre-installed bloatware Samsung made apps are updated via the google play store right? Let me list just a few..

            These are pre-install bloatware that can be disabled but not uninstalled. They also show up while searching the app store.
            Samsung Link [google.com]
            Samsung Push Service [google.com]
            Samsung Print Service Plugin [google.com]

            These are pre-install bloatware that can NOT be disabled or uninstalled. They are also hidden on the app store to prevent non-samsung owners from installing them. They DO update via the n

          • Mod parent up! I have one other suggestion.. Root your beautiful piece of Samsung HARDWARE and replace its software with CyanogenMod which is updated every night and even better than Nexus because it is mostly stock Android but also has a neat feature called Privacy Guard which allows the user fine grained controls over app permissions. There are many more reasons to go this route but I won't go on. This is the best of both worlds IMO and I won't ever go back to Samsung bastardized Android ever.
    • by ArcherB ( 796902 ) on Wednesday June 17, 2015 @08:39AM (#49928733) Journal

      Because they can make a keyboard to fit the phones they design. For example, my ancient Note 2 keyboard had a number row because it had plenty of room for one. Since rooting and installing CM, I've had a difficult time finding a keyboard that has a number row and is as capable as the one made by Samsung.

      Frankly, I don't see this vulnerability being that big of a deal. The hacker would either need access to the root filesystem of your phone WHILE you are updating and have the perfect timing to insert the file AFTER it downloaded but before the update starts, or he would have to pull off a man in the middle attack, which means hanging out at a Starbucks, setting up the fake network, and waiting for someone to come in with a Samsung phone who just happens to download the update while in Starbucks and on your fake network where you can intercept the correct file and replace it with your own.

      Yeah... if I were still running sock, I wouldn't be worried.

      • by GTRacer ( 234395 )
        Have you tried the Google Keyboard, with the "English (US) (PC)" custom input style activated? That input style is a proper 4-row keyboard where shifted characters appear where they should. The only thing it lacks is navigation keys like Tab and arrows.
        • "Hacker's Keyboard" has a number row, tab, and arrows.

          • by GTRacer ( 234395 )
            It does, but so far as I can tell, it wouldn't work well on a phone in portrait orientation.
          • by Rakarra ( 112805 )

            Good for tablets, but I've found the Hacker's keyboards (which I use for my ssh connections) pack too many keys too closely, and I end up making a lot more spelling mistakes. Naturally, there's no spell correction like there is with the Samsung keyboard. I don't want ssh connections spell checked (that could never work), though I wouldn't mind other apps like sms messaging being spell checked.

        • by Alumoi ( 1321661 )

          Hackers keyboard: full PC layout, perfect for tablets.

      • Swiftkey has a checkable option under "Customize" in their settings for "Show a number row in all layouts."

        It also has options on larger screens to include a numeric keypad, not sure exactly what the settings are for that though.
    • This is not a keyboard: It is a program displaying a picture that looks like a keyboard, on a computer that masquerades as being a telephone, all controlled by people and companies you don't know and wouldn't trust if you did.
      • by Anonymous Coward

        I wish I coul read what you wrote, but... Those are not words. It's just a program displaying pictures that look like words.

    • Because it used to be Google didn't have a Korean keyboard for Android, and rather than direct customers in their home country to download a 3rd party one from the Play store, they decided to make one themselves that they trusted. That was one of the early advantages of Android over iOS - you could replace the keyboard if you didn't like the default one. Eventually they began adding extra features and keys to support features that were only in their phones.

      That's how innovation happens. It's not exclu
      • What innovation did Samsung bring with its keyboard? If I don't need Korean, why would I need it?
        Samsung make OS images specific to many countries/carriers. Most of these could do just fine without a Korean keyboard.

        Swype wasn't added by Google to the play store. It was added by Swype itself. They (and not Google) choose to sell directly to carriers/manufacturers instead of selling through the play store.

        • by KGIII ( 973947 )

          You do not have to personally need it for it to be innovation. But, to be honest, I am not sure a different keyboard language layout is all that innovative but the point remains the same - your personal needs do not determine innovation.

          • I understand Samsung is free to innovate. But my point was that for most people, Samsung's keyboard is a regression, not an innovation. Now that Google has a Korean keyboard, there is no reason left for Samsung to keep heir keyboard anyways. Especially if they can't maintain it, they should get rid of it.

    • Because not everyone likes the Google keyboard. Because when they started doing it the Google keyboard was lacking in features. Because when they started doing it they partnered with Swype to bring a unique experience and IMO a killer feature that differentiated their phones from the rest to their customers.

      Basically, why not make a keyboard? They already customise the rest of the Android experience, why not the keyboard too.

  • Oh this is mindblowing. Who writes software that just asks a remote server for a file, then blindly executes that file with system privileges, but doesn't put any checks and balances in place to make sure it's really the remote server and the file is legit? It's not even HTTPS for goodness sakes (not that that would make much difference).

    Samsung seems to still be a manufacturer at heart and like all manufacturers, they just don't get software security.Not even a little bit.
  • It occurs to me, that the crucial part is the signature of the update package for the keyboard. The article states, that "the keyboard was signed with Samsung's private signing key". How can the attackers fake the signature of the update? Isn't the signature checked?
    • I read it as saying that because the already-installed keyboard APK has been signed, it runs with high priveleges. And because of its weaknesses, it will download and run unsigned, tampered "updates." These aren't just updates to the keyboard APK itself, but also things like language packs.

  • Can this be used to root your phone (as in, install SuperSU), and can this be done without tripping Knox?

    Can this be then mitigated by a simple hosts entry for the domain used to check for updates? (Pretty sure the answer here would yes - if skslm.swiftkey.net points to 127.0.0.1, no rouge WiFi's DNS is going to be able to change that).

  • When the phone tries to update the keyboard, it fails to encrypt the executable file.

    Why would the phone be trying to encrypt the executable (? article also says it's a ZIP file) file?

    I think what's trying to be said is that the phone fails to verify the signature on the update file - a ZIP file which may contain an executable - which it then unzips without a care.

    • by jo_ham ( 604554 )

      When the phone tries to update the keyboard, it fails to encrypt the executable file.

      Why would the phone be trying to encrypt the executable (? article also says it's a ZIP file) file?

      I think what's trying to be said is that the phone fails to verify the signature on the update file - a ZIP file which may contain an executable - which it then unzips without a care.

      No, it verifies the hash on the file, but you can trick it by sending a fake hash too.

  • I have an S6, and the Samsung keyboard would disappear as soon as it appeared, making text entry impossible. Fortunately I could use voice recognition to find another keyboard in the Play store to make the phone usable.
  • by Tyrannosaur ( 2485772 ) on Wednesday June 17, 2015 @10:09AM (#49929411)

    When the phone tries to update the keyboard, it fails to encrypt the executable file.

    So this only happens when I have a keyboard update available and waiting for me? How often does this happen, anyway? To be honest, this is a problem, but not that big of a problem....

    • I haven't dug into the details, but I suspect it's more "It only happens when the phone checks for a keyboard update and the server tells it there's one available."

      The problem in that statement is if it's "the server" not "Samsung's verified server." If the signature on the downloaded file isn't verified but it's checked and downloaded only over a secure connection to a valid server then I'm less worried. If it's checking over a secure signed connection but downloading over an insecure channel that's a prob
      • by jo_ham ( 604554 )

        That's exactly what it's doing, according to Ars.

        It's a serious hole. The update check mechanism can be fooled. It doesn't require that a genuine update is available, just that something that claims it is the server says there is.

        It polls the server, the spoof replies and sends a fake hash and the payload and the phone executes it with elevated privileges.

    • by jo_ham ( 604554 ) <joham999@gmail.cTIGERom minus cat> on Wednesday June 17, 2015 @08:01PM (#49933823)

      No, it can happen if there's no keyboard update available.

      The system periodically polls the server to check for an update, so it can happen as frequently as that check occurs. They don't say how often that is, but that if the keyboard is installed (i.e., if you have a non-rooted Samsung phone) even if you're using a different keyboard, you're vulnerable on an unsecured network to a MITM attack with arbitrary privileged code execution.

      I would say it's a very serious problem, albeit one that can only occur when the phone does a periodic update check. It doesn't require that an actual update be available to work.

  • So disable update on keyboard now, because you're probably fine at the moment. Wait for fix, then update.
    • by emil ( 695 )
      The keyboard application launches at boot and regularly downloads .ZIP files of json objects. This download happens as the system user, and is vulnerable to directory traversal. Disabling updates for this .APK will not halt this activity, and it is unlikely that all vendors will bother to patch this.
  • With My Samsung S5 or any mobile device I use a Blue-Tooth keyboard, as it's just down right easier (of course I don't travel). So a keyboard exploit shouldn't be a problem. I do have the keyboard, and other services I don't use updates disabled.

    My new LG (the Samsung S5's service is in limbo at this time), while it's a version of Android, it's tactile is so weak as to making it unusable. There is a feature to highlight then double click the screen, opening a function (whatever it may be), and now the only

  • fix it by installing a custom android rom, those samsung phones listed are well supported by many roms.
    you won't regret it either because samsung-android is horrible!

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...