SAN FRANCISCO – Millions of Samsung Galaxy smartphone owners may be at risk
of having their calls eavesdropped on, their data stolen and malware installed
on their devices – and there isn’t much they can do about it.
The flaw is found in SwiftKey keyboard software preinstalled on 600 million
of the South Korean electronics giant’s smartphones, mobile security company NowSecure said Wednesday.
Affected users are powerless to address the vulnerability because they cannot
uninstall the software.
Affected devices include the recently released Galaxy
S6, as well as the S5, S4, and S4 Mini on all major carriers, NowSecure
said.
Samsung said it will release a fix for the problem in the next few days,
accessible through its service Samsung Knox. It will come in the form of a
security policy update that can be downloaded onto the phones.
“Samsung takes emerging security threats very seriously,” Samsung
said in a statement. “In addition to the security policy update, we are
also working with SwiftKey to address potential risks going forward.”
Consumers can be forgiven for feeling whipsawed by security flaws and
breaches that compromise the data held about them by retailers and banks, and
now the data on the mobile devices they use. Target in 2013 reported 40 million
people had their credit card numbers stolen from its point-of-sale terminals,
and followed up that report with news that another hack got the names, email
addresses and phone numbers of 70 million customers. JPMorgan Chase, the
largest bank in the country, reported last year that 76 million households
and 7 million small businesses had their account information stolen. And on
Monday, password manager service LastPass announced hackers had stolen the
email addresses and master password clues of its users.
NowSecure said Samsung was notified in December 2014 of the problem.
“While Samsung began providing a patch to mobile network operators in
early 2015, it is unknown if the carriers have provided the patch to the
devices on their network,” NowSecure said in its report. According to the
report’s list of affected devices, every listed phone either has no patch
available or has a patch whose status is unknown.
The phones are vulnerable to attack from a variety of fronts, according to
NowSecure’s technical analysis of the flaw. A less sophisticated hacker who is
near a phone might gain access through unsecured Wi-Fi connections, while a
more serious attacker could use a more involved approach to gain access from
much farther away, according to NowSecure.
As a result, the flaw would appear to be a pervasive and serious problem
until fixed.
“To reduce your risk, avoid insecure Wi-Fi networks, use a different
mobile device and contact your carrier for patch information and timing,”
NowSecure said in its report.
However, some security professionals noted that an attack might have limited
returns for hackers.
“It appears there needs to be a lot of things in place for this to work
properly,” Nathan Collier, senior malware intelligence analyst at
Malwarebytes Labs, said in an email about NowSecure’s description of how an
intruder could break into a phone.
Noting that he didn’t expect to see anyone carrying out such an attack,
Collier said it wasn’t the typical route taken by people trying to take over
computers and devices.
“Malware authors are looking for big returns using the path of least
resistance, and having to write code for several different phone models is
quite tedious. Samsung is aware of the issue. Hopefully they will be providing
a patch for their customers shortly.”