Samsung phones at risk from keyboard, how to avoid issues

If you’re the owner of one of those brand spanking new Galaxy S6 or S6 Edge smartphones, you might want to skip accessing WiFi the next time you’re at a coffee shop, because it could just break your phone.

You might not realise it, but accessing an insecure wireless network or one you don’t trust could have some pretty severe consequences if you’re doing so on a Samsung Galaxy S6 or S6 Edge, or any number of phones that have SwiftKey keyboard preinstalled out of the box.

This week, researchers at security firm NowSecure published information stating that they had found a way to break into Samsung phones simply by planting malware at the time SwiftKey tries to grab language pack updates, which it can generally do without letting the user know something more malicious is going on.

Even worse, because this is the keyboard that Samsung preinstalls on its phones, it can’t be removed or disabled, and even if you use a different keyboard, you’re still technically at risk.

From what we’re hearing, the hack appears to work only through wireless networks, requiring someone to deliver that terrible payload over WiFi, and not through 4G. This means securing your device from this threat is as simple as not using wireless networks you’re not sure about, such as the free WiFi at the airport or the local coffee shop, relying instead on your 3G or 4G internet connection.

The good news is that your computer is still fine for accessing the free WiFi, with this hack only applying to Android phones that have SwiftKey’s keyboard preinstalled, which includes the Samsung Galaxy S6 and S6 Edge, but may also include the Samsung Galaxy S5, Galaxy Note 4, and Galaxy Note Edge. Your Windows or Mac laptop is therefore safe from this, but we’d still have some security software running there, too. It’s only logical.

As for other smartphones, Samsung is one of the only providers relying on SwiftKey being preinstalled, and from what we’re hearing, it’s not a problem with SwiftKey, but rather the way Samsung set up the keyboard upon install.

In fact, as far as we’ve heard, SwiftKey’s keyboard app lacks this flaw, meaning SwiftKey downloaded for your Android phone and tablet, as well as SwiftKey for iPhone and iPad, are not affected by this hack. We’re not sure how many phones and tablets use SwiftKey natively, but they may not have that problem either, as SwiftKey has been set up by Samsung to work as a “privileged” app, meaning it can basically do what it wants in the background.

According to the researchers, Samsung was informed about this hack last year, and patches dealing with it should have been sent to the various telcos that issue the independent patches for carrier-specific phones, which most Australians rely on (a Telstra S6 if you’re a Telstra customer, a Vodafone S6 if you’re a Vodafone customer, etc).

We’re checking with Samsung to find out whether Samsung’s preinstalled Knox security system will go on the defence against any hacks that are installed in this way, as well as if or when the updates will be rolled out to Samsung owners. We’ve seen an update is available as of now on the Telstra Galaxy S6 Edge, so this could be a fix, but because neither the operator (telco) nor the manufacturer generally tells you what the patch fixes, we can’t say whether this is what the patch is for.

In the meantime, if you’re at all concerned, stay off WiFi networks that you don’t know and can’t trust. Home is fine, and work should be okay depending on the size of your organisation, but instead of joining wireless networks you don’t know, you should stick to 4G. It’s just an easier way of being secure.

UPDATE (3.18pm): Samsung has a comment on this whole thing, and it’s this:

Samsung Electronics Australia takes security threats very seriously. We are committed to providing the latest mobile security and we are working quickly to investigate and resolve the matter. We will provide further information as it becomes available.

So there you go. Updates are more than likely coming, though it would be nice to see if the patches mention this bug when they’re delivered. They most likely won’t, but it would be nice.