Samsung Promises Patch For Galaxy Keyboard Hack
Samsung will push out a software fix for the recently identified keyboard hack, patching at least some of the affected Galaxy smartphones. The new security policy will be released first for KNOX-enabled Samsung devices, though Samsung maintains that there have been no reported cases of the exploit being carried out in the wild. The company is also working with third-party keyboard providers, like SwiftKey, to make sure future gaps in security aren't left open.
SwiftKey is preloaded on certain Samsung phones, including the recently released Galaxy S6 flagship. Security researcher Ryan Welton from NowSecure discovered that, because the keyboard checks for language pack updates over an unencrypted, plain-text connection, a malicious server could also inject some compromised code into the phone at the same time.
Welton conceded that the process was relatively convoluted, and Samsung leans on that point in its statement today.
"This vulnerability, as noted by the researchers, requires a very specific set of conditions for a hacker to be able to exploit a device this way," the company wrote. "This includes the user and the hacker physically being on the same unprotected network while downloading a language update. Also, on a KNOX-protected device there are additional capabilities in place such as real-time kernel protection to prevent a malicious attack from being effective."
Nonetheless, Samsung says, the security loophole needs to be filled, and hence the upcoming policy update.
Not every susceptible phone will be patched in this initial sweep, however, since not all of the devices come with KNOX preloaded. Those that don't will have to wait for an "expedited firmware update" that Samsung says will be ready as soon as its own testing and that of carriers are completed.
Meanwhile, SwiftKey points out that the issue only affects the software provided to Samsung, rather than the consumer version of its keyboard offered through the Google Play store.
If your Samsung device has KNOX, you'll need to either have automatic updates enabled or check manually for the patch in order to have it installed.
SOURCE Samsung