Security researchers at NowSecure have revealed a SwiftKey vulnerability that threatens the security of top Samsung devices such as the Samsung Galaxy S6. NowSecure reports, “Over 600 million Samsung mobile device users have been affected by a significant security risk on leading Samsung models, including the recently released Galaxy S6. The risk comes from a pre-installed keyboard that allows an attacker to remotely execute code as a privileged (system) user.” Samsung has acknowledged the issue and has promised a fix.
In a statement sent to PhoneArena, Samsung said, “Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security. Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”
In an update, Samsung said, “The likelihood of making a successful attack, exploiting this vulnerability is low. There have been no reported customer cases of Galaxy devices being compromised through these keyboard updates. But as the reports indicate, the risk does exist and Samsung will roll out a security policy update in the coming days. This vulnerability, as noted by the researchers, requires a very specific set of conditions for a hacker to be able to exploit a device this way. This includes the user and the hacker physically being on the same unprotected network while downloading a language update. Also, on a KNOX-protected device there are additional capabilities in place such as real-time kernel protection to prevent a malicious attack from being effective.”
The issue seems to affect units of the Samsung Galaxy S6 with US carriers Verizon, AT&T, Sprint, and T-Mobile. We are yet to hear of the security risk affecting units of the smartphone in the UK. Still, Phones LTD will let you know once the update is available.