Samsung have just announced that their Galaxy phones may have a security risk. The problem appears to lie in how the Samsung Galaxy keyboard software accepts data while it is updating. A user also needs to be connected to a compromised network to be affected.
However, according to the Wall Street Journal, this Samsung Galaxy keyboard fault has been an issue since November 2014. Apparently, researchers at NowSecure found a bug in many Samsung Galaxy phones that could allow hackers to spy on Galaxy phone users. This security issue was apparently reported to Samsung, and their reply was that the issue had been rectified and a patch for the keyboard program had been sent through to Samsung Galaxy users. The Wall Street Journal also claims Samsung asked them to “wait three months before going public.”
The researchers from NowSecure did this and, after the time was up, purchased new Samsung Galaxy phones to see if the patch worked on the compromised keyboard software. Apparently, it did not, and NowSecure CEO Andrew Hoog decided to share his findings with the Wall Street Journal and to distribute a report on the fault.
Samsung was quick to respond with a statement on their Galaxy phones, claiming the two instances were “unrelated.” You can view the full statement from Samsung below.
“On Tuesday, we learned that a security vulnerability exists in Samsung’s Android keyboard software. This was publicly revealed yesterday in a statement in The Wall Street Journal by NowSecure, which they claim was reported to Samsung in November 2014.”
“This vulnerability is unrelated to and does not affect our SwiftKey consumer apps on Google Play and the Apple App Store.”
“We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue.”
“The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”
A Samsung spokesperson issued the following statement on Wednesday: “Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security.
“Samsung KNOX has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days.”
“In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”
“For clarity, this issue does not affect SwiftKey’s consumer keyboard applications on Google Play or the Apple App Store, and we are absolutely committed to maintaining world-class standards in security and privacy practices for our users.”
Do you own a Samsung Galaxy phone? How do you think this vulnerability will affect you? Let us know by commenting below!
[Image credit: NowSecure screen capture]