An update on the Samsung keyboard security vulnerability

17th June 2015

Updated 12.50pm PDT 6/18/15 to add clarification and details of imminent Samsung keyboard security fix

On Tuesday, we learned that a security vulnerability exists in Samsung’s Android keyboard software. This was publicly revealed yesterday in a statement in The Wall Street Journal by NowSecure.

This vulnerability is unrelated to and does not affect our SwiftKey consumer apps on Google Play and the Apple App Store.

We supply Samsung with the core technology that powers the word predictions in their keyboard via an SDK – which is distinct from a pre-installed app (you can learn more about this here). We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue.

The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.
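The post does not describe how the Samsung keyboard fetches or validates language packs, so the following is an added illustration rather than code from SwiftKey or Samsung: a constructed Go example of why a compromised network only matters when the update client trusts whatever the network hands it. The manifest format, the Ed25519 key pinned in the client, the pack name `fr_FR` and the function names are all assumptions made for this example. The client accepts a pack only if a manifest signed by the pinned vendor key names that pack and its digest matches the downloaded bytes; an on-path attacker can replace the bytes or the manifest, but cannot produce a valid signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one language pack. The format is constructed for this
// example and is not the Samsung keyboard's real update format.
type Manifest struct {
	Pack   string `json:"pack"`   // pack identifier, e.g. "fr_FR"
	SHA256 string `json:"sha256"` // hex SHA-256 of the pack bytes
}

// SignedManifest is what the server sends: the manifest bytes plus a detached
// Ed25519 signature over exactly those bytes.
type SignedManifest struct{ Manifest, Signature []byte }

// UpdateClient pins the vendor public key at build time; nothing received
// over the network can replace it.
type UpdateClient struct{ VendorKey ed25519.PublicKey }

var (
	ErrBadSignature   = errors.New("manifest signature does not verify")
	ErrWrongPack      = errors.New("manifest names a different pack")
	ErrDigestMismatch = errors.New("pack digest does not match manifest")
)

// VerifyUpdate accepts a download only if the manifest is signed by the pinned
// key, names the requested pack, and the bytes hash to the listed digest.
func (c UpdateClient) VerifyUpdate(want string, sm SignedManifest, pack []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(c.VendorKey, sm.Manifest, sm.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, err
	}
	if m.Pack != want {
		return m, ErrWrongPack
	}
	if sum := sha256.Sum256(pack); hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrDigestMismatch
	}
	return m, nil
}

// SignPack is the vendor-side step (build server, never the device).
func SignPack(priv ed25519.PrivateKey, name string, pack []byte) (SignedManifest, error) {
	sum := sha256.Sum256(pack)
	raw, err := json.Marshal(Manifest{Pack: name, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// Demo runs the honest path and two tampering cases on constructed data.
func Demo() (honestOK, tamperedRejected, forgedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	client := UpdateClient{VendorKey: pub}
	pack := []byte("constructed fr_FR language pack bytes")
	evil := []byte("attacker-supplied bytes")
	sm, err := SignPack(priv, "fr_FR", pack)
	if err != nil {
		return
	}
	_, err = client.VerifyUpdate("fr_FR", sm, pack)
	honestOK = err == nil
	// Case 1: the network swaps the pack body but replays the genuine manifest.
	_, err = client.VerifyUpdate("fr_FR", sm, evil)
	tamperedRejected = errors.Is(err, ErrDigestMismatch)
	// Case 2: the manifest is rewritten to match the new bytes, but without the
	// vendor key it can only be signed with an attacker-generated key.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	forged, err := SignPack(attackerPriv, "fr_FR", evil)
	if err != nil {
		return
	}
	_, err = client.VerifyUpdate("fr_FR", forged, evil)
	forgedRejected = errors.Is(err, ErrBadSignature)
	return honestOK, tamperedRejected, forgedRejected, nil
}

func main() {
	fmt.Println(Demo())
}
```

The point of the two tampering cases is that the network position alone gives an attacker nothing once the client checks a signature it can verify offline; the window the post describes (a language update in progress on a compromised network) is only dangerous when that check is absent.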

A Samsung spokesperson issued the following statement on Thursday (which you can read in full here):

“Samsung takes all security threats very seriously. There have been reports that there is vulnerability when keyboard updates are carried out on Galaxy devices. We are aware of this issue and are committed to providing the latest in security on all of our devices … as the reports indicate, the risk does exist and Samsung will roll out a security policy update in the coming days.”

If you own a Galaxy device with Samsung KNOX, you will be able to receive an over-the-air update to invalidate any potential vulnerabilities caused by this issue. For this to work, you need to make sure your device automatically receives security policy updates. To do this, go to Settings > Lock Screen and Security > Other Security Settings > Security policy updates, and check that the ‘Automatic Updates’ option is activated. At the same screen, you can also click ‘Check for updates’ to manually retrieve any new security policy updates.

For devices that don’t come with KNOX by default, Samsung said it is currently working on an expedited firmware update that will be available upon completion of all testing and approvals.

We are absolutely committed to maintaining world-class standards in security and privacy practices for our users. For absolute clarity, this issue does not affect SwiftKey’s consumer keyboard applications on Google Play or the Apple App Store.

87 responses to “An update on the Samsung keyboard security vulnerability”

  1. FoxBlackcinder . says:

    This is a terrible risk for those of us who type several languages, don’t keep our keyboards updated for those languages, and do updates from untrusted network connections. What ever shall those of us who do all of those things do?

  2. StevetheHun says:

    ” … and we are absolutely committed to maintaining world-class standards in security and privacy practices for our users.”

    I’m a bit cynical about that statement and your commitment, given the obvious circumstances. Time to shop for a new phone that doesn’t have your content.

    • Just out of curiosity, how often do you find yourself using an unsecured wireless network to update your language packs?

      • StevetheHun says:

        You do know, right, that your phone will upgrade software without asking you.

        And if you didn’t know that there was crappy software on your phone that could be exploited, then you wouldn’t avoid such wireless networks right?

        Your hindsight is a perfect 20/20. Yeah, using up your data plan is the way to go, which is why cell phone companies love this.

        • Let me rephrase: Why would any sensible person be on an unsecured wireless network on their phone if they have it set to automatically update (you can change that)?

          Your lax security does not constitute an emergency for the rest of the world.

          • StevetheHun says:

            Wait… you’re trying to blame the USERS for crappy software on phones they spent hundreds of dollars to buy? Really?

            If you want to get right down to that, then they should never have bought the phone with the crappy software, eh? Caveat emptor, and all that?

            No problem at all for the software vendor, eh? Your answer is that they were stupid enough to buy it, so it’s okay?

          • Josh, SwiftKey Community Team says:

            @StevetheHun:disqus and @deadlyserious:disqus This is an issue that we take seriously. We are committed to helping Samsung fix the vulnerability with their keyboard on the impacted devices. As mentioned above, the likelihood of being impacted here is slim, but until we see an update it's best to be wary of untrusted wifi networks.

          • StevetheHun says:

            If it was taken seriously, then wouldn’t something be said when the vulnerability was first discovered?

            I mean, all software has bugs and despite all efforts, bugs end up in the user’s hands. I understand that. But why weren’t the users warned not to set automatic updates and to not connect to untrusted wifi networks when the bug was first discovered?

            I think the answer is that the end users are not SwiftKey’s customers, that SwiftKey’s customer is Samsung, and Samsung is not well known for a concern for the customer’s privacy. My beef should not be with SwiftKey, it should be with Samsung. Samsung appears to have thrown SwiftKey under the bus for keeping the users ignorant of the problem.

          • Kevin Dobo says:

            @StevetheHun:disqus
            Your response is like saying, “I won’t buy another “crappy car” from [insert crappy car company here] because it might overheat when the temperature exceeds 120 degrees outside, and oh, by the way, I haven’t bothered to have the cooling system checked in a decade.”

            Allow me to correlate:

            Car: First part – overheating due to temperature – highly unlikely in nearly all environments. Second part – maintaining car – OWNER’S responsibility.

            Samsung Phone: First part – software vulnerability – highly unlikely in nearly all environments/circumstances. Second part – maintaining phone through updates – OWNER’S responsibility.

            (News flash: If you allow software updates while using unsecured public wifi networks then, yes, YOU would be to blame for your own problems.)

          • StevetheHun says:

            You can talk about cars (okay, where did that come from!?) but blaming unsuspecting customers for buying crappy software they don’t even realize is on their phone, much less understand the dangers of having, is still a fail.

          • No. My argument is that a vulnerability that is only exploitable in an extremely rare situation (which would only happen if someone was already being lax about their phone security) is not a national crisis. If you’re dumb enough to use unsecured wi-fi, then you’ve already opened your phone up to attack.

          • StevetheHun says:

            Do you really want to go on SwiftKey’s website and call their customers dumb, showing complete contempt for their customers for trusting their software?

            Are there any other features of smart phones you want to say is “dumb” ahead of time, instead of with 20/20 hindsight?

            No one called it a “national crisis”.

            Do you feel you win an argument by being rude and calling people who use their phones in good faith “dumb”?

          • 1. Swiftkey’s software isn’t vulnerable (which anyone who read the article would know). Actually, those of us who use Swiftkey instead of the standard Samsung keyboard aren’t vulnerable to this particular avenue of attack. Swiftkey developed the predictive model for Samsung’s keyboard, which is the app that actually has the issue.
            2. Yes, I’m perfectly happy to call you dumb if you use unsecured wi-fi networks to do anything. That’s not a feature of your smartphone; that’s you not using your brain.
            3. The situation is so unlikely to happen that it took security professionals to spot it before customers even complained. Hence the lack of an issue.

          • jon_marcus says:

            The vulnerability is exploitable in a moderately rare situation which impacts phones with default settings. (All phones I’ve owned default to WiFi on, and Samsung’s keyboard does auto-update.)

          • “Moderately” rare? When is the last time you updated your keyboard over an unsecured network?

            And yes, all phones have wifi on by default. Last I checked, none of them default to connecting to an unsecured wifi without the user specifically allowing it. Being on unsecured wifi has always been a security risk. This is just a specific vulnerability that Samsung found. The hacker would still have to find you and compromise your phone in a very short window of time to make use of the vulnerability.

        • Steve says:

          If you’re worried about your phone updating apps automatically, simply turn off the option in settings. It’s easy to do and puts you in control of which updates get updated when. I don’t understand why anyone would want their carrier or their phone making update decisions for them.

          • StevetheHun says:

            Your 20/20 hindsight is quite clear, isn’t it? But as an excuse for a software problem that shouldn’t exist, it is still quite poor.

  3. RSDCyber says:

    Am I right in assuming that it only really affects those who use predictive typing? I don’t use this feature and type everything manually. To my knowledge I’ve never updated a keyboard on my Galaxy S3.

    • Anastasia Rose says:

      This is only going to affect those who are messaging in multiple languages. If your switching your phone from English to say french and your keyboard needs an update on an unsecured network then your at risk.

      • RSDCyber says:

        Hi, thanks for that. I do write in English and German but again put everything in manually in both languages without using the predictive function.

        • Josh, SwiftKey Community Team says:

          @RSDCyber:disqus this should not impact typing in multiple languages. For the time being, if you are using a Samsung device with their keyboard, just stay away from connecting to untrusted networks. That will keep you safe until Samsung releases an update.

      • disqus_CwRmTk5b6L says:

        LOL. Sorry, but I’ve never seen “your” and “you’re” used in the same sentence, twice each, using the same spelling all four times.

      • Jason Bryan says:

        This has already been disproven. You do not have to be on a spoofed Wi-Fi. You do not even have to have a “real” keyboard language update.
        So Anastasia…. now what ya got? :)

  4. Paul Beauregard says:

    For the six people who live on planet Earth who write in the multiple keyboard versions of Thai and are constantly updating them on an unsecure network… Be afraid… Be VERY afraid. (“The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”)

    • Andrew Phillips says:

      You know what though – we’re all having a laugh at this, but I’m glad that the company is being up-front about it and telling people what they’d have to do to be affected and isn’t just blowing it off.

      Kudos to SwiftKey for that.

    • Craig D. says:

      You should check out the Ars article on the exploit and realize how bogus that press statement is. The exploit can be executed without being connected to an unsecured network.

      http://arstechnica.com/security/2015/06/new-exploit-turns-samsung-galaxy-phones-into-remote-bugging-devices/

      “For the time being, there’s little people with vulnerable phones can do to prevent attacks other than to avoid unsecured Wi-Fi networks. Even then, those users would be susceptible to attacks that use DNS hijacking, packet injection, or similar techniques to impersonate the update server.”

      “The attack is also possible whether or not a legitimate keyboard update is available.”

    • Christopher E. Stith says:

      Actually the Galaxy S series is one of the most common items on the market. I wouldn’t need to target yours. If I wanted a bunch of compromised phones I could put a laptop bag in the corner of any Starbucks with a fake access point and route all the update checks for everyone that autoconnects to it to wherever I wanted.

      Further, if I knew of a company with a fleet of these things, I could sit outside their office and get one or two phones out of their dozens to hundreds to do this.

      MITM attacks via WiFi are not a difficult thing to do.

  5. ChasNorrisJr says:

    “The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”
    Seems like a very low vulnerability for me, I don’t connect to public Wi-Fi networks and the chance of a language update is extremely low…

    • Jason Bryan says:

      This has already been disproven. You do not have to be on a spoofed Wi-Fi. You do not even have to have a “real” keyboard language update.
      So Chas…. now what ya got? :)

  6. YoKasta Martinez says:

    Gee thanks. I have a Galaxy S5 and my life is on my phone – nice to know you made it easy for hackers to get to it using the one thing you absolutely need for communicating.

    • crispyhihats says:

      did you even read the article? the chances of this exploit happening are slim to none.

      • RB says:

        This person is an idiot. Reading is clearly not their forte.

        • YoKasta Martinez says:

          No, I read the article – and I guarantee I read better than you. FYI, I type in English, Spanish, AND Portuguese for my job and in my personal life, so this *DOES* affect me until a) a bug is rolled out to fix it, or b) I can successfully program my phone at the command prompt level to remove this software entirely and use Swype instead.

          When you assume, you make an ASS out of U, not ME!!!

          • Ryan G. says:

            Just….don’t connect to unsecured wireless networks, and you’re fine. You really appear to have not read the article at all.

      • YoKasta Martinez says:

        YOU obviously don’t work in IT or Information Security – there’s NO SUCH THING as “slim to none” chances in the technological world. The moment you assume that is when all kinds of Bad. Things. Happen.

        Idiotic thinking like that is the reason why “I Love You” worms and other devastating malware manages to hose up networks and devices everywhere.

        • Kelderic says:

          There IS such a thing as slim to none. You have to be updating a language pack over an unsecured network that has already been compromised. It’s certainly a hole that needs to be fixed, but the number of people this is going to affect is tiny.

    • RB says:

      Gee thanks for reading the article at all. Here are the events that have to happen for someone to do this to you:

      A) Connected to a VULNERABLE wifi
      B) The hacker has to be prepared to gain access
      C) At that VERY SAME TIME, you have to be performing a language system update.

      So, let’s put this to a test for you. How can you make yourself NOT vulnerable to this? Hm. This one is a tough problem, right? It’s almost as if I can READ THE ANSWER.

      Oh that might be one. Don’t do a LANGUAGE UPDATE until the issue is resolved.

      Wow. That took me a whole 4 seconds to think up. Please remove yourself from the internet.

      • Paul says:

        Oh man!!! Priceless!!!

        • YoKasta Martinez says:

          Obviously neither of you are aware that your wireless carrier can – and often does – force software updates on phones and other connected devices OTA, quite frequently, in fact.

          And since when is Wi-Fi NOT vulnerable? The very nature of Wi-Fi makes it inherently vulnerable – as is any man-made technology that the bad guys are determined to get into.

          Perhaps YOU should be the ones to remove yourselves from the Internet (as MY answer only took 1 second to recall as opposed to your 4.)

          • Jay says:

            OTAs are pushed out by your providers ONLY. If your phone is messed up then only the provider is to blame. No one can “hack” the OTA band.

            There are two types of Wi-Fi. Secured (home and work) or Unsecured (Starbucks and public places). I have a very secure Wi-Fi network at home that only allows certain MAC addresses in. If you have read the article it said: “The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”

          • Paul says:

            If you’re that worried about hackers then the internet is not the place for you.

          • YoKasta Martinez says:

            I work in Information Security. IT’S MY JOB to be worried about hackers.

          • Paul says:

            So then you’d know everything is vulnerable, not just Samsung and posting what you posted makes you sound like a bitter person. Companies make mistakes.

          • RB says:

            Then you should know how specific the circumstances are. Coincidentally, you’ve made it this far. Gee, I wonder how you’ll continue with your life. I mean, I’ve seen your name all over the headlines everywhere so, thank goodness no one has stolen anything from you. By the way, if you can’t tell, I’m rolling my eyes at you.

      • tjc says:

        Or just don’t update the software while on a non-secure wifi connection….

    • ADarkShadow says:

      Umm, don’t have your life on a phone?

  7. cypherdoc says:

    using a VPN on public wifi should protect me?

  8. PatrickInBama says:

    Unsecured networks are everywhere, and for the business traveler it’s a killer. You stay in a hotel that provides Wi-Fi. It could be unsecured. You sure don’t want to download big updates via data, but now you need to speak to their IT staff, since I bet the front desk won’t have a clue about this.

  9. flyslinger2 says:

    Lots of what-ifs to actually make the hack work. However, if you are silly enough to travel and use unsecured networks…oh well. I know my data is safe.

  10. mary miller says:

    Are you going to send us a new phone? This is why Metro PCS is trying to get my phone back?

    • Lori M says:

      They probably won’t; they’ll put some patch on it with a disclaimer and we’ll be left with the option to deal with the patch and hope it works, or buy a new expensive phone. I have T-Mobile and I don’t see them giving any decent credits for buying a new phone.

  11. Thank goodness I always use SwiftKey’s keyboard instead of the stock keyboard whenever I get a new Android phone. Don’t really like the stock Samsung keyboard on my Note 4. :)

    • Major Sceptic says:

      It sounds like the chances of getting hacked are pretty small; nevertheless a patch will be nice. If I read it right, your keyboard has to be updating for the hacker to gain access??? So if we disable updates on the keyboard, that should kill the risk??

  12. Latheryin says:

    Wow like most people needed another reason to remove the internet permissions on apps. Samsung thinks Knox will help? Not likely. Knox is as insecure as anything. Main reason I never fully trust 3rd party keyboards. Mainly ones preinstalled.

  13. Dana says:

    You know, if we had stuck with physical keyboards, this wouldn’t even be an issue.

    • Latheryin says:

      Agreed that is why I am really looking forward to the Blackberry android device with a slide out keyboard. Keyboard apps will never compare to a hardware keyboard.

    • Daniel Gomez says:

      Yeah, and if we had stuck with landlines, we wouldn’t have to worry about charging our phones overnight.
      That’s the worst argument I’ve ever heard for a minor issue like this.
      “You know what would be great? Going back to half the usable size we have now.”
      Phones went to full screen touch because that’s what people buy. The users decide the market. Nobody wants a giant useless keyboard.

      • Latheryin says:

        You would be amazed at the people that want a hardware keyboard back. The main reason OEMs thought that was what people wanted was the iPhone, which should never have been compared to a real smartphone. It is nothing more than a child’s learning tool that is the first step to a real smartphone.

    • Mohamad Wahba says:

      then your next move should be the BB Passport running Android L… I miss physical QWERTY keyboards.. we’re pretty close to getting them back.. cheers ✌

  14. Susan Heider says:

    Are all Samsung phones affected? I use the Swype keyboard, but other family members that have the same phone use the standard keyboard. I honestly have no clue if the standard keyboard is a SwiftKey.

  15. joe1 says:

    Private internet access VPN! you can have it on 5 devices simultaneously.

  16. Ahnaf Mahmud says:

    On my Tab 4 7.0 SM-T231 the recent firmware update removed the security update option. How will I get the fix now?

  17. dj says:

    Why don’t they just let us install the keyboard from the phone as the fix?

  18. Anon says:

    Has anyone answered the questions: 1) Exactly what has to happen on the Samsung device to trigger a language update? 2) If the language update occurs randomly on its own, how often does that occur?

  19. Raiza Bettis says:

    Hi, I just installed SwiftKey on my Samsung S5; my regular keyboard was freezing on me. With SwiftKey I can swype, but I can’t swype my password when I am unlocking the screen. Do you know why?
