The Samsung Galaxy S4, S5, and S6 are vulnerable to near-complete takeover due to a flaw in the code that authenticates keyboard updates.
What’s the worst that could happen?
According to the official report from the researchers who discovered the flaw (which is worth reading, BTW):
If the flaw in the keyboard is exploited, an attacker could remotely:
- Access sensors and resources like GPS, camera and microphone
- Secretly install malicious app(s) without the user knowing
- Tamper with how other apps work or how the phone works
- Eavesdrop on incoming/outgoing messages or voice calls
- Attempt to access sensitive personal data like pictures and text messages
This is just a drop in the bucket. If a hacker can do these 5 things, he can do a whole lot more. If he’s particularly destructive he can wipe your phone. Or collect the passwords you type. Or rack up SMS charges to paid text services.
How can a keyboard bug open up my phone to total takeover?
Here’s what’s wrong: The phones periodically ask their home base if there is a code update for the keyboard. If there is, the phone downloads and installs it. Big deal? Well, it’s a big deal if somebody intercepts that message and pretends to be your carrier’s home base – something that is trivial to do if you are on an unprotected WiFi network.
The attacker can then install whatever code they want. It doesn’t have to be keyboard code. It can be erase-your-phone code, or modified keyboard code that reports back to the hacker everything you type (such as passwords).
It doesn’t matter if you use a third-party keyboard app instead of Samsung’s. The old Samsung keyboard code is still there and will still ping for updates.
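As an added illustration (not code from this post or from Samsung) of the check the vulnerable update path lacked, here is a Go sketch of an update client that only accepts a keyboard update that was fetched over HTTPS and whose signature verifies under a public key pinned in the firmware. The Ed25519 key type, the package layout and the URLs are assumptions; the post does not describe the real update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// UpdatePackage is a constructed stand-in for a keyboard (IME) update as the
// phone receives it from the network: the code blob plus a detached signature.
type UpdatePackage struct {
	Code      []byte
	Signature []byte
}

// VerifyUpdate is the check the vulnerable client lacked: the package is only
// accepted if (1) it was fetched over TLS and (2) its detached signature
// verifies under a public key baked into the phone's firmware. A man-in-the-
// middle who spoofs the update server can forge the response but not the
// signature, so substituted code is rejected before anything is installed.
func VerifyUpdate(pinnedKey ed25519.PublicKey, src string, pkg UpdatePackage) error {
	u, err := url.Parse(src)
	if err != nil || u.Scheme != "https" {
		return errors.New("update must be fetched over https")
	}
	if !ed25519.Verify(pinnedKey, pkg.Code, pkg.Signature) {
		return errors.New("signature does not verify under the pinned vendor key")
	}
	return nil
}

// SignUpdate models the vendor's offline signing step (hypothetical: the post
// does not describe Samsung's real update format or key type).
func SignUpdate(priv ed25519.PrivateKey, code []byte) UpdatePackage {
	return UpdatePackage{Code: code, Signature: ed25519.Sign(priv, code)}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := SignUpdate(priv, []byte("constructed keyboard update v2"))
	fmt.Println("genuine:", VerifyUpdate(pub, "https://updates.example/ime", genuine))
	// A spoofed server can swap in other code but cannot produce a valid signature.
	forged := UpdatePackage{Code: []byte("constructed substituted code"), Signature: genuine.Signature}
	fmt.Println("forged:", VerifyUpdate(pub, "https://updates.example/ime", forged))
	fmt.Println("plain http:", VerifyUpdate(pub, "http://updates.example/ime", genuine))
}
```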
Come on, I’m not going to be hacked, am I?
No, you won’t be hacked. Just like you’ll never be the victim of a local theft or act of violence. It always happens to the other guy. Until you are the other guy.
People forget that the internet removes the obstacle of physical proximity. A hacker can be anywhere in the world, still access a suitably compromised router (there are millions), and wait for a Samsung Galaxy S4, S5, or S6 to show up and check for a keyboard update. It is very possible to automate the process.
What can you do?
There are 3 things you can do to prevent a hacker from using the Samsung Galaxy S4, S5, S6 keyboard vulnerability to take over your phone:
- Turn off WiFi on your phone. Keep it turned off until you know you are in the presence of a secure network connection. Use the 4G connection to access data instead.
- When you connect to a secure network, go to the WiFi settings screen and long-tap to delete any other saved networks. If you ever connected via a generic, unsecured network before (like one named Linksys), your phone remembers the name. All a hacker has to do is present his own compromised, generically-named router and your phone could automatically connect.
- Use a Virtual Private Network (VPN) when using public WiFi. These are services that can be had for $40-$75/year and ensure all of your WiFi traffic is encrypted so that no eavesdropper can intercept or snoop on it. Later this year I’ll be demonstrating how to set up your own VPN with a spare computer.
- Contact your carrier and ask when this will be fixed on your phone. Samsung released a patch in early 2015, but very little information exists as to which phones have been updated. Carriers just don’t take Android-related fixes and send them out when they get them. Carriers first go through a whole battery of testing to make sure nothing else was broken.
- Get a new phone. Not recommended if you are just going to sell or give your phone away since it pushes the problem to someone else who is not informed. Plus it’s expensive.
As the Naked Security blog explains (also well worth reading):
The silver lining, if that’s not too strong a way to describe it, is that a crook can’t exploit this hole just whenever he likes: you have to be on his dodgy network when an IME update happens, and he has to notice in time to jump in as a man-in-the-middle.
However, I think that with a lot of hard work, much of the waiting around for an IME update can be automated and spoofed. Don’t take any chances.