Samsung says it is working on a fix for a potential security vulnerability found in the keyboard app of its Galaxy line of smartphones and expects to roll out a security policy update in the next few days.
The company announced the coming fix in a June 18 post on the Samsung Tomorrow Blog and said that no customers had reported any device attacks due to the issue as of June 16, when reports about the issue began to surface.
“Samsung takes all security threats very seriously,” the company said in its post. “There have been reports that there is a vulnerability when keyboard updates are carried out on Galaxy devices. We are aware of this issue and are committed to providing the latest in security on all of our devices.”
The vulnerability, known as CVE-2015-2865, was first reported by security firm NowSecure. NowSecure published a detailed technical analysis on the issue, which is a flaw in how the Swiftkey keyboard app validates language pack updates. The Swiftkey keyboard is installed by default in Samsung’s Galaxy phones.
According to NowSecure, Swiftkey periodically checks by design for language pack updates over HTTP. “By intercepting such requests and modifying the necessary fields, an attacker can write arbitrary data to vulnerable devices,” according to an alert about the issue.
Some 600 million Galaxy devices could be affected by the reported vulnerability, according to NowSecure.
Samsung said in its blog post that the vulnerability requires a very specific set of conditions for a hacker to be able to exploit a device, including that the phone user and the hacker have to be on the same unprotected network while downloading a language update. Samsung also said that its flagship Galaxy smartphones since the Galaxy S4 have the KNOX security platform installed and enabled and that it provides additional capabilities such as real-time kernel protection that can prevent a malicious attack from being effective.
Samsung said “the likelihood of making a successful attack [and] exploiting this vulnerability is low,” but that it will soon unveil a security policy update to correct it. “In addition to the security policy update, we will continue to work with related parties, such as SwiftKey, to address potential risks going forward,” the company said in the post. “Samsung KNOX has the capability to update the security policies of our devices, over-the-air, to invalidate potential vulnerabilities caused by this issue.”
When the updates are completed and made available, they will be automatically pushed out to Galaxy smartphone users, according to Samsung. The users, however, must agree to receive the security policy update on their phones for it to be installed.
To ensure that this occurs, Samsung is asking Galaxy phone users to check their phone’s settings to be sure that their devices are set to accept automatic updates. Users can go to Settings > Lock Screen and Security > Other Security Settings > Security policy updates where they can then confirm that the Automatic Updates option is activated. At the same screen, the user may also click Check for updates to manually retrieve any new security policy updates.
Samsung said it is also working on an expedited firmware update to address the vulnerability on earlier Galaxy devices that don’t come with KNOX by default. That update will be announced when it is ready, according to the company.
NowSecure said that if an attacker exploits the SwiftKey flaw, they could access the phone’s camera, secretly install apps and access user data. NowSecure said it informed Samsung of the issue in December 2014, giving the company plenty of time to resolve the issue.
