How to hijack MILLIONS of Samsung mobes with man-in-the-middle diddle

Touchscreen keyboard update leaves handsets vulnerable to remote-code execution


Samsung smartphones can be hijacked, infected with malware, and remotely controlled by malicious Wi-Fi hotspots in cafes, hotels, and so on, security researchers claim.

According to the bods at NowSecure, millions of handsets have a remote-code-execution vulnerability rooted in a software design flaw. Until a fix arrives, the only workarounds are to avoid untrusted wireless networks, to route all traffic through a VPN to a trusted network, or simply to use another phone.

Essentially, NowSecure claims, the touchscreen keyboard app bundled with Samsung Galaxy S6, S5, S4 and S4 Mini handsets updates itself automatically by downloading a ZIP archive of replacement files from the internet over an unencrypted HTTP connection.

It makes no attempt to verify the authenticity of that archive, it's claimed, so anyone in control of the network the phone is on, such as the operator of a rogue Wi-Fi hotspot, can intercept the download and hand the phone a malicious archive instead.

The update process runs with system-level access. It unpacks the ZIP without checking the paths of the entries inside, so entry names containing ../ sequences escape the intended directory, and it does so with full read-write permissions on the device's file system. A malicious archive could therefore overwrite arbitrary files on the handset, replacing installed software with malware or simply causing havoc, we're told.

The ZIP archive is downloaded from...

http://skslm.swiftkey.net/samsung/downloads/v1.3-USA/az_AZ.zip

...and if, for example, it contains a file with the full filename...

../../../../../../../../data/payload

...then, when unpacked by the update process, it will create a system-owned file in the directory /data:

$ su -c "ls -l /data/payload"
-rw------- system   system          5 2014-08-22 16:07 payload

Which is bad.
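What the design flaw boils down to, as an added example that is not NowSecure's exploit or Samsung's code: a minimal Python updater that mirrors the two mistakes described above (no authenticity check on the downloaded archive, and extraction that joins each entry name straight onto the target directory) next to a hardened version that refuses unauthenticated archives and any entry whose resolved path lands outside the extraction directory. The sandbox directory, the key, the entry names and the archive contents are all constructed for the demonstration; the hardened version uses an HMAC over the archive as a stand-in for the signature a real updater should verify.

```python
import hashlib
import hmac
import io
import os
import tempfile
import zipfile

# Constructed stand-in for a vendor release-signing key. Assumption: a real
# updater would verify an asymmetric signature over the archive; an HMAC with
# a shared key shows the same "is this archive authentic?" gate with less code.
VENDOR_KEY = b"example-vendor-release-key"


def build_update(entries):
    """Build an in-memory ZIP from {entry_name: bytes}. Entry names are NOT
    sanitised, so "../" sequences survive, exactly as in a crafted archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sign_update(archive, key=VENDOR_KEY):
    """Detached authenticator the server would publish alongside the archive."""
    return hmac.new(key, archive, hashlib.sha256).hexdigest()


def unsafe_extract(archive, dest):
    """Mirror the flawed updater: trust the download and join each entry name
    straight onto dest. Returns the real paths that were written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            path = os.path.join(dest, info.filename)   # no containment check
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.realpath(path))
    return written


def safe_extract(archive, dest, signature, key=VENDOR_KEY):
    """Hardened updater: refuse unauthenticated archives, and refuse any entry
    whose resolved path would land outside dest. All entries are vetted
    before anything is written, so a bad archive leaves no partial state."""
    if not hmac.compare_digest(sign_update(archive, key), signature):
        raise ValueError("archive failed authenticity check")
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        targets = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError("entry escapes extraction dir: %r" % info.filename)
            targets.append((info, target))
        for info, target in targets:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
    return [t for _, t in targets]


def _rejects(fn):
    """True if fn() raises ValueError (i.e. the hardened updater refused it)."""
    try:
        fn()
    except ValueError:
        return True
    return False


def demo():
    """Run both extractors inside a throwaway sandbox standing in for the
    handset's filesystem root; returns a dict of observations."""
    with tempfile.TemporaryDirectory() as sandbox:
        root = os.path.realpath(sandbox)
        dest = os.path.join(root, "sys", "app", "update")  # where the updater unpacks
        os.makedirs(dest)

        # Constructed attacker archive: three "../" climb from dest back to root.
        evil = build_update({"../../../data/payload": b"pwned"})
        # Constructed legitimate archive with an ordinary relative entry.
        good = build_update({"dict/az_AZ.dat": b"dictionary data"})

        landed = unsafe_extract(evil, dest)[0]
        return {
            "unsafe_wrote_outside_dest": landed == os.path.join(root, "data", "payload"),
            "unsigned_rejected": _rejects(lambda: safe_extract(evil, dest, "0" * 64)),
            "signed_traversal_rejected": _rejects(
                lambda: safe_extract(evil, dest, sign_update(evil))),
            "signed_benign_accepted": safe_extract(good, dest, sign_update(good))
                == [os.path.join(dest, "dict", "az_AZ.dat")],
        }


if __name__ == "__main__":
    print(demo())
```

The containment check uses os.path.realpath before comparing against the extraction root, so it also catches symlinked directories and absolute entry names, not just literal ../ components; the authenticity check runs first, so a MITM on an HTTP download is stopped before any entry name is even looked at.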

The system keyboard app cannot be uninstalled, and even if it is deactivated and replaced by another on-screen keyboard, it continues to run its update process in the background, with full system privileges, every so often. Switching keyboards therefore does not remove the exposure.

"It’s unfortunate but typical for OEMs and carriers to preinstall third-party applications to a device," NowSecure researcher Ryan Welton wrote in a blog post. "In some cases these applications are run from a privileged context. This is the case with the keyboard on Samsung."

"This vulnerability is specific to Samsung devices, and we have observed it as far back as Android 4.2 and possibly even farther back," a spokesman for NowSecure added to The Register.

SwiftKey provided the software at the heart of Samsung's system keyboard, and said its standalone keyboard apps are not vulnerable.

"We’ve seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK," a spokesperson told El Reg on Tuesday.

"We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability."

NowSecure has published a proof-of-concept exploit that it says will execute code remotely on affected handsets. There is no patch for the vulnerability.

"Unfortunately, the flawed keyboard app can’t be uninstalled or disabled," said Welton. "Also, it isn’t easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update."

Samsung was not available for comment. ®
