Samsung's keyboard app, a customised version of the SwiftKey app that runs on the Samsung Galaxy S4, S5 and S6, has a problem, in the sense that some bad people will be able to do pretty much anything with your phone. All because Samsung's developers saw fit to run the app with root privileges, something that does not happen in other Android implementations.
The flaw, discovered by Ryan Welton, a researcher at the cybersecurity firm NowSecure, lets attackers wreak havoc on Samsung mobile device models. It can give a hacker covert control over a phone’s microphone and camera, access to text messages, and the ability to download malicious apps, among other things.
The issue arises from a defect in the software updater for Samsung’s default virtual keyboard, a customized version of the word-prediction technology developed by SwiftKey. When a device downloads a language pack update, any man-in-the-middle attacker—a bad actor positioned on the same network as the user—can swap out the real file with malware, thus compromising the device.
Samsung Galaxy S phones, including the S4 Mini, S4, S5, and S6, are pre-installed with a version of Swiftkey keyboard that is signed by Samsung to operate with system privileges. By design, Swiftkey periodically checks for language pack updates over HTTP. By intercepting such requests and modifying the necessary fields, an attacker can write arbitrary data to vulnerable devices.
According to a report by Ars Technica, SwiftKey has confirmed the SwiftKey Keyboard app available on Google Play and Apple App Store is not affected and is different from the Samsung implementation included on phones.
A remote, unauthenticated attacker conducting a man-in-the-middle attack may be able to write arbitrary data to vulnerable devices checking for updates. Depending on the frequency of Swiftkey update checks, such an attack may have a low likelihood of occurring.
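As an added example, not taken from this post or from any of the sources it quotes: a Go sketch of the difference between installing whatever a plaintext update fetch returns and accepting a language pack only when a detached Ed25519 signature verifies under a public key pinned in the app. The key pair, the pack bytes and the function names are constructed for the example; the page does not describe Samsung's actual fix, and the pinned-signature design is an assumption about what a fix would look like.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed stand-in for a vendor signing key. In a real build only the
// public half (vendorPub) would be compiled into the keyboard app; the private
// half stays on the update-signing infrastructure.
var vendorPub, vendorPriv, _ = ed25519.GenerateKey(rand.Reader)

// signPack is what the legitimate update server would do before publishing
// a language pack: produce a detached signature over the pack bytes.
func signPack(pack []byte) []byte {
	return ed25519.Sign(vendorPriv, pack)
}

// installUnverified models the weak pattern described above: the bytes that
// arrive over plain HTTP are handed straight to a privileged component, so
// anyone who can alter the response controls what gets installed.
func installUnverified(pack []byte) ([]byte, error) {
	return pack, nil
}

// installVerified accepts a pack only if its detached signature verifies
// under the pinned public key. HTTPS would still be wanted on top, but even
// over plain HTTP a swapped file now fails here instead of being installed.
func installVerified(pack, sig []byte) ([]byte, error) {
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(vendorPub, pack, sig) {
		return nil, errors.New("language pack rejected: signature does not verify under pinned vendor key")
	}
	return pack, nil
}

func main() {
	genuine := []byte("constructed language pack v1")         // constructed sample payload
	sig := signPack(genuine)                                   // published alongside the pack
	swapped := []byte("constructed replacement payload")      // what a tampered response would carry

	if _, err := installVerified(genuine, sig); err == nil {
		fmt.Println("genuine pack: accepted by verified installer")
	}
	if _, err := installUnverified(swapped); err == nil {
		fmt.Println("swapped pack: accepted by unverified installer (the flaw)")
	}
	if _, err := installVerified(swapped, sig); err != nil {
		fmt.Println("swapped pack:", err)
	}
}
```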
Of course, it does not help to use other keyboard apps either, such as Google Keyboard, because:
The default keyboard program checks for updates automatically, so even people who use other keyboard apps are vulnerable.
The original SwiftKey app is not vulnerable:
SwiftKey pointed out in a statement that its other apps are unaffected by the exploit, and that the current vulnerability—labeled CVE-2015-2865 in the industry’s taxonomical parlance—takes a bit of skill and a lot of good timing to pull off: “a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”
Naturally, there are also some tips on how you can protect yourself. The best one is the second: “Use a different phone”.
For now, NowSecure recommends that users of Samsung Galaxy smartphones affected by the bug (a list of the vulnerable models can be found here) should:
– Avoid insecure Wi-Fi networks
– Use a different mobile device <-- :):):)
– Contact carriers for patch information and timing

The third piece of advice cannot be taken seriously. Imagine calling Orange, Vodafone or whoever you like and asking when they plan to release an update for a mobile phone they sold, carrier-locked, themselves.