Some six hundred million Android smartphones are affected by a simple way to hack them unnoticed. The SwiftKey keyboard app that Samsung builds in opens a sneaky hole. A reconstruction.
Samsung has shipped SwiftKey built into many of its Android phones since 2013. This addition gives malicious hackers the ability to break into Android smartphones without users having to click on anything. Timing and luck are crucial: the initial vulnerability is only exposed when the built-in soft keyboard happens to request an update, or when the device is rebooted.
Versatile vulnerability
By intercepting this event at the right moment through a man-in-the-middle (MitM) attack, attackers can execute their own code on vulnerable devices. They can then eavesdrop on, track, monitor and take over those devices entirely. The sensors of hacked devices are accessible, and apps can optionally be installed as well. This big hole was unveiled last week by security company NowSecure, which had already reported the issue late last year to device manufacturer Samsung and Android maker Google.
The South Korean manufacturer of Android handsets handed patches for Android 4.2 and later to telecom companies in late March of this year. However, not all mobile operators have passed these fixes on to all users of vulnerable Samsung smartphones. NowSecure tested devices last week and found them vulnerable. Furthermore, according to the security researchers, the built-in SwiftKey cannot be uninstalled, and switching off the keyboard does not make the vulnerability go away.
Advice: Avoid unfamiliar Wi-Fi
The discoverers at NowSecure advise users to avoid unprotected Wi-Fi networks, to use another phone and to ask their telecom providers for patches. The vulnerable devices are Samsung’s top-selling Galaxy S4, the derivative Galaxy S4 mini, the flagship Galaxy S5 and the latest flagship device, the Galaxy S6, including the S6 Edge variant.
A few days after the vulnerability was publicly revealed, SwiftKey and Samsung took action. Both have published blog posts about the issue; SwiftKey’s was abruptly taken offline and later republished in modified form. In comments under its blog post, SwiftKey advises caution with unfamiliar Wi-Fi networks. However, it does not recommend temporarily using other devices.
Samsung promises to release a patch within a few days and to actively push it to affected devices, independently of the telcos. The over-the-air (OTA) push is done through Samsung’s enterprise security software Knox, which ships as standard on all flagship models since the Galaxy S4, says the vendor. For devices that do not have Knox on board as standard, Samsung is still working on an accelerated firmware update, to be released after testing and approval.
Samsung at fault
SwiftKey stresses that the vulnerability does not apply to its regular apps in Google Play (for Android) and the Apple App Store (for iOS). NowSecure explains that the fault lies in the implementation by Samsung, which SwiftKey confirmed in the original blog post that was later cleaned up. “We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way in which this technology was integrated on Samsung devices introduced the security vulnerability,” the initial blog post said.
SwiftKey states that it is doing everything it can to help its partner Samsung resolve this important security issue. The company also provided the quoted statement to various media. However, there is no mention of which party bears the responsibility for introducing the vulnerability.
Two basic errors
The SwiftKey keyboard that Samsung builds in as standard contains two fundamental errors, NowSecure reported in a technical blog post. Firstly, the soft keyboard is digitally signed by the phone maker with its own key and is preinstalled with far-reaching system privileges. It runs as the system user (uid 1000), which on Android is just short of root and has write access to large parts of the file system.
Secondly, SwiftKey uses an automatic and completely unprotected update mechanism. It downloads language extensions and additional languages for the keyboard in plain text. These updates are packaged in an ordinary zip file that is validated, but in an unsafe manner: the contents and SHA1 hash of the compressed file are passed before the download in a manifest file that is simply readable text.
Because of this series of missteps, the update of the integrated keyboard app can be eavesdropped on, analyzed and then abused. Because Samsung wrongly granted the keyboard system privileges, that abuse amounts to a fundamental threat to the entire device. No user interaction is necessary. An attacker does not need to serve victims a cunningly crafted phishing mail with a malware attachment or a malicious link.
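The manifest check described above, as an added Go example that is not NowSecure's, Samsung's or SwiftKey's code: `WeakAccept` trusts a hash taken from an unauthenticated manifest, while `StrictAccept` first requires a signature made with a key pinned in the client. The `Manifest` fields, the function names and the choice of Ed25519 and SHA-256 are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

type Manifest struct{ File, SHA1, SHA256 string } // constructed stand-in; field names are assumptions

// WeakAccept mirrors the flaw: the hash comes from a manifest that arrived unauthenticated.
func WeakAccept(manifest, archive []byte) bool {
	var m Manifest
	if json.Unmarshal(manifest, &m) != nil {
		return false
	}
	sum := sha1.Sum(archive)
	return hex.EncodeToString(sum[:]) == m.SHA1
}

// StrictAccept verifies a signature over the manifest with a pinned key before trusting its hash.
func StrictAccept(pinned ed25519.PublicKey, manifest, sig, archive []byte) bool {
	var m Manifest
	if !ed25519.Verify(pinned, manifest, sig) || json.Unmarshal(manifest, &m) != nil {
		return false
	}
	want, err := hex.DecodeString(m.SHA256)
	sum := sha256.Sum256(archive)
	return err == nil && bytes.Equal(want, sum[:])
}

// BuildManifest returns a manifest whose hashes match the given archive.
func BuildManifest(archive []byte) []byte {
	s1, s2 := sha1.Sum(archive), sha256.Sum256(archive)
	b, _ := json.Marshal(Manifest{"pack.zip", hex.EncodeToString(s1[:]), hex.EncodeToString(s2[:])})
	return b
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	good, swapped := []byte("constructed genuine pack"), []byte("constructed replaced pack")
	sig := ed25519.Sign(priv, BuildManifest(good))
	fmt.Println(WeakAccept(BuildManifest(swapped), swapped))             // true
	fmt.Println(StrictAccept(pub, BuildManifest(swapped), sig, swapped)) // false
	fmt.Println(StrictAccept(pub, BuildManifest(good), sig, good))       // true
}
```

A hash only proves that the archive matches the manifest; when both travel over the same unauthenticated channel, the check holds for whatever pair arrives.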
MitM and specific timing
An attacker who wants to hack Android devices this way does have to intercept the victims’ Internet traffic. This is done through a MitM attack, in which the attacker takes up a position in the traffic between users and the Internet. Such a MitM attack is easy to perform on local Wi-Fi networks, especially if they are unsecured. An attacker can then send their own “updates” to SwiftKey and use them to intrude on the Android system.
In the statement that was taken offline, SwiftKey still reassures readers that the Samsung vulnerability is not easy to abuse. A user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools then lies in wait to gain access to a vulnerable device, the app maker explains. “That access is possible only if the user’s keyboard is performing a language update at that particular time, while it is connected to the compromised network.” But abuse through DNS hijacking or packet injection is also possible, tech blog Ars Technica notes.
In a follow-up post about detection and prevention of this vulnerability, NowSecure states that the abuse is actually easy to commit. In addition, the security company notes that the soft keyboard seems to run an update check every eight hours and that patches have not been widely deployed. “We have not seen a patched device.”
The vulnerability in Samsung’s Android smartphones was demonstrated earlier this month at the Black Hat security conference and was previously recorded in this video:

