Just a few days after a researcher at the Blackhat Mobile Security Summit in London disclosed a keyboard vulnerability that put upwards of 600 million Samsung Galaxy devices at risk, Samsung announced that it plans to roll out a security fix to address the issue.
The vulnerability itself stems from the stock Swiftkey keyboard that comes pre-installed on Samsung Galaxy smartphones. That keyboard periodically checks for and downloads additional language packs, and it does not verify that what it receives actually came from the legitimate update server. Security researchers at NowSecure showed that an attacker sitting in the middle of that connection, for instance by posing as a proxy on the same network, can hand the keyboard a malicious payload in place of a language pack, which the keyboard then writes to the device with its own elevated privileges.
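The weakness described above, a client that trusts whatever the update channel hands it, is easiest to see next to a client that does not. The Go program below is an added illustration written for this article; it is not NowSecure's proof of concept and not Samsung's or Swiftkey's code. The manifest layout, the Ed25519 signing scheme, and the sample pack contents are all assumptions made for the demonstration. It models the vendor publishing a language pack, an attacker on the path replacing it, and two clients: one that only checks the pack against a hash carried in the (equally untrusted) manifest, and one that first verifies the manifest against a public key pinned in the app.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one language-pack update. This layout is an assumption
// for the example; the real keyboard's manifest format is not described here.
type Manifest struct {
	Language string `json:"language"`
	Version  int    `json:"version"`
	SHA256   string `json:"sha256"` // hex digest of the pack archive
}

// SignedUpdate is what the vendor publishes: the pack, its manifest, and an
// Ed25519 signature over the manifest bytes made with the vendor's offline key.
type SignedUpdate struct {
	Pack     []byte
	Manifest []byte
	Sig      []byte
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish builds a signed update for a language pack (vendor side).
func Publish(priv ed25519.PrivateKey, lang string, version int, pack []byte) (SignedUpdate, error) {
	m, err := json.Marshal(Manifest{Language: lang, Version: version, SHA256: digest(pack)})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Pack: pack, Manifest: m, Sig: ed25519.Sign(priv, m)}, nil
}

// Intercept models an attacker on the same network. They swap the pack and,
// because the manifest travels over the same untrusted channel, rewrite its
// hash to match. They cannot forge the signature without the private key.
func Intercept(u SignedUpdate, malicious []byte) SignedUpdate {
	var m Manifest
	_ = json.Unmarshal(u.Manifest, &m)
	m.SHA256 = digest(malicious)
	forged, _ := json.Marshal(m)
	return SignedUpdate{Pack: malicious, Manifest: forged, Sig: u.Sig}
}

// AcceptHashOnly is the weak client: it checks the pack against the hash in
// the manifest but has no way to know whether the manifest itself is genuine.
func AcceptHashOnly(u SignedUpdate) bool {
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return false
	}
	return m.SHA256 == digest(u.Pack)
}

// AcceptSigned is the hardened client: it verifies the manifest against a
// public key pinned in the app before trusting anything in it, then checks
// the pack against the now-trusted digest.
func AcceptSigned(pub ed25519.PublicKey, u SignedUpdate) error {
	if !ed25519.Verify(pub, u.Manifest, u.Sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return err
	}
	if m.SHA256 != digest(u.Pack) {
		return errors.New("pack digest does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample data for the demonstration.
	genuine := []byte("constructed language pack: en_GB dictionary v2")
	upd, _ := Publish(priv, "en_GB", 2, genuine)
	evil := Intercept(upd, []byte("constructed payload that would run with the keyboard's privileges"))

	fmt.Println("hash-only client accepts genuine:", AcceptHashOnly(upd))
	fmt.Println("hash-only client accepts tampered:", AcceptHashOnly(evil))
	fmt.Println("signed client accepts genuine:", AcceptSigned(pub, upd))
	fmt.Println("signed client accepts tampered:", AcceptSigned(pub, evil))
}
```

The hardened check holds no matter which network the device happens to be on: it relies on the vendor's private key staying offline, not on the transport being trustworthy, and it runs before a single byte of the pack is written anywhere. A hash served alongside the pack, as in the weak client, only protects against accidental corruption, since whoever can replace the pack can replace the hash too.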
As for Samsung’s fix, the company is rolling out a security policy update, and users can make sure they receive it by following the steps below:
The security policy update will be pushed to the user. The user must agree to receive the security policy update. To ensure your device receives the latest security updates, go to Settings > Lock Screen and Security > Other Security Settings > Security policy updates, and make sure the Automatic Updates option is activated. At the same screen, the user may also click Check for updates to manually retrieve any new security policy updates.
Note that this security fix will only work for Samsung devices with the KNOX security platform installed by default. To this end, Samsung notes that “all flagship models since Galaxy S4 have the KNOX security platform installed and have the KNOX platform protection enabled when you turn the device on.”
For any devices that don’t come with KNOX enabled by default, Samsung says it’s working on a firmware update that will hopefully come down the pipeline sooner rather than later.
All the same, Samsung makes a point of mentioning that the odds of the hack being carried out in the real world are quite slim.
This vulnerability, as noted by the researchers, requires a very specific set of conditions for a hacker to be able to exploit a device this way. This includes the user and the hacker physically being on the same unprotected network while downloading a language update.
So the likelihood of a successful attack exploiting this vulnerability is low. There have been no reported customer cases of Galaxy devices being compromised through these keyboard updates. But as the reports indicate, the risk does exist and Samsung will roll out a security policy update in the coming days.
Notably, NowSecure initially told Samsung about the flaw in late 2014. By March, Samsung had come up with a fix and handed it to its carrier partners. But thanks to the fragmented way Android updates reach devices, the fix apparently sat with the carriers, who never pushed it out to end users. Samsung didn’t press the matter, and the issue was largely forgotten until NowSecure publicly disclosed it earlier this week.
As for who’s ultimately to blame, TechCrunch notes that all roads lead back to Samsung, not Swiftkey.
“Our sources have told us that Samsung ‘screwed up’ how they implemented Swiftkey’s SDK into their keyboard,” TC writes. “Why? Because they crazily gave the keyboard system level permissions.”