Yesterday, a report stole headlines with talk of 600 million+ Samsung devices being vulnerable to a security flaw. The security flaw was tied to Samsung’s use of Swiftkey’s keyboard technology in most of their phones, including the recently launched Galaxy S6. The headline certainly looks scary, but understand that the chances of your phone being hacked are pretty damn slim. This also isn’t a Swiftkey issue, in case you were wondering; it’s a slow carrier update rollout or Samsung issue.
So the security vulnerability goes something like this. Your Samsung phone goes through a language update for its stock keyboard (which again, is powered by Swiftkey). During this process, a sneaky little hacker looks over your shoulder, notices that you are dumb enough to attach yourself to an insecure (or “rogue”) WiFi network that he/she likely set up to do hacker things on, and then starts doing hacker things that involve “modifying upstream traffic” while you update to gain access to your phone. Assuming all of those steps align and are timed precisely as you update, this hacker could then access your GPS, camera, or microphone, install malicious apps, eavesdrop on calls, and attempt to access your pictures and text messages.
Not to downplay the security bug, but man, that sounds like a lot of sh*t aligning at once (a perfect storm of sorts) in order for someone to hack your phone. Still, it’s an issue.
So who is at fault and is anyone going to fix this crap? Probably everyone, and yes.
Samsung was apparently notified of the issue months and months and months ago by NowSecure, the group who identified the vulnerability, and claims to have sent patches to carrier partners. Of course, carriers are slow at rolling out updates or Samsung is lying through their teeth, so phones as recently as last week were tested and exploited. That’s not good. We can only assume that updates are coming. They should be coming. Please, Samsung, just come out and say that they are coming.
What does Swiftkey have to do with this? Not much, actually.
Swiftkey, in a statement posted this morning, says that Samsung is really at fault here for the way they have implemented Swiftkey’s keyboard technology in their phones. Still, they are working with Samsung to fix this issue, assuming Samsung hasn’t already fixed it. As for the consumer apps from Swiftkey, you have nothing to worry about. This issue has nothing to do with the Swiftkey keyboard apps on Google Play or the App Store – it’s a Samsung keyboard thing.
First off, people not familiar with Swiftkey are reporting all over the place that the “Swift keyboard” on Samsung phones is vulnerable. Just know that these fools mean Swiftkey, except that we just told you Swiftkey isn’t the problem, it’s how Samsung integrated their tech into their stock Samsung keyboard.
Second, there is an issue here, but it would be insanely difficult for your phone to get hacked. Carriers supposedly have a fix, though, so we can only assume they will push this bad boy through faster now that it has made headlines for two days.
Finally, until you get a security patch (which we will do our best to post about as it rolls out), stay off of insecure, “rogue” hacker-friendly public WiFi hotspots and networks. Seriously, why would you want to hop on one of those anyway? And if you do, don’t update the language pack on your Samsung phone.
Update June 17: Samsung had this to say.
“Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security. Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with Swiftkey to address potential risks going forward.”
So all of that nonsense about them patching it ages ago and carriers being slow was, well, nonsense. Samsung hasn’t issued anything. But, now they will, since it got enough publicity! That’s kind of scary and embarrassing if that’s truly how they operate with security vulnerabilities.