Samsung promises security update to patch dangerous keyboard exploit
Samsung has promised to deliver an over-the-air security update in the coming days to patch a serious flaw with the SwiftKey keyboard baked into its Android-powered Galaxy devices.
Its announcement comes just one day after a security researcher exposed the vulnerability, which affects around 600 million Samsung handsets — including its new Galaxy S6 and S6 edge.
“Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security,” the South Korean company said in a statement issued today.
“Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days.”
Samsung has also promised that it is working with SwiftKey “to address potential risks going forward.”
What we all want to know now is this: if Samsung already knew about this vulnerability, which it did, according to security firm NowSecure, which first uncovered the exploit this week, why hasn’t it already patched it over the air via Knox?
Instead, the company is thought to have issued an update via carriers (in the U.S., at least), and it seems hardly any of them have made that available to customers as yet.
The flaw took advantage of SwiftKey’s update mechanism to allow attackers on a rogue Wi-Fi network to remotely install malicious code on Galaxy smartphones. Because SwiftKey is baked into Samsung’s firmware and runs with privileged system access, the vulnerability is even more dangerous.
Around 600 million Samsung customers are affected by it, NowSecure says, and because Samsung doesn’t allow users to uninstall SwiftKey, there is no way to disable or remove it manually. Even if SwiftKey isn’t selected as the default keyboard, the handset is still at risk.
It’s great to see Samsung is addressing this right now, but it’s a shame it didn’t do anything sooner — if indeed it could have issued a background update via Knox when it was first made aware of the flaw.