Pew, pew, pew! Sammy shoots out updates to plug mobile keyboard snooping bug

Samsung has promised to deploy updates to resolve a serious mobile keyboard snooping bug, with security policy fixes expected in the coming days, the company said on Thursday – while simultaneously downplaying the issue. As previously reported, researchers at security firm NowSecure warned that a problem involving the keyboard …

  1. Anonymous Coward

    "This includes the user and the hacker physically being on the same unprotected network while downloading a language update."

    Such as both the user and the attacker being 'on the Internet'?

    1. John G Imrie

      I think he means subnet.

      So both being connected through the same wifi hot spot will do.

      1. Anonymous Coward

        "I think he means subnet."

        I don't think he did.

        1. MrFrizzle

          RE: I don't think he did

          If you read any of the articles on the exploit he definitely did. You need to be on the same unprotected network, as in a Wi-Fi Hotspot.

    2. Anonymous Coward

      "Such as both the user and the attacker being 'on the Internet'?"

      No, the attacker must have control of either a gateway, transparent proxy, DNS server, etc. between the target and the update server. This is why this is more of a threat on dodgy WiFi networks where setting this up would be easy for a technically literate person.

      While we're both 'on the Internet', you are using all of the above from your ISP and I'm using them from mine, so there is no way we can interfere with each other.

      That said there is nothing stopping someone at our ISPs interfering with either of us.

    3. SuccessCase

      "Such as both the user and the attacker being 'on the Internet'?"

      Actually the AC is perfectly correct and Samsung have given out bad/misleading advice. What Samsung should have said is that there must be another compromised device on the same network/subnet - quite significantly different to saying the attacker has to be on the same subnet or network. Attacks by any miscreant hacker worth his salt are almost always conducted using proxy devices and there are plenty of bad/old routers that can be exploited and/or compromised and run remotely and left waiting for a Samsung phone to join. To describe such a common scenario as the attacker having to be on the same network is at best misleading spin (most likely), at worst revealing of a worrying ignorance on Samsung's part. A release relating to a security compromise is no place for spin or propaganda.

  2. This post has been deleted by its author

    1. Lee D Silver badge

      Your devices getting updates depend on your carrier re-jigging them and pushing them. Blame your carrier. This is why Kies works - because that's the Samsung update mechanism. Samsung have no direct control on if/when/how your carrier pushes published updates to your phone.

      Security policy updates are pushed all the time, however. It's an option in the menus for Samsung Android devices. It happens in the background and - I believe - is basically SELinux profiles.

      That the device does not update from non-Windows? That's an issue but that's true of basically EVERYTHING. Try and reinstall/update/unlock an iPhone from anything other than a Mac, for instance.

      1. This post has been deleted by its author

      2. Anonymous Coward

        The fact that Samsung has little control over their own updates highlights a glaring weakness with Android - one never knows whether they will get the updates pushed by Samsung. Consider the number of people who are eligible for Android upgrades but never get them. This fractured system Google has created is annoying at best & dangerous at worst. Google seriously needs to rethink the way Android & its updates are controlled. The present system clearly isn't working.

        1. Law

          "The fact that Samsung has little control over their own updates highlights a glaring weakness with Android - one never knows whether they will get the updates pushed by Samsung"

          Except this isn't an android issue, same way it isn't a Swiftkey issue - it's a Samsung issue. Samsung made sloppy decisions when integrating third party software, Samsung are the ones who network and region lock device updates, and Samsung are the ones who decide to drop supporting year old phones.

          Samsung have complete control over their updates... in reality they've spent a good amount of resources to add the capability to their update system to pick and choose which ones your phone will install - based on decisions like if it's signed by the operator that owns the phone, what region your phone is from, etc... rather than Samsung not having enough control, to get the utopia you're suggesting in android land we'd need less control - no 3rd party keyboards, updates to google keyboard pushed out by the only allowable app store on android (play store). Not just keyboard... we'd need it for everything - one unified platform that manufacturers are not allowed to skin / modify in any way other than that sanctioned by google. But then we have things like that, they're called iPhone, and to a lesser degree, WinPhones.

    2. John Robson Silver badge

      @1980s_coder

      Either you're vulnerable since your keyboard downloads updates, and it will be autopatched, or you're not because it doesn't and it doesn't matter...

      1. This post has been deleted by its author

        1. John Robson Silver badge

          @1908s_coder

          No - I feel your pain (still have Android 2.3 on my phone)

          But *in this case* the cure is actually likely to be applied via the vulnerability - so it should self close pretty quickly.

    3. Michael Wojcik Silver badge

      Samsung just tell me to use Kies to update it myself. Right. Where is the OpenBSD version of Kies?

      Certainly, there doesn't seem to be any reason why Samsung couldn't make updates available as APKs[1] for download using Plain Old HTTP, so tech-savvy users who don't have a Windows system handy could upgrade from Linux, BSD, etc. I'm not expecting them to port Kies to *ix platforms, but then I wouldn't expect most *ix users to want that anyway.

      Unfortunately the economic incentives are all against providing decent support for smartphones. Root-and-flash seems to be the best option for people with the requisite knowledge and time.

      [1] Or whatever format is appropriate for the update in question.

  3. Anonymous South African Coward Bronze badge

    Quite easy to spoof DNS and have the keyboard software update itself from a malicious server...

    One of the many reasons why I'm going to ditch Samsung and look at something different. (Not Apple or Microsoft/Nokia).

  4. chasil

    Amateurs

    They really used near-root powers to blind-download and extract a .ZIP, allowing full directory traversal into the Java cache.

    This is a stunning security standards lapse. Samsung phones cannot be trusted. Code this bad should not be sold.

    1. Michael Wojcik Silver badge

      Re: Amateurs

      Plenty of professionals make equally serious and dumb security mistakes in software every day.

      Directory traversal attacks, as an example, are common enough to merit specific mention in Howard et al.'s The 19 Deadly Sins of Software Security (under Sin 14, "Improper File Access"; note the book has since been upgraded to 24 sins). That means they're very common indeed.

      "Code this bad should not be sold"

      True. Unfortunately that leaves us with very little software that should be.

  5. Andrew Tyler 1

    One of my old PC keyboards had something like this.

    Seemed like a bad idea, so I disabled it, but anyone who got that info would be guessing that my password was WASD anyways.

  6. eitancaspi

    This issue can be solved using a simple workaround if the device is rooted - see here:

    http://fudie.net/how-to-protect-yourself-from-the-samsung-keyboard-vulnerability-in-android-devices/
