- July 03, 2015
- Info notes
A vulnerability impacting a large number of Samsung mobile devices was disclosed mid-June by Ryan Welton (NowSecure). According to NowSecure, there are over 600 million vulnerable devices, including several Samsung Galaxy S4, S5, S6, and S4 mini smartphones across various mobile network carriers.
The origin of the problem is a keyboard application known as SamsungIME, which is pre-installed on the devices, cannot be disabled or uninstalled, and runs as the privileged "system" user. This application was built around a Software Development Kit (SDK) provided by SwiftKey.
Both Samsung and SwiftKey were quick to point out that even though a large number of devices are affected by this vulnerability, the associated risk is limited in the sense that it would not be easy for an attacker to be in the position to exploit it. For an attack to take place, the attacker would require the ability to intercept and inject network traffic through a man-in-the-middle (MitM) attack while the device is booting, or while the application is performing a language update.
Despite the low probability for such an attack to occur, its impact may be severe. By exploiting this vulnerability, the attacker could perform several tasks remotely such as: gain access to sensors and resources like GPS, camera and microphone; install malicious apps without the user's consent; eavesdrop on incoming/outgoing messages or voice calls; and gain access to sensitive personal data like pictures and text messages.
NowSecure also published a detailed technical description, including a proof of concept exploit outlining how this vulnerability can allow an attacker to obtain remote code execution capabilities as a privileged system user. The exploit takes advantage of the update mechanism adopted by the keyboard application. During a standard update the device sends a request to the SwiftKey server. The server then returns a zip file with the updated package, which is extracted on the file system with system privileges. However, during an attack:
- The attacker sets up a MitM attack with the ability to intercept and inject data into the victim's network traffic;
- The victim's device boots up or performs a keyboard language update, triggering a request to the SwiftKey server;
- This request is intercepted by the attacker and the response is sent from the attacker's machine instead of the SwiftKey server;
- The response contains the malicious package that is sent to the device;
- The device extracts the malicious package on the file system with system privileges.
The standalone SwiftKey keyboard app available on the App Store or Google Play is not vulnerable to this attack.
As mentioned above, non-Samsung devices with SwiftKey installed from the store are not vulnerable to this form of attack. This is due to a difference between the store app and the Samsung system keyboard: Samsung chose to give the keyboard update process high privileges. It is this choice which makes the vulnerability so severe.
What is also significant is that while Samsung was alerted in November 2014, and rolled out patches to some carriers in early 2015, SwiftKey claims to have learned about the vulnerability on 17th June 2015.
This case shows how complicated the relationship between developers and software integrators can be in the face of security issues.
The SwiftKey software must update its data from time to time but does so over an unauthenticated channel. The result is that an attacker can perform a MitM attack to tamper with the update data. In the SwiftKey case, the worst that probably could happen is a Denial of Service by making the keyboard unusable. However, depending on the application this can have very different consequences, ranging from mild annoyance to complete compromise of the application. Developers must properly authenticate and check the integrity of any data update process, in order to prevent a MitM attacker from causing any damage to the application or its data.
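The following is an added illustration of the recommendation above; it is not code from the original note, from Samsung or from SwiftKey. It sketches an update path in which the device authenticates the downloaded package before anything is extracted, and runs the flow twice: once with the vendor's package delivered intact, once with an on-path attacker swapping in a package of their own, as in the scenario described in this note. The key, file names and package contents are constructed for the demo. HMAC-SHA256 from the standard library stands in for the asymmetric signature a real deployment would use (with only the public key embedded in the app), so that the block runs without third-party dependencies.

```python
"""Authenticate an update package before extracting it (added example).

HMAC-SHA256 is used here only so the example runs with the standard library;
a real device would verify an asymmetric signature (e.g. ECDSA or Ed25519)
against a public key shipped with the app, so that no secret lives on the device.
"""
import hashlib
import hmac
import io
import tempfile
import zipfile

# Constructed key for the demo: in a real design the signing key stays with
# the vendor and the device holds only the public half.
VENDOR_KEY = b"constructed-demo-key-do-not-use"


def build_language_pack(files: dict) -> bytes:
    """Build an in-memory zip resembling a keyboard language update (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sign_package(package: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: authenticator over the exact bytes the device will extract."""
    return hmac.new(key, package, hashlib.sha256).digest()


def verify_package(package: bytes, tag: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Device side: constant-time check that the package came from the vendor."""
    expected = hmac.new(key, package, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def install_update(package: bytes, tag: bytes, dest_dir: str = None) -> list:
    """Extract the update only after it has been authenticated.

    Returns the list of extracted entry names. A package that fails
    verification raises ValueError and nothing is written to disk.
    """
    if not verify_package(package, tag):
        raise ValueError("update rejected: authentication failed")
    if dest_dir is None:
        dest_dir = tempfile.mkdtemp(prefix="keyboard-update-")
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        zf.extractall(dest_dir)
    return names


def simulate_update(tamper: bool) -> dict:
    """Run the update flow once, optionally with a MitM swapping the package.

    The vendor signs the genuine package; the attacker may replace the zip in
    transit but cannot produce a valid tag for it without the vendor key.
    """
    genuine = build_language_pack({"dict/en_GB.bin": b"constructed dictionary data"})
    tag = sign_package(genuine)

    if tamper:
        delivered = build_language_pack({"dict/en_GB.bin": b"attacker-controlled content"})
    else:
        delivered = genuine

    try:
        extracted = install_update(delivered, tag)
        return {"accepted": True, "extracted": extracted}
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc)}


if __name__ == "__main__":
    print("genuine update:", simulate_update(tamper=False))
    print("tampered update:", simulate_update(tamper=True))
```

The design point is the ordering: the check runs over the complete downloaded bytes and the file system is touched only after it passes, so an attacker who controls the channel can at most prevent an update (the Denial of Service mentioned above), not have content of their choosing extracted. Transport protection (TLS with a pinned server certificate) belongs on top of this, and, per the recommendations below, the process doing the extraction should not run with system privileges.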
ENISA recommendations for integrators are as follows:
- Samsung used a vulnerable piece of software. Integrators are in a unique position to make sure that the software they integrate is secure: they have the means, the power, and they see the global picture. They must continuously audit all software that they bundle for security vulnerabilities.
- Samsung provided its version of SwiftKey as the system keyboard, with a high level of privileges. It is unclear why this was necessary, since the standalone software does not require such a level of privilege. We recommend that integrators give bundled software the least privileges necessary for it to work.
- There is no way for users to uninstall or disable the vulnerable software. Users need to be able to choose whether bundled software adds value for them. As such, integrators must provide ways for users to easily disable or uninstall bundled software.
- There is currently no way to update the vulnerable software, except on devices where KNOX is enabled. The others have to wait for a full Operating System update to get a patch, which is both a lengthy and risky process. Integrators must provide ways to update bundled software as easily as if it had been installed by the user.
- The researchers claim to have warned Samsung of the vulnerability in November 2014. SwiftKey itself was only made aware of the problem in June 2015. Integrators must react to vulnerability reports from researchers, and work with the respective providers as soon as possible.
About "Info Notes" from ENISA
With the “Info Notes” series ENISA aims at giving the interested reader some background and recommendations about NIS related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible course of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire more information on the “Info Notes” series (firstname.lastname@example.org).