Last week, NowSecure security researchers revealed that nearly 600 million Samsung mobile devices are vulnerable to a type of man-in-the-middle (MitM) attack.
Samsung devices have a virtual keyboard that automatically updates its language package. Even if you don't use the default keyboard on your Samsung device, this keyboard will still update itself.
This update can be hijacked by an attacker who is positioned on the same network to upload any malicious software they want. This could be a malicious payload like Netcat or a Metasploit payload that would give the attacker complete control over the Samsung device. The attacker could then download photos, text messages, email, etc. or take control of the microphone or camera on the device.
This is very similar to the EvilGrade attack I demonstrated here. In this attack, we hijacked the software upgrade of Notepad++ and installed our own malicious software that gives us control of the system. In addition, the NSA has used this technique in activating and upgrading Stuxnet and some of their other malicious espionage software.
The Samsung keyboard upgrade has at least two key issues in its upgrade process. First, it fails to encrypt the upgrade process, making it rather easy for the attacker to identify and intercept the upgrade. Second, the updates are given root privileges, meaning that an attacker who installs malicious software on these devices immediately has all privileges on the device.
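The first issue, an update fetched over an unencrypted channel, is visible to a network defender as well. The following is an added example, not code from this article or from NowSecure: it scans web-proxy log lines for installable packages downloaded over plain HTTP and groups them by client device. The log format, host names and file names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log (assumed format): time, client IP, method, URL, content type, bytes.
SAMPLE_LOG = """\
2015-06-22T09:14:02Z 10.0.0.23 GET http://updates.example.net/keyboard/languagePacks.json application/json 2210
2015-06-22T09:14:03Z 10.0.0.23 GET http://updates.example.net/keyboard/az_AZ.zip application/zip 912384
2015-06-22T09:15:40Z 10.0.0.41 GET https://cdn.example.org/app/update-4.2.apk application/vnd.android.package-archive 18233110
2015-06-22T09:16:11Z 10.0.0.23 GET http://news.example.com/index.html text/html 48211
2015-06-22T09:17:55Z 10.0.0.57 GET http://updates.example.net/keyboard/fr_FR.zip application/octet-stream 877120
this line is malformed and must be skipped
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<ctype>\S+) (?P<size>\d+)$"
)
# File extensions and MIME types that indicate code or archives a device may install.
PACKAGE_EXT = (".zip", ".apk", ".jar", ".dex", ".so")
PACKAGE_TYPES = {
    "application/zip",
    "application/java-archive",
    "application/vnd.android.package-archive",
}


def cleartext_update_fetches(log_text):
    """Return {client_ip: [url, ...]} for packages fetched over plain HTTP."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        url = urlsplit(m["url"])
        if url.scheme.lower() != "http":
            continue  # TLS-protected downloads are out of scope for this check
        # The extension is checked too, because servers often send a generic
        # application/octet-stream content type for archives.
        by_ext = url.path.lower().endswith(PACKAGE_EXT)
        by_type = m["ctype"].lower() in PACKAGE_TYPES
        if by_ext or by_type:
            findings[m["client"]].append(m["url"])
    return dict(findings)


if __name__ == "__main__":
    for client, urls in cleartext_update_fetches(SAMPLE_LOG).items():
        print(client, "fetched over cleartext HTTP:", ", ".join(urls))
```

A hit only shows that the download could be tampered with in transit; whether the client verifies the package after download has to be checked separately.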
As of yet, no one has developed a tool to exploit this vulnerability and Samsung has not yet patched it. Exploiting this vulnerability won't be easy, as it would require a MitM attack that waits for the keyboard to update its language package and then replaces it with malicious software. Given the number of vulnerable devices, though, I'm sure someone will have an exploit out soon!