News: Samsung Keyboard Vulnerability Exposes 600M Mobile Devices!

Last week, NowSecure security researchers revealed that nearly 600 million Samsung mobile devices are vulnerable to a type of man-in-the-middle (MitM) attack.

Samsung devices have a virtual keyboard that automatically updates its language package. Even if you don't use the default keyboard on your Samsung device, this keyboard will still update itself.

This update can be hijacked by an attacker who is positioned on the same network to upload any malicious software they want. This could be a malicious payload like Netcat or a Metasploit payload that would give the attacker complete control over the Samsung device. The attacker could then download photos, text messages, email, etc. or take control of the microphone or camera on the device.

This is very similar to the EvilGrade attack I demonstrated here. In this attack, we hijacked the software upgrade of Notepad++ and installed our own malicious software that gives us control of the system. In addition, the NSA has used this technique in activating and upgrading Stuxnet and some of their other malicious espionage software.

The Samsung keyboard upgrade has at least two key issues in its upgrade process. First, it fails to encrypt the upgrade process, making it rather easy for the attacker to identify and intercept the upgrade. Second, the updates are given root privileges, meaning that the attacker who installs malicious software on these devices immediately has all privileges on the device.
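A defender's view of the first issue, as an added example that is not from the original post or from Samsung's updater: the client refuses any cleartext update URL and checks the downloaded language pack against the size and SHA-256 listed in a manifest fetched over TLS. All names, URLs and package bytes below are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

class UpdateRejected(Exception):
    """Raised when a language-pack update fails a pre-install check."""

def require_https(url: str) -> None:
    # Cleartext HTTP lets anyone on the same network read and replace the response.
    if urlsplit(url).scheme.lower() != "https":
        raise UpdateRejected(f"non-TLS update URL {url}")

def verify_language_pack(manifest_url: str, manifest: dict, payload: bytes) -> str:
    """Return the payload's SHA-256 when it matches the manifest, else raise."""
    require_https(manifest_url)      # the manifest itself must arrive authenticated
    require_https(manifest["url"])   # and must not point at a cleartext download
    if len(payload) != manifest["size"]:
        raise UpdateRejected("size mismatch")
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"].lower()):
        raise UpdateRejected("digest mismatch")
    return digest

def decide(manifest_url: str, manifest: dict, payload: bytes) -> str:
    """Hypothetical updater decision: install only a fully verified package."""
    try:
        verify_language_pack(manifest_url, manifest, payload)
        return "install"
    except UpdateRejected as exc:
        return f"reject: {exc}"

# Constructed sample data (not real Samsung URLs or packages).
GENUINE = b"constructed language pack: en_US word list v2"
TAMPERED = GENUINE[:-2] + b"v3"      # same length, altered in transit
MANIFEST = {
    "url": "https://updates.example.invalid/lang/en_US.zip",
    "size": len(GENUINE),
    "sha256": hashlib.sha256(GENUINE).hexdigest(),
}
HTTPS_MANIFEST = "https://updates.example.invalid/manifest.json"
HTTP_MANIFEST = "http://updates.example.invalid/manifest.json"

if __name__ == "__main__":
    for url, blob in ((HTTPS_MANIFEST, GENUINE), (HTTPS_MANIFEST, TAMPERED), (HTTP_MANIFEST, GENUINE)):
        print(decide(url, MANIFEST, blob))
```

This check covers only the transport issue; the second issue still calls for the install step to run without root privileges.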

As of yet, no one has developed a tool to exploit this vulnerability and Samsung has not yet patched it. Exploiting this vulnerability won't be easy, as it would require a MitM attack waiting for the keyboard to update its language package and then replacing it with malicious software. Given the number of vulnerable devices, though, I'm sure someone will have an exploit out soon!

8 Comments

Wow ... It's just amazing how the exploit is being triggered.

Just incredible.

All an attacker needs is to be on the same network and intercept the request and replace it. How can SAMSUNG be this irresponsible?

I first thought it was some kind of overflow, after I saw netcat at the beginning of this I thought that it caused a telnet server to open, now I am just amazed how easy this was overall...

Master OTW, where do you find all those latest vulnerabilities and stay up to date? (I know Microsoft bulletin, but that isn't really useful when looking for the latest vulnerabilities in non-Microsoft products)

-Phoenix750

Phoenix:

There are many sources on the latest vulnerabilities. First, there are many vulnerability databases such as mitre and securityfocus. Second, I belong to various email services that are always informing us of new exploits and vulnerabilities. Third, I have many friends within the industry that share information.

Can we sign up for those email services too? I'd like to stay updated on the latest vulnerabilities.

Thanks

-Phoenix750

Try ciuffy's Twitter feed; he sources from over 300 feeds on the topic. As well as Norse, FireEye, US-CERT and NVD.
