Are 600 Million Samsung Android Phones Really at Risk?

A report alleges a significant risk to Samsung phones, but the threat may be overstated. It is just one of many risks Android device users face. Samsung is facing accusations that it has a vulnerability in its Android phones that could be leaving more than 600 million users at risk. Security firm NowSecure first disclosed the vulnerability, known as CVE-2015-2865.

While the vulnerability poses risks, the simple truth is that it is just one of many that could potentially impact Samsung's Android users.

NowSecure has published a detailed technical analysis on the issue, which is a flaw in how the Swiftkey keyboard app validates language pack updates. The Swiftkey keyboard is installed by default in Samsung's Galaxy phones.

"By design, Swiftkey periodically checks for language pack updates over HTTP," the CERT vulnerability note on the issue states. "By intercepting such requests and modifying the necessary fields, an attacker can write arbitrary data to vulnerable devices."

NowSecure warns in its own advisory that if an attacker exploits the SwiftKey flaw, they could access the phone's camera, secretly install apps and access user data. NowSecure claims that it informed Samsung of the issue in December 2014. That means that NowSecure waited six months before publicly disclosing this issue, which is significantly longer than NowSecure's stated responsible disclosure policy terms of only 30 days that the company normally uses. 

There is indeed a risk of a potential man-in-the-middle (MiTM) attack in which an attacker intercepts the update traffic for SwiftKey. As a result of the interception, and SwiftKey's elevated system privileges, the attacker can then do what he or she wants with a user's device. In principle, this attack sounds scary, but it's neither unique nor novel. 

Despite the researchers' claims of 600 million Samsung users at risk, the simple truth is that likely most of the same users (if not more) are already at risk from any number of different Android issues. At the core of the SwiftKey flaw is the incorrect use of an update mechanism. I've written on this topic at great length, and it is well-known. In August 2014, FireEye, for example, published a report noting that 68 percent of the 1,000 most downloaded free applications available in the Google Play store have some form of SSL-related security risk. 

Secure Sockets Layer/Transport Layer Security (SSL/TLS) is the encrypted data transport technology used to prevent snooping of traffic sent over the Internet. In February, Intel Security's McAfee Labs published a threat report that came to the same basic conclusion, namely that many of the most popular Android apps have SSL-related risks. 

Any of those apps could have potentially been victimized in a MiTM attack. It's true that not all of those apps have system privileges like SwiftKey, but the risk to users is still there. NowSecure suggests that users avoid non-secure WiFi networks and ask their carriers for a patch. 

Both those suggestions are always good ideas and can limit risks to Android, in general. The biggest risk to Android in my opinion isn't unpatched Android vulnerabilities, but rather a lack of patches from carriers or even Google for older non-supported devices. 

Most devices are only supported for two years from the time the device is first released, leaving many millions of unpatched Android devices in use today. 

Jeff Forristal, CTO of mobile security vendor Bluebox Security, explained that older Android vulnerabilities that he first disclosed at the Black Hat 2013 and 2014 conferences still pose risks in 2015. 

So, while this new SwiftKey vulnerability is a concern, Android users need to be concerned about a lot of other things.

No comments:

Powered by Blogger.