During Black Hat London, a vulnerability in the SwiftKey keyboard bundled by Samsung came to light. [1] A flaw in the way language packs are updated and installed allows an attacker to write an arbitrary file to an arbitrary location on the file system. The issue was disclosed to Samsung in late 2014. To exploit it, the attacker must be able to modify traffic between the device and the update servers, for example from a position on the same network. Samsung provided a patch early in 2015, [2] but as of today that patch has not made it into an over-the-air (OTA) update for the major carriers. [3]
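To make the bug class concrete, the following is an added example written for this post; it is not code from the original article, nor from SwiftKey or Samsung. It models a toy language-pack installer that fetches an archive the attacker can rewrite in transit, shows how trusting the payload yields an arbitrary file write, and then shows the two checks that close it: authenticate the payload before parsing it, and confine every extracted path to the install directory. The zip packaging, the HMAC tag standing in for a real signature, the key and all file names are assumptions for the illustration, not details taken from the advisory.

```python
"""Added illustration of an untrusted-update arbitrary file write and its fix.
Not the original post's code nor SwiftKey/Samsung code; packaging, key and
names are assumptions made for this example."""
import hashlib
import hmac
import io
import os
import tempfile
import zipfile

# Assumed signing key. A real client would hold a public key and verify a
# signature; the control flow (verify, then parse) is the same.
KEY = b"assumed-update-signing-key"


def build_pack(entries):
    """Pack {name: bytes} into an in-memory zip (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sign(pack):
    """Tag the payload; stands in for the update server's signature."""
    return hmac.new(KEY, pack, hashlib.sha256).digest()


# Constructed packs: a benign one and one an on-path attacker could substitute,
# whose entry name climbs out of the install directory.
BENIGN_PACK = build_pack({"en_US/dictionary.txt": b"hello world"})
EVIL_PACK = build_pack({
    "en_US/dictionary.txt": b"hello world",
    "../../etc/evil.conf": b"attacker controlled",
})


def install_unsafe(pack, dest):
    """Vulnerable pattern: unauthenticated payload, entry names trusted."""
    written = []
    with zipfile.ZipFile(io.BytesIO(pack)) as zf:
        for info in zf.infolist():
            path = os.path.normpath(os.path.join(dest, info.filename))  # '..' honoured
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(zf.read(info))
            written.append(path)
    return written


def _confined(dest, name):
    """Resolve an entry name and refuse anything that leaves dest."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("entry escapes install dir: %r" % name)
    return target


def install_safe(pack, tag, dest):
    """Hardened: verify the payload before parsing, then confine each entry."""
    if not hmac.compare_digest(sign(pack), tag):
        raise ValueError("payload failed authentication")
    with zipfile.ZipFile(io.BytesIO(pack)) as zf:
        # Validate every path before writing, so a bad entry late in the
        # archive cannot leave a half-installed pack behind.
        targets = [(i, _confined(dest, i.filename)) for i in zf.infolist()]
        for info, path in targets:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(zf.read(info))
    return [p for _, p in targets]


def demo():
    """Run both installers against the constructed packs in a temp tree."""
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "app", "packs")
    os.makedirs(dest)
    result = {}
    install_unsafe(EVIL_PACK, dest)
    result["unsafe_wrote_outside"] = os.path.exists(os.path.join(root, "etc", "evil.conf"))
    try:  # valid tag, so only the path check can stop the traversal
        install_safe(EVIL_PACK, sign(EVIL_PACK), dest)
        result["safe_rejects_traversal"] = False
    except ValueError:
        result["safe_rejects_traversal"] = True
    try:  # tampered payload, tag no longer matches
        install_safe(EVIL_PACK, b"\x00" * 32, dest)
        result["safe_rejects_bad_tag"] = False
    except ValueError:
        result["safe_rejects_bad_tag"] = True
    paths = install_safe(BENIGN_PACK, sign(BENIGN_PACK), dest)
    expected = os.path.join(os.path.realpath(dest), "en_US", "dictionary.txt")
    result["benign_installed"] = paths == [expected]
    return result


if __name__ == "__main__":
    print(demo())
```

The ordering in `install_safe` is the point a practitioner should take away: the archive is not even opened until the tag checks out, so an attacker who can rewrite update traffic but cannot forge the tag never reaches the parser, and the path check is defense in depth for the case where a legitimately signed pack is malformed.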
This is baffling to many in the security community and to end users, and unfortunately the blame is being laid at the wrong doorstep. An HTC infographic shows the rigorous process by which an update travels from Google to your phone (for a security update of this type, the pertinent steps are on the orange line starting at step 10). After Samsung delivers an update to a carrier, the carrier must complete technical and regulatory testing before the update can go out to phones, and that testing can take months.
That said, I believe the carriers have dropped the ball. They should be able to package and test a small update that touches only the keyboard; as long as it is not bundled with changes to components such as the modem, an abbreviated testing cycle should get it out far sooner than a full firmware revision. The underlying problem is how carriers treat security updates: they have no process for pushing small, targeted fixes to device owners.
Since this story came to light, Samsung has taken additional steps to close the hole, and the company says it is working on an update to the devices' security policy that will be delivered through its Knox software. [4] While this is positive news, it is not a complete solution: many people do not use Knox, for reasons such as not wanting Samsung to be able to alter their phones without permission. The best solution is for carriers to prioritize an OTA update that replaces the broken code with fixed code, rather than relying on Samsung to "put a Band-Aid" on the problem through a security policy update that only reaches users who are already aware of the situation.
Additionally, original equipment manufacturers such as Samsung should provide patches not only to carriers (AT&T, Verizon, etc.) but also to the modding community. Doing so would go a long way toward building good will with that community and would show concern for the security of everyone using their hardware.
At the moment there are no known good mitigations for this bug short of a fixed build. If you have an unlocked or rooted device, you can install an alternate ROM such as CyanogenMod. Otherwise, avoid untrusted networks such as public Wi-Fi: the attack requires someone who can tamper with the device's traffic to the update servers, and a shared network is where that is easiest.
Additional Information
Readers interested in further details about this topic can reach us at: contact@www.ise.io