Remote Code Execution Vulnerability on Samsung Phones
Recently, a security research company reported a remote code execution vulnerability in Samsung phones that ship with a pre-installed version of the SwiftKey keyboard. When the SwiftKey keyboard checks for updates, an attacker conducting a man-in-the-middle attack may be able to write arbitrary data to the device. To help users evaluate the risk and apply the best protection, HKCERT provides the following summary and advisories.
Summary
- NowSecure, a security research company [1], reported a remote code execution vulnerability in Samsung phones.
- The affected phones run a customized Android system with the SwiftKey keyboard pre-installed and running with system privileges.
- The SwiftKey keyboard periodically checks for language pack updates over plain HTTP, so the update traffic is neither encrypted nor authenticated.
- An attacker conducting a man-in-the-middle attack can tamper with that update traffic and may be able to write arbitrary data to vulnerable devices with the keyboard's system privileges.
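The weakness in the summary above, and what closes it, as an added example that is not SwiftKey, Samsung or NowSecure code: a toy language-pack updater in Python, once written to trust whatever arrives over plain HTTP and once hardened to require TLS for the update check, verify the package digest carried in the TLS-protected manifest, and confine the write to the pack directory. The manifest format, the host name `updates.example.invalid`, the sample packs and the on-path attacker model are constructed for the example; the page does not describe SwiftKey's actual update protocol or how the arbitrary write lands on the device.

```python
"""Model of a keyboard language-pack update check, vulnerable and hardened.

Added example, not vendor code. The manifest format (a JSON object naming
the destination file, the package URL and its SHA-256), the host name and
the sample packs are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from urllib.parse import urlparse

# Constructed sample data.
GOOD_PACK = b"en_US language pack v2 (constructed sample data)"
EVIL_PACK = b"attacker-controlled bytes injected on the wire (constructed)"
PACK_URL = "http://updates.example.invalid/en_US.pack"
HTTP_MANIFEST = "http://updates.example.invalid/manifest.json"
HTTPS_MANIFEST = "https://updates.example.invalid/manifest.json"


def manifest_for(pack, filename="en_US.pack", pack_url=PACK_URL):
    """Manifest the update server would publish (constructed format)."""
    return json.dumps({"file": filename, "url": pack_url,
                       "sha256": hashlib.sha256(pack).hexdigest()}).encode()


def honest_network(url):
    """Responses as the real update server would send them."""
    if url.endswith("/manifest.json"):
        return manifest_for(GOOD_PACK)
    return GOOD_PACK


def mitm_network(url):
    """Same requests, but an on-path attacker rewrites every plaintext HTTP
    response. HTTPS responses pass through untouched: without a trusted
    certificate the attacker cannot forge them."""
    if urlparse(url).scheme == "https":
        return honest_network(url)
    if url.endswith("/manifest.json"):
        # Attacker's manifest: his own payload, a digest that matches it,
        # and a destination that escapes the pack directory.
        return manifest_for(EVIL_PACK, filename="../../planted.bin")
    return EVIL_PACK


class UpdateError(Exception):
    pass


def vulnerable_update(manifest_url, fetch, pack_dir):
    """Trusts the network: no transport, digest or destination check."""
    m = json.loads(fetch(manifest_url))
    package = fetch(m["url"])
    path = os.path.join(pack_dir, m["file"])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(package)
    return os.path.realpath(path)


def hardened_update(manifest_url, fetch, pack_dir):
    """Same flow with the three checks a MITM-resistant updater needs."""
    # 1. The update check itself must run over TLS; a plaintext manifest can
    #    be rewritten by anyone between the device and the server.
    if urlparse(manifest_url).scheme != "https":
        raise UpdateError("refusing to check for updates over plaintext HTTP")
    m = json.loads(fetch(manifest_url))
    package = fetch(m["url"])
    # 2. The package (which may still travel over HTTP or a CDN) must match
    #    the digest carried in the TLS-protected manifest.
    if hashlib.sha256(package).hexdigest() != m["sha256"]:
        raise UpdateError("package digest does not match the manifest")
    # 3. The destination must stay inside the pack directory.
    root = os.path.realpath(pack_dir)
    path = os.path.realpath(os.path.join(root, m["file"]))
    if os.path.commonpath([root, path]) != root:
        raise UpdateError("manifest names a file outside the pack directory")
    with open(path, "wb") as f:
        f.write(package)
    return path


def run_scenarios():
    """Drive each client against the honest and the attacker-controlled
    network. Returns {(client, network): ("wrote", relpath, "good"|"evil")
    or ("refused", reason)}."""
    results = {}
    cases = (("vulnerable", HTTP_MANIFEST, vulnerable_update),
             ("hardened-http", HTTP_MANIFEST, hardened_update),
             ("hardened-https", HTTPS_MANIFEST, hardened_update))
    for net_name, fetch in (("honest", honest_network), ("mitm", mitm_network)):
        for client, manifest_url, update in cases:
            with tempfile.TemporaryDirectory() as root:
                pack_dir = os.path.join(root, "app", "packs")
                os.makedirs(pack_dir)
                try:
                    path = update(manifest_url, fetch, pack_dir)
                    with open(path, "rb") as f:
                        label = "good" if f.read() == GOOD_PACK else "evil"
                    rel = os.path.relpath(path, os.path.realpath(root))
                    results[(client, net_name)] = ("wrote", rel, label)
                except UpdateError as e:
                    results[(client, net_name)] = ("refused", str(e))
    return results


if __name__ == "__main__":
    for key, outcome in sorted(run_scenarios().items()):
        print(key, outcome)
```

Running it shows the vulnerable client installing the attacker's bytes outside its own directory on the MITM network, while the hardened client refuses a plaintext update check outright and, on an HTTPS check, rejects the tampered package because its digest no longer matches the manifest. Note that the digest check only helps because the manifest arrived over an authenticated channel; a digest in a plaintext manifest is rewritten along with the payload.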
Video of Samsung keyboard exploit demo
Advisories
- Avoid using untrusted networks, including public Wi-Fi, to reduce the chance of becoming the victim of a MITM attack. This lowers exposure but does not remove the vulnerability; the keyboard still performs its update check over plain HTTP.
Remarks [2]
- Affected Samsung phones include the S4 Mini, S4, S5, and S6.
- Depending on how often SwiftKey checks for updates, such an attack may have a low likelihood of occurring.
- SwiftKey has confirmed that the SwiftKey Keyboard app available on Google Play and the Apple App Store is not affected.
[1] Reference: https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/
[2] Reference: http://www.kb.cert.org/vuls/id/155412
For this vulnerability, HKCERT has issued a Security Bulletin. For more details, please refer to /my_url/alert/15061801