Electronics giant Samsung has yet to issue a fix for a a security vulnerability existing on Samsung Galaxy devices, 7 months after the company was first alerted to it.
A hacking vulnerability affecting S3 to S6 models of Samsung Galaxy phones was identified that could potentially allow the phones to be hijacked by hackers, permitting information entered or sent via the phones to be accessed.
The security weakness is in relation to the software used for the phones keyboard, according to researchers at NowSecure. What is most worrying is the owner or user of the phone does not need to take any actions for hackers to gain access the mobile phone; the security vulnerability can be taken advantage of remotely.
Fortunately, the hack is not simple to pull off. It requires strong technical skill and can only be executed at specific times; when the keyboard software is being updated. The researchers point out that a hacker who can access to Wi-Fi networks, or with the ability to otherwise manipulate a user’s network traffic, could access the phone’s storage by manipulating the keyboard update mechanism. Once the code is changed it becomes live after rebooting.
The vulnerability is with the Swift keyboard, which is factory-loaded and cannot be removed or taken off the phone. The Samsung version of the software – SamsungIME- differs from the Google Play version of the keyboard, which has increased protection as software updates cannot be run by a privileged user.
Hackers could possibly use Wi-Fi networks, cellular base stations, ARP poisoning, DNS hijacking, packet injections and other hacking techniques to affect the keyboard updates. SwiftKey, the British-based firm responsible for providing the software, pointed out that the vulnerability exists only at very specific time points, so in order for the hacker to gain access network traffic, that person would have to be monitoring networks.
SwiftKey was only made aware of the issue on Tuesday last week; although Samsung was warned in November. NowSecure has reported that it took more than a four weeks for the vulnerability to be acknowledged, and allegedly, Samsung asked for a year to solve the issue.
Samsung argues that the security issue was not explained properly back in November, which delayed the response and the fix for the software glitch, according to a recent CNN report. Now the extent of the issue is known, the vulnerability will be tackled. Samsung will be updating all devices via its KNOX service, with the updates expected to be released in the next few days. Unfortunately for users, with 600 million devices affected, it will take some time for the updates to completely roll out. However, Galaxy phone users will not be able to simply tell if their phone has been updated with the new patch and if the security vulnerability has been fixed.
Healthcare suppliers wishing to take advantage of the convenience and practicality of Smartphones can either buy units for the staff or allow workers to bring their own devices and use them at work. The term BYOD has been nicknamed to as “Bring your Own Doom”, due to the heightened risk of privacy violations and the difficulty IT departments have controlling the use of personal mobile phones.
Healthcare providers that have pit in place BYOD schemes have been able to gain considerable benefits; productivity is improved, workers do not need a separate work device and outdated communication systems, such as pagers, can be prevented.
Since mobile phones are not completely safe, a secure text messaging service – such as a secure healthcare text app – must be used in order of PHI to be communicated using the devices. Data encryption means that even if the phone is used via an insecure Wi-Fi network, it is not possible for the messages to be read or intercepted.
Despite this, even with a secure texting app, this Samsung Galaxy security vulnerability could allow data on the phone to be read. The hack is particularly difficult to pull off- but a security risk does remain until users have the patch installed on their devices.
In the meantime, NowSecure recommends all users of the phones – almost 600 million of them – “avoid insecure Wi-Fi, ditch their phones, and call their cell phone carriers to pressure them into a quick fix.” Samsung may be about to release an update, but the speed at which this is rolled out to users may be dictated by the cell phone carrier. Updates to the phones could therefore be delayed for some time.