The SwiftKey keyboard, installed by default on Samsung Android phones, exposes devices to a host of remote attacks. The attacker needs only a position in the network path between the phone and Samsung's update server, whether a criminal sitting man-in-the-middle on a local Wi-Fi network or a state actor in an upstream position at an ISP or backbone.
NowSecure researcher Ryan Welton disclosed the vulnerability yesterday at the Black Hat Mobile Summit in London. It lies in the keyboard's update mechanism and stems from the way Samsung signs the over-the-air updates with its private key, which grants the swipe-style keyboard system-user permissions; anything injected through an update therefore runs with those permissions.
NowSecure estimates that 600 million devices could be vulnerable, including the Samsung Galaxy S5 on Verizon and the S4 Mini on AT&T. Newer devices are also still affected, despite patches Samsung has pushed out.
The keyboard's updates (generally language pack updates) are fetched over plain HTTP, so an attacker with access to the network can intercept the update and inject a malicious app or tamper with other resources on the phone, giving them access to email, contacts, images and other personal data stored on the device. A more sophisticated actor could also eavesdrop on phone calls or steal text messages from the device.
NowSecure CEO Andrew Hoog told Threatpost that Samsung communicated on March 20 that it had patched the issue on Android 4.2 and earlier and that updates had been pushed to carriers. Samsung also said that the Galaxy S6, for example, was not vulnerable, but Hoog said his company purchased a new device and found the vulnerability was still present.
“To date, we’re not seeing devices patched,” Hoog said. “Samsung said the Galaxy 6 running on Android 5 (Lollipop) were not vulnerable. On a pure whim, we spent $1,000 on new devices last week in order to verify and we were surprised to see the vulnerability still there. Even though it’s been patched since March by Samsung, it has not made it to new devices.”
Worsening the situation is that the keyboard is constantly requesting updates from Samsung, NowSecure said.
“The pre-installed Samsung keyboard app appears to request updates on its own with a frequency that can be variable, but is measured in hours,” NowSecure representatives said in a statement to Threatpost.
Jon Oberheide, CTO and cofounder of Duo Security, said the unpredictability of the automatic updates is one mitigating aspect.
“The vulnerable update mechanism only triggers upon reboot or periodically every few hours. So the victim would have to be on that untrusted network for hours to be exploited,” Oberheide said. “An immediate drive-by attack would not be possible.”
The keyboard, developed by SwiftKey, cannot be uninstalled from Samsung's Android devices, nor can it be blocked from running in the background, even when users choose not to use it. Updates, too, cannot be prevented, Hoog said.
“The updates are downloaded all over HTTP, not TLS, which allows anyone on the network or upstream to tamper with the payload that’s been downloaded and insert their own,” Hoog said. “We’ve recreated this on multiple phones and verified it works. This is well within the reach of attackers.”
NowSecure has posted proof-of-concept code on its GitHub page.
“Anyone with upstream access–think about the capable groups out there whether they are criminal gangs or well-funded state actors–sitting on ingress or egress points upstream can swap the updates out at will. They can listen for the URL to be called for an update, inspect the properties of the phone as they’re passed through, and then send their own manifest in a zip file.”
Hoog said NowSecure’s exploit uses a path traversal attack to overwrite a .dex file (a Dalvik Executable, the compiled bytecode format that Android runs) and insert executable code that runs on the device. An attacker would intercept the keyboard update, attach their own .dex file and take advantage of the system-user privileges the keyboard is granted to execute that code.
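The two defects the article describes, an unauthenticated update fetched over HTTP and an extractor that trusts entry names from the attacker's zip, combine into a file write outside the directory the update was meant for. The following is an added example, not NowSecure's proof of concept and not Samsung's or SwiftKey's code: it builds a constructed update archive containing a `../../payload.dex` entry, runs it through a naive extractor that joins the entry name onto the target directory unchecked, and then through a hardened extractor that rejects traversal before writing anything. The directory names, entry names and payload bytes are all invented for illustration.

```python
"""Zip path traversal in an update payload: naive vs hardened extraction.

Added example, not NowSecure's proof of concept. The install directory,
entry names and payload bytes are constructed for illustration only.
"""
import io
import os
import shutil
import tempfile
import zipfile


def build_update_zip(entries):
    """Build an in-memory zip from {entry_name: bytes}. Over plain HTTP an
    attacker in the network path can hand the client any entry names, '..'
    segments included, because nothing on the wire is authenticated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _escapes(name):
    """True if an entry name would land outside the extraction directory:
    absolute paths, drive letters, or any '..' segment after normalisation."""
    if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        return True
    return ".." in os.path.normpath(name).split(os.sep)


def traversal_entries(zip_bytes):
    """Entry names that escape the target directory. This is the check to
    run on a captured update archive before trusting it at all."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if _escapes(n)]


def extract_naive(zip_bytes, dest):
    """The vulnerable pattern: join the attacker-chosen name onto dest and
    write. Returns the resolved paths actually written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # no check on '..'
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def extract_safe(zip_bytes, dest):
    """Hardened pattern: validate every name first so a bad archive writes
    nothing, then re-check each resolved path against dest as defence in
    depth against symlinks that may already exist under dest."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = [i.filename for i in zf.infolist() if _escapes(i.filename)]
        if bad:
            raise ValueError(f"rejected traversal entries: {bad}")
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"entry resolves outside dest: {info.filename!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo():
    """Run both extractors on a constructed malicious update in a temp tree
    and report what happened, so the outcome can be checked without output."""
    root = tempfile.mkdtemp()
    app_dir = os.path.join(root, "app", "keyboard")  # hypothetical install dir
    os.makedirs(app_dir)
    update = build_update_zip({
        "langpack/en_US.bin": b"legit language pack",  # constructed
        "../../payload.dex": b"attacker dex bytes",    # constructed; escapes app_dir
    })
    naive = extract_naive(update, app_dir)
    try:
        extract_safe(update, app_dir)
        safe_error = None
    except ValueError as exc:
        safe_error = str(exc)
    result = {
        "naive_wrote_outside": os.path.realpath(os.path.join(root, "payload.dex")) in naive,
        "payload_exists_at_root": os.path.exists(os.path.join(root, "payload.dex")),
        "safe_rejected": safe_error is not None and "payload.dex" in safe_error,
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The naive extractor writes `payload.dex` two levels above the directory it was handed; the hardened one refuses the whole archive. Rejecting traversal closes the write primitive the article describes, but it does not fix the underlying problem, which is that the client accepts an unauthenticated payload at all: the update channel still needs TLS and a signature over the archive that the client checks before extraction.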
“Someone could then chain that with a privilege escalation attack to get full access to the device,” Hoog said. “This is not terribly difficult. What Ryan (Welton) found was novel and well done. But in terms of recreating this, it’s well understood and we don’t put the complexity all that high.
“There are enough actors out there with a privilege point on the network that this is concerning to both individuals and enterprises.”
The reliance on carriers for this particular update is also worrisome to Duo Security’s Oberheide.
“However, the most serious aspect is that this vulnerability can’t be patched through the Google Play Store,” Oberheide said. “It will likely require a carrier OTA update to patch the vulnerability, which as we know from history, may not become available for many months or even years. In the meantime, there doesn’t appear to be even any temporary workarounds that a user can do to mitigate the vulnerability.”
NowSecure published extensive technical details on its website.
This article was updated June 17 with comments from Duo Security.