Apple, Samsung Devices: Bug Warnings
Over 600 Million Samsung Devices at Risk from Keyboard Flaw
Security researchers are sounding warnings about separate flaws that put millions of Android, iOS and Apple OS X devices at risk.
A keyboard-related flaw affects more than 600 million Samsung devices, and could be used to remotely run malicious code. Separately, researchers say they have identified a series of vulnerabilities - dubbed "Xara" - in Apple iOS and OS X devices that allow them to sidestep the OS X sandbox. The flaws could be exploited by malware to steal data and passwords, for example, by cracking the built-in Keychain password manager in OS X.
Apple's Xara Flaws
The Xara flaws - for "cross-app remote access" - were discovered by researchers from Indiana University, Georgia Institute of Technology, as well as Peking University and Tsinghua University in Beijing.
The flaws stem from both iOS and OS X failing to authenticate many types of app-to-app and app-to-OS interactions, the researchers write in a related research paper. "We found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by [custom-developed] malware to steal such confidential information as the passwords for iCloud, email and [banks], and the secret token of Evernote."
The researchers have posted online demonstrations of how Xara could be exploited to steal iCloud tokens, passwords from the Google Chrome browser and private notes from Evernote users. They also demonstrated an attack using the WebSocket protocol - used to display Web content in apps - that allowed them to intercept all passwords from 1Password that get used in the Chrome browser. And while they have not given Xara its own logo - as so many firms now seem to do - other researchers quickly obliged.
Apple did not immediately respond to a request for comment about the Xara flaws. But the researchers say that hundreds of apps that they studied have these flaws, although they could be corrected if developers rewrite their apps (see Securing Homegrown Mobile Apps). Still, it's unlikely such moves would happen quickly. "Since the issues may not be easily fixed, we built a simple program that detects exploit attempts on OS X, helping protect vulnerable apps," the researchers write. They have promised to release that program soon.
Samsung Keyboard Flaw
Researcher Ryan Welton from mobile security firm NowSecure - formerly known as viaForensics - has published proof-of-concept exploit code for a vulnerability in third-party keyboard app SwiftKey, which he says is installed by default on numerous Samsung mobile devices, including the Galaxy S4, S5 and S6.
"The Swift keyboard comes pre-installed on Samsung devices and cannot be disabled or uninstalled," he says. "Even when it is not used as the default keyboard, it can still be exploited."
The flaw does not exist in regular SwiftKey installations, but only on Samsung devices, thanks to how the OEM has configured the keyboard app, he says. That's because Samsung has programmed its variant of SwiftKey - called SamsungIME - to include "an auto-update 'feature' ... that doesn't do authentication or integrity," says security researcher Paul Ducklin at Sophos in a blog post. As a result, an attacker could abuse this feature, which is HTTP-based, to "update" devices with arbitrary code, essentially reprogramming them.
Details of the "highly reliable, completely silent" attack were first released publicly this week by Welton at the Black Hat Summit in London. Welton says he informed Samsung of the flaw in December, as well as CERT, which alerted Google's Android team and classified the bug as CVE-2015-2865.
To date, it's unclear how many users remain at risk from the flaw. "While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network," NowSecure says in a related research report. "In addition, it is difficult to determine how many mobile device users remain vulnerable, given the [device] models and number of network operators globally."
Pending a patch, Welton says it will be difficult for Samsung device users to safeguard themselves against related attacks. "Unfortunately, the flawed keyboard app can't be uninstalled or disabled," he says. "Also, it isn't easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update. To reduce your risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing."
Ducklin also recommends Samsung users avoid using untrusted networks, and potentially use a virtual private network, so that "all your network traffic is encrypted before it leaves your device, 'tunneled' back to a server at head office or at home, and only sent out onto the open Internet from there."