[Image: Maurizio Pesce]
As many as 600 million Samsung phones, including the Galaxy S5 and S6, are currently at risk of being hacked. A vulnerability in the pre-installed SwiftKey keyboard enables an outsider to listen to conversations; explore contacts, text messages and photos; install unwanted apps; change settings; and access GPS, camera and microphone.
Cybersecurity company NowSecure alerted Samsung to the vulnerability in November 2014, beginning four months of negotiations between the two companies: NowSecure wanted to publicize the issue as soon as possible to protect consumers, while Samsung hoped to keep quiet until it was able to offer a solution. The companies finally reached agreement in March, when Samsung was able to send a fix to wireless carriers, and a decision was reached to go public in June.
In the last three months, carriers’ attempts to patch phones via user downloads have yielded questionable results. According to the Wall Street Journal, NowSecure researchers found the security flaw in new Samsung Galaxy S6s earlier this month, prompting NowSecure CEO Andrew Hoog to state that “there are many, many phones that will never get updated. And that’s why we have to raise this visibility.”
Such is the furtive world of cybersecurity politics. If you don’t talk about it, it doesn’t get fixed; if you talk about it before you fix it, you could make it worse.
So far, going public has motivated Samsung to directly address the glitch. On June 18, Samsung’s blog reported that the company would provide security policy updates in “a few days.” Samsung additionally provided instructions for users to enable their phones to automatically accept all security policy updates, a reminder that ultimately, the success of these updates remains in the hands of users.
To counter NowSecure’s fears, Samsung noted that as of June 16, no users had reported compromised security on their phones, and stated that “the likelihood of making a successful attack, exploiting this vulnerability is low,” largely because it would require a hacker to be on the same unprotected network as a user while the latter is downloading a specific update.
Regardless, if there were a perfect time to take advantage of the Samsung weakness, that time is now. Between Samsung’s blog describing the conditions under which to exploit the vulnerability and NowSecure’s blog providing a step-by-step breakdown of how the glitch was found, hackers currently have a wealth of suggestions at their fingertips.