Tuesday, 16 June 2015

Samsung's keyboard had an exploit that you probably don't need to worry about

Another security story misses the point, and your phone isn’t likely in any real danger.


Samsung’s stock keyboard — as in the one that ships on its phones — is the subject today of a piece from security firm NowSecure detailing a flaw that could allow code to be executed remotely on your phone. Samsung’s built-in keyboard uses the SwiftKey software development kit for prediction and language packs, and that’s where the exploit was found.


NowSecure has headlined the entire thing with “Samsung Keyboard Security Risk Disclosed: Over 600M+ Devices Worldwide Impacted.” That’s scary-sounding stuff. (Especially when it includes bright red backgrounds and scary-looking images of what generally is known as a dead face.)


So do you need to worry? Probably not. Let’s break it down.


First things first: It’s been confirmed to us that we’re talking about Samsung’s stock keyboard on the Galaxy S6, Galaxy S5, Galaxy S4 and GS4 Mini — and not the version of SwiftKey that you can download from Google Play or the Apple App Store. Those are two very different things. (And if you’re not using a Samsung phone, obviously none of this applies to you anyway.)


We reached out to SwiftKey, which gave us the following statement:


“We’ve seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”



We also reached out to Samsung earlier in the day but have yet to receive any comment. We’ll update if and when we get one.


Reading through NowSecure’s technical blog on the exploit, we can get a glimpse of what’s going on. (If you read it yourself, do note that where they say “Swift” they mean “SwiftKey.”) If you’re connected to an unsecured access point (such as an open Wi-Fi network), it’s possible for someone to intercept and alter the SwiftKey language packs as they’re updating (which they periodically do for obvious reasons — improved prediction and whatnot), so that your phone receives data from the attacker instead.


Being able to piggyback that is bad. But, again, it’s dependent on you being on an unsecured network in the first place (which you really shouldn’t be — avoid public hotspots that don’t use wireless security, or consider a VPN). And it depends on someone being there to do something nefarious in the first place.


And it depends on you having an unpatched device. As NowSecure itself points out, Samsung’s already submitted patches to the carriers. It just has no idea how many have pushed the patch, or ultimately how many devices remain vulnerable.
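The interception scenario described above, modeled as an added example (not code from NowSecure, Samsung or SwiftKey, and not their actual update protocol): an integrity check only helps if the expected value reaches the phone by a route the network attacker cannot alter. The response layout, function names and the `PINNED_DIGESTS` table are assumptions for this sketch; the pinned table stands in for any integrity source authenticated independently of the network, such as a vendor signature or a TLS-protected manifest.

```python
import hashlib
import hmac

# Constructed sample data: stands in for a language pack published by the vendor.
GENUINE_PACK = b"en_US language model v42 (constructed sample)"

# Trust anchor (assumption): digests shipped inside the signed app or firmware
# image, so someone relaying network traffic cannot change them.
PINNED_DIGESTS = {"en_US": hashlib.sha256(GENUINE_PACK).hexdigest()}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def on_path_rewrite(response: dict) -> dict:
    """Model of an unauthenticated channel: whoever relays the response can
    replace the pack and recompute any digest that travels with it."""
    altered = b"substituted bytes (constructed sample)"
    return {"lang": response["lang"], "pack": altered, "sha256": sha256_hex(altered)}


def accept_naive(response: dict) -> bool:
    """Weak check: compares the pack with a digest from the same response."""
    return hmac.compare_digest(sha256_hex(response["pack"]), response["sha256"])


def accept_pinned(response: dict) -> bool:
    """Stronger check: compares the pack with a digest from the trust anchor."""
    expected = PINNED_DIGESTS.get(response["lang"])
    if expected is None:
        return False  # unknown language: fail closed
    return hmac.compare_digest(sha256_hex(response["pack"]), expected)


def run_demo() -> dict:
    genuine = {"lang": "en_US", "pack": GENUINE_PACK, "sha256": sha256_hex(GENUINE_PACK)}
    tampered = on_path_rewrite(genuine)
    return {
        "naive_accepts_genuine": accept_naive(genuine),
        "naive_accepts_tampered": accept_naive(tampered),
        "pinned_accepts_genuine": accept_pinned(genuine),
        "pinned_accepts_tampered": accept_pinned(tampered),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The naive check passes the altered pack because its digest was rewritten along with it; only the check anchored outside the network path rejects it.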


Those are a lot of variables and unknowns that ultimately add up to another academic exploit (as opposed to one that has real-world implications) that indeed needs to be (and has been) patched, though it does underscore the importance of the operators that control updates to phones in the U.S. getting those updates pushed out more quickly.


Source: androidcentral



