Samsung Device Vulnerability Explained by Rapid7
Tod Beardsley, security engineering manager at Rapid7, recently shared his views on the vulnerability affecting Samsung devices. His statement follows:
“After the initial report of the integrated keyboard vulnerability on Samsung devices, it’s good to hear that Samsung is being creative about rolling out a solution using Samsung Knox. Knox allows Samsung to bypass the often very slow over-the-air (OTA) OS update process. It’s unclear from Samsung’s statements, however, if this strategy will cover only Knox enterprise users, or also the personal My Knox platform. We’ll know for sure in the coming days.
With regards to the vulnerability, it’s important to stress that this is not necessarily a cause for panic among Samsung’s user base. Yes, the vulnerability provides a path to system-level access for an adversary, which can ultimately compromise all personal data on a phone, including login passwords, stored files, and other personal information. That said, it’s not simply a matter of blasting out millions of phishing e-mails or texts and pointing victims to an evil download or website. The attacker, in all cases, needs to be in the path of the vulnerable keyboard update process. This means one of two criteria for the adversary must be met:
- The attacker must have control over the wireless network the target is on. This means either the attacker has already thoroughly compromised the local network, or has set up his own network. In the latter case, the device (and nearly always the attacker) needs to be physically close to the target.
- Alternatively, the adversary must be “upstream” from the target; for example, have thorough access to, or be, the ISP and have the ability to poison domain name services (DNS) with falsified information. This attack is typically limited to organisations with warrant power or sophisticated technical reach, such as law enforcement, intelligence, or military organisations. This is, understandably, a less likely scenario, and considers an adversary which is already difficult to defend against for most people.
So, while the vulnerability is absolutely real, the threat of exploit is fairly low. If someone wanted to exploit the vulnerability on your phone in particular, that adversary would need to be sophisticated enough to get you to join a network he controls, wait for the update process to kick off, then deliver the attack. Attacks of opportunity can happen on public networks, but the attacker still needs to get lucky and hope for a reboot or otherwise uncontrollable update procedure to start while victims are on his network.
Given the unlikely nature of the attack, it’s good to see that Samsung is taking this exposure seriously, for at least their enterprise Knox customers, and hopefully for all Knox users. I imagine a proper operating system patch will be released in the coming weeks and months for everyone else. In the meantime, users should be aware of the networks they habitually connect to, routinely remove “remembered” networks they don’t often use, and ensure that they reboot their Samsung devices only while associated to networks they normally trust.”