Samsung announces a fix for wide-reaching Galaxy keyboard exploit

Samsung is finally responding to a major security bug that affects the keyboards on its Galaxy smartphones and tablets. The security firm NowSecure revealed the exploit earlier this week, which gives hackers the ability to execute code on Samsung's mobile devices. Today, Samsung announced that it's issuing a fix to its mobile security policies over the next few days. The company also stressed that it didn't think the exploit was much of a threat, since it required a hacker to be on the same unsecured network as your phone. Also, the company's Knox security software offers kernel protection to prevent malicious code from running. Still, this isn't the sort of exploit any company can ignore, especially when a research firm has already detailed exactly how it works.

Samsung says most of its users have Knox enabled by default and will get a prompt to apply a new security policy automatically. The company is also working on issuing an expedited firmware update to protect devices that don't have Knox enabled already.

You can make sure your phone is ready to receive the security update by following Samsung's instructions below:

Go to Settings > Lock Screen and Security > Other Security Settings > Security policy updates, and make sure the Automatic Updates option is activated. At the same screen, the user may also click Check for updates to manually retrieve any new security policy updates.

So what happened? NowSecure noted Samsung's implementation of SwiftKey's predictive keyboard left a major opening for an exploit. The firm also made it clear the issue doesn't affect SwiftKey's standalone apps -- it was entirely Samsung's fault, since it gave SwiftKey's keyboard privileged user status on all of its devices.

Even worse, TechCrunch notes that Samsung was warned about the exploit months ago by NowSecure. At the time, it told the security firm that a fix was already sent to carriers. But after NowSecure discovered Galaxy S6 phones from Verizon and Sprint were still vulnerable, it decided to announce the vulnerability at a hacker conference, forcing Samsung to respond.