THE GALAXY S6 is putting user data at risk of being stolen owing to a security problem with the handset's SwiftKey-developed, pre-installed keyboard.
US security firm NowSecure outed the glitch, which affects older handsets such as the Galaxy S5 and Galaxy S4 as well as the Samsung Galaxy S6, putting more than 600 million Samsung smartphone users at risk.
The vulnerability is down to the keyboard's use of unencrypted connections when downloading new language packs, a flaw which "allows an attacker to remotely execute code as a privileged [system] user".
Hackers could use this to access features such as the smartphone's camera and microphone and install malicious apps without the user knowing, and to eavesdrop on calls and messages.
The flaw is thought to affect only those on the AT&T, T-Mobile, Sprint and Verizon networks in the US.
In a statement sent to The INQUIRER, a Samsung spokesperson said: "Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security.
"It is important to note that the phone’s core functions (kernel) were not affected by the reported issue due to the protection of the Samsung Knox platform in all S4 models and above.
"Samsung Knox also has the capability to update the security policy of the phones, over-the-air, to invalidate any remaining potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days.
"In addition to the Security Policy update, we are also working with SwiftKey to address potential risks going forward."
SwiftKey said in a statement sent to Forbes: "We've seen reports of a security issue related to the Samsung keyboard.
"We can confirm that the SwiftKey keyboard apps available via Google Play or the Apple App Store are not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further."
NowSecure reported the weakness to Samsung in December. Samsung sent mobile operators a patch, but it's unclear how many carriers have delivered that update to their customers.
"Also, it isn’t easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update," NowSecure said.
NowSecure advises owners of affected handsets who are concerned about this bug to avoid using insecure Wi-Fi networks, switch to a different device or contact their carrier for information about whether the smartphone is at risk.
A full list of affected devices can be viewed on the NowSecure website. µ