June 17, 2015

Normally, I don’t cover vulnerabilities about which the user can do little or nothing to prevent, but two newly detailed flaws affecting hundreds of millions of Android, iOS and Apple products probably deserve special exceptions.

The first is a zero-day bug in iOS and OS X that allows the theft of both Keychain (Apple’s password management system) and app passwords. The flaw, first revealed in an academic paper (PDF) released by researchers from Indiana University, Peking University and the Georgia Institute of Technology, involves a vulnerability in Apple’s latest operating system versions that enables an app approved for download by the Apple Store to gain unauthorized access to other apps’ sensitive data.

“More specifically, we found that the inter-app interaction services, including the keychain…can be exploited…to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote,” the researchers wrote.

The team said they tested their findings by circumventing the restrictive security checks of the Apple Store, and that their attack apps were approved by the App Store in January 2015. According to the researchers, more than 88 percent of apps were “completely exposed” to the attack.

News of the research was first reported by The Register, which said that Apple was initially notified in October 2014 and that in February 2015 the company asked researchers to hold off disclosure for six months.

“The team was able to raid banking credentials from Google Chrome on the latest Mac OS X 10.10.3, using a sandboxed app to steal the system’s keychain and secret iCloud tokens, and passwords from password vaults,” The Register wrote. “Google’s Chromium security team was more responsive and removed Keychain integration for Chrome noting that it could likely not be solved at the application level. AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks or make the malware ‘work harder’ some four months after disclosure.”

A story at 9to5mac.com suggests the malware the researchers created to run their experiments can’t directly access existing keychain entries, but instead does so indirectly by forcing users to log in manually and then capturing those credentials in a newly created entry.

“For now, the best advice would appear to be cautious in downloading apps from unknown developers – even from the iOS and Mac App Stores – and to be alert to any occasion where you are asked to login manually when that login is usually done by Keychain,” 9to5’s Ben Lovejoy writes.

SAMSUNG KEYBOARD FLAW

Separately, researchers at mobile security firm NowSecure disclosed they’d found a serious vulnerability in a third-party keyboard app that is pre-installed on more than 600 million Samsung mobile devices — including the recently released Galaxy S6 — that allows attackers to remotely access resources like GPS, camera and microphone, secretly install malicious apps, eavesdrop on incoming/outgoing messages or voice calls, and access pictures and text messages on vulnerable devices.

The vulnerability in this case resides with an app called Swift keyboard, which according to researcher Ryan Welton runs from a privileged account on Samsung devices. The flaw can be exploited if the attacker can control or compromise the network to which the device is connected, such as a wireless hotspot or local network.

“This means that the keyboard was signed with Samsung’s private signing key and runs in one of the most privileged contexts on the device, system user, which is a notch short of being root,” Welton wrote in a blog post about the flaw, which was first disclosed at Black Hat London on Tuesday, along with the release of proof-of-concept code.

Welton said NowSecure alerted Samsung in November 2014, and that at the end of March Samsung reported a patch released to mobile carriers for Android 4.2 and newer, but requested an additional three months’ deferral of public disclosure. Google’s Android security team was alerted in December 2014.

“While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network,” Welton said. “In addition, it is difficult to determine how many mobile device users remain vulnerable, given the device models and number of network operators globally.” NowSecure has released a list of Samsung devices indexed by carrier and their individual patch status.

Samsung issued a statement saying it takes emerging security threats very seriously.

“Samsung KNOX has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days,” the company said. “In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”

A spokesperson for Google said the company took steps to mitigate the issue with the release of Android 5.0 in November 2014.

“Although these are most accurately characterized as application level issues, back with Android 5.0, we took proactive measures to reduce the risk of the issues being exploited,” Google said in a statement emailed to KrebsOnSecurity. “For the longer term, we are also in the process of reaching out to developers to ensure they follow best practices for secure application development.”

SwiftKey released a statement emphasizing that the company only became aware of the problem this week, and that it does not affect its keyboard applications available on Google Play or Apple App Store. “We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue,” SwiftKey said in a blog post.

Update: SwiftKey’s Jennifer Kutz suggests that it’s incorrect to use the phrase “pre-installed app” to describe the component that Samsung ships with its devices: “A pre-installed app is definitely different from how we work with Samsung, who licenses/white-labels our technology – or prediction engine – to power their devices’ default/stock keyboards,” Kutz said. “The keyboard is not branded as SwiftKey, and the functionality between our Google Play app, or pre-installed SwiftKey app, is different from what Samsung users have (in short, the official SwiftKey app has a much more robust feature set). The SwiftKey SDK powers the word predictions – it’s a core part of our technology but it is not our full app.”


51 thoughts on “Critical Flaws in Apple, Samsung Devices”

  1. Jon Marcus

    Any information on whether SwiftKey’s keyboard replacement app (which runs on all Android devices, not just Samsung ones) is also vulnerable?

    1. boondox

      The Makers of Swift key said that the other versions don’t contain the flaw found in Samsung devices.

    2. CFWhitman

      The flaw is in Samsung’s update mechanism for the feature rather than in the feature itself, so other SwiftKey implementations are not affected.

  2. I'm So Secure

    Ever since Steve passed, so has the glory of apple and all that he made secure. RIP Steve and Apple of yesterday.

    1. The Sketpic

      This OSX vulnerability requires that the user install a malicious app explicitly first. The malicious app must then masquerade as another app for the purpose of obtaining keychain data. It is a significant vulnerability, but you can manage it by being very careful with what you download and install until Apple designs a fix.

      On iOS the curated App Store remains as your best (and quite strong) protection.

      Apple is taking a long time over the fix because it is a deep design flaw that has been in OSX since the beginning. Simply patching the problem will not work, although it can be mitigated with a scanning tool. Apple needs to design a more reliable inter-process authentication mechanism, somehow without breaking every piece of software out in the wild. That’s not an easy ask.

  3. AndyB

    Good thing I keep my passwords in LastPass..

    oh wait… n/m.

    1. Alex

      Actually it is a good thing you use LastPass; their vulnerability is their server infrastructure, not their method of securing your password. This despite the latest.

    2. Dana Taylor

      I thought that LastPass hack one of the funniest things I’ve ever seen on the internet. 😎

  4. Izzy

    Forgive me for being completely technologically unsavvy, but for those of us who just aren’t that up to it, if my iPhone’s iCloud Keychain feature is turned OFF, does that mean this bug would not affect me?

    1. SeymourB

      It would, because the problem isn’t in the cloud, it’s on your local device. In effect they have to trick you into unlocking your keychain for their rogue app, at which point they can read anything in your keychain. iCloud keychain is the abortion of a security nightmare but keychain has existed as a local app for years.

      On the other hand, if you don’t use Safari and steer clear of other apps that use keychain (e.g. Mail.app), it’s possible to avoid putting data into it, so even if the malicious app takes advantage of the exploit there can be little data for it to retrieve. Firefox, for instance, maintains its own independent password repository. It sounds like Chrome has gone back to doing that on OS X as well.

  5. Lisa

    I found this response on the AgileBits user forum:
    discussions.agilebits.com/discussion/42900/osx-and-ios-1pw-keychain-vulnerability-report-on-the-register

  6. Jamie

    This is the last straw, Samsung. If I stick with Android, my next phone is going to be a Nexus device with direct OTA patching from Google AOSP.

    Android M is already in wide testing, and I don’t even have Android L yet because of the whole Google -> Manufacturer -> Carrier song and dance. I can’t even find information about whether my particular Galaxy S4 variant will get an L update at all, ever. After all, it’s a 2 years old $700 device, so it’s clearly already useless and obsolete. Ugh.

    Phones are becoming one of our most used and targeted computing platforms–it’s unacceptable that security patches have to sit on the back burner (or never get rolled out at all) because the pack-in bloatware and sweetheart pre-installation deals take top priority over user security.

    It almost makes me want to get a Windows phone or suck it up and pay that 30% profit premium for an iPhone… Almost.

    1. John

      Hi, I share your sentiments but I hate Google for not putting an external micro sd card slot on their Nexus phones. I am really contemplating now to get a Blackberry

    2. iMeToo

      Get real…. it was fixed within hours of its discovery and only affected those using Swiftkey in the first place. This is all about Apple backdoor funding FUD and Misinformation about Samsung. When in this case it was the App developer of Swiftkey, not SAMSUNG!!!

      And most of all if you were running Samsung’s full KNOX 2.x Suite in the first place, you have absolutely nothing to worry about in the first place. The larger problem here has to do with Apple’s Keychain and App Password Zero Day exploit that still doesn’t have a fix. Even though it was discovered around the time Celebrities got hacked last year!!!

      1. CFWhitman

        If any fix for the Samsung keyboard flaw has actually been rolled out, I haven’t heard of it yet. Also, it’s the default keyboard, so most people are using it. Finally, it doesn’t matter if you use it or not since you can’t remove it and it checks for updates whether you use it or not (which is when the flaw becomes active). Really, the biggest mitigation to this flaw is that it’s a “man in the middle” attack, and you won’t usually be susceptible to that sort of thing as long as you are not on a public LAN (like an unsecured WiFi network), though it’s technically possible even on your cell network.

    3. meh

      Yep I ditched Samsung for this very reason. The S6 looks nice but I am pretty darn happy with the Nexus 6 instead. Its nice and fast and I can pull down the factory images and update/re-root in about 5 minutes.

  7. Winski

    WHY OH WHY, hasn’t Apple stepped up to a fix for this system break ??? Not very professional…

  8. coakl

    Swift is that “word predictor” that guesses what you intend to type. It stinks…on my S5 phone, it refused to recognize that ETA was short for estimated time of arrival. Swift finally gave in when I added periods (E.T.A.).

    The flaw is that when Swift auto-updates itself, it does no validation that the update server or its inbound data is legitimate. It’s as if Windows Update didn’t bother to check that it was connecting to genuine Microsoft servers or that the “updates” weren’t malware. If you connect to fake wi-fi access, such as the malicious ones that mimic Starbucks, hotel, Comcast, or AT&T wi-fi, a criminal could set up a fake Swift update server and directly attack your phone, when your phone goes looking for a Swift update.

    And since Swift has OS-level access, you’re gonna get whacked. The really amazing thing is that there’s no way to shut off Swift on the phone’s menus, at least none that I’ve found. Why can’t I disable a spell checker, like I can in Microsoft Word?

    Connecting to strange Wi-fi is a given, people do it all the time to save on their data plan. But with a weakness like this, hooking up with strangers could get you an STD (Samsung Transmitted Disease).

  9. Todd Smith

    Brian, great article! Which keyboard do you recommend for a Samsung device?

    1. MattyJ

      I personally would recommend the one on the iPhone.

    2. meh

      Doesn’t matter which you use, the problem is Samsung dumps this one in system apps and also did a broken update method which is basically impossible to fix unrooted and even rooted will involve tinkering with apps that they daisy chain together and often breaks other functionality if you freeze or delete.

    3. Mario Lacroix

      I personally like the “hacker’s keyboard” for Android, as it is able to emulate all PC keys, including Fn keys. This is useful when remote connecting to a PC using Citrix, exporting X, …
      Please, keep in mind that changing your Samsung keyboard DOES NOT SOLVE THE ISSUE, as it’s related to the auto update feature from the Samsung version.

  10. VPN Romania

    If more people ask their phone provider pointedly but politely what has been done, the more likely we will collectively get the answers we need!

  11. Mike

    Thank you Brian for the splendid article.

    Now….How am I supposed to react to this?
    oh, I know……..DUHHH!

    I’m getting more and more MAC users who seem to demand their Mac desktop PC’s be put on WiFi instead of a more secure, more reliable, and faster wired (ethernet) connection. So, while they are getting upset about their slow speeds, all I can do is laugh a little inside at their outright refusal to let me put them on a wired connection.

    I’ve always heard so much about how much safer a MAC is……well, I don’t think so!

    Let’s all just put these very same phones (that this article is about) in the hands of our six year old children. LOL….try telling THEM to be cautious about what app they install. That is IF they don’t end up with their phone getting a run through the washing machine and dryer. Does anyone really think the more intimate pictures their 15 year old daughter is taking of themselves (for what ever reason) ISN’T being seen by who-knows-who because of vulnerabilities like these? Ah yes, but that’s just life now….isn’t it?

    Does anyone really wonder about how a baseball team gets hacked? (supposedly by another team?)

    Does anyone really wonder how the “fappening” happens?

    These things “might” be designed by Apple, but they are made by people who consider capitalism to be a method of the devil.

    When I read things like this…..How can I honestly take seriously anything I hear or see that ridicules Windows XP? At least I can take complete control over what XP does. There isn’t a person alive on this planet that can say the same with regards to their so-called “smart” phones.

  12. Brian Fiori (AKA The Dean)

    Quick question. Do you actually have to be using that keyboard with the Samsung phone for it to be a security risk? I use the stock Android keyboard on my phone. Thanks in advance.

    1. Matt

      No. By virtue of just being installed with the privileges Samsung give it, the keyboard will periodically check for language updates. The attacker just gives it some fake updates, which Samsung process without verifying. You don’t need to use or even enable the keyboard for this to happen.

  13. Sylvain Gil

    My understanding is that the IOS vulnerability will only be exploited if the user installs a malicious app. Apple may have decided to step up its code review practice for App Store submissions, around the usage of the inter-app communication API. They may come up with a fix but according to AgileBits it is going to be tough to solve without impacting the user experience.

    Samsung on the other end is vulnerable out of the box, but the attacker has to be physically ‘near’ the victim in order to exploit the vulnerability. That is if the attacker isn’t a government that can control carrier level network traffic and compromise thousands of phones at once.

  14. Linda

    Because of past articles on Krebs, I keep all my password data on DataVault. As far as I know, I’ve never used Keychain on my Mac. However I just checked it and it has recent data in it. Can I safely delete everything in Keychain, then lock it?

  15. jim

    Samsung makes apple parts in its Chinese facilities. How is a machine better than its parts? OK my apple rant is over. But all these companies get money for selling consumer information. So, to spy on the consumer, they involve tracking and other technology that creates a trail. Why is this called a vulnerability? It’s part of the system. Is this calling a kettle black? Just because some one other than them is probably monetizing their track? And back?

  16. surfer100

    Just got off the phone with Apple support tier 2. No surprise, they “don’t have anything on our system about this issue.” They did agree to “report the issue up the chain.”

  17. steven

    I’m not very surprised that both iOS and various flavors of Android have such serious security flaws. These popular OSes introduce new features with every new iteration, which makes it almost impossible to get rid of serious bugs. I use a Blackberry Classic and I hope its unpopularity will make it less likely to have hackers’ attention. Of course, all OSes are never bug free.

  18. Just wondering then...

    What type of phone then would you say is most secure for communicating (calls, text, maybe email)?

    A cheap flip-phone perhaps?

    And what carrier would you consider most secure? A small MVNO?

    And lastly, what phone OS would you consider the most secure?

    Not trolling – I’m genuinely curious given all these break-ins and forced upgrade business models that imply lots of recent, still used, but now insecure phones out there.

    1. Daniel Montcalm

      I am of the tinfoil hat-wearing variety, but regardless it always astounds me how many people dismiss BlackBerry.

      In terms of security, they are best in class, period, no questions asked. Their newest phones with the secure BB10 OS run Android apps in an even more secure fashion than on Android phones. Governments use them to handle top secret communications, and Sony went to BlackBerry when they were recently hacked and all of their “upgraded” equipment was rendered useless.

      I use a BlackBerry Classic. Give one a shot, and you might very well find you like it.

      1. Canuck

        Read the Snowden files – BB is open too.

    2. timeless

      Interesting question.

      A few problems…

      If your phone is willing to speak to a 2G network, it can probably be tricked into talking to a fake (cellular) basestation.

      Any device with a web browser that doesn’t get periodic updates of its web browser is bad news.

      Any device at the mercy of carriers for OS updates is bad news.

      Historically, most flip phones or similar technically had OS updates, but you couldn’t actually get those updates either…

      Right now, there are a number of disclosed issues in iOS, the other is:

      http://9to5mac.com/community/the-latest-iphone-security-vulnerability-imessages-bug/

      Note: in general, the bigger your userbase, the more people will research/attack it. — iOS has a large userbase, Android has a large userbase, specifically Samsung’s userbase is very large.

      You could try to go w/ Cyanogenmod or possibly Silent Circle’s Blackphone (I know nothing about Blackphone).

      You could try “security by obscurity”, but unfortunately, most of these vendors fail to maintain/ship updates in a timely manner, and most likely they have at least as many vulnerabilities as everyone else, but those are less likely to be publicly disclosed.

      You could choose Microsoft’s platform, but I wouldn’t until Windows 10…

      If I were picking something today, I’d probably go for Google Voice on an x86-64 tablet (using WiFi, probably w/o a cellular modem) running Windows 10 beta. Google Voice lets me make/receive phone calls using any data connection, and send/receive SMS messages. Windows 10 will receive support for a fairly long time, and by not being a phone, you don’t have to worry about operators delaying your OS updates. You can choose to update on your schedule (I’d recommend fairly promptly). I’d stick w/ Windows Defender. You might install antimalware. I’d limit the number of apps I’d install. Doing almost everything using just a web browser (you can pick from Firefox, Chrome, or Edge). You can use a web based Office Suite. With a tablet, you can use a Yubikey — https://www.yubico.com/faq/yubikey/

      Note: while 2FA is important, technically SMS based authentication is risky — you’re at the mercy of the SMS path, including your Carrier — who can probably be socially engineered. So, using a yubikey or similar instead would probably be better.

      https://www.bestvpn.com/blog/14482/windows-10-will-include-fido-u2f-support/

  19. R0007

    Apparently the Swift keyboard vulnerability is ultimately due to the keyboard app downloading updates via HTTP and not doing a good job at verifying what it’s getting.

    This is pretty facepalmworthy. In today’s mobile environment how can you NOT care about data integrity?
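Both coakl’s comment above and R0007’s describe the same root cause: an auto-updater that applies whatever comes back from the network. The Go program below is an added illustration, not code from the article, NowSecure, Samsung or SwiftKey, of the check such an updater needs: a publisher public key pinned in the client and a detached signature verified over every downloaded payload before it is applied. The Update layout, the Ed25519 choice and the key-generation helper are assumptions made for this example, and the payloads are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is one artefact fetched by an auto-updater (say, a language pack)
// together with the publisher's detached signature over its bytes.
// This layout is an assumption made for the example, not the real
// keyboard's update format.
type Update struct {
	Payload   []byte
	Signature []byte
}

// ErrRejected is returned for any update whose signature does not verify
// under the key pinned in the client.
var ErrRejected = errors.New("update rejected: signature does not verify under the pinned key")

// newPublisherKeys makes the publisher's signing key pair. The private half
// stays with the release pipeline; only the public half ships in the client.
func newPublisherKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signUpdate is the publisher side: sign exactly the bytes that will be served.
func signUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// applyUnverified models the failure mode the comments describe: whatever the
// network returns is treated as a genuine update.
func applyUnverified(u Update) []byte {
	return u.Payload
}

// applyVerified is the hardened client. The payload is used only if its
// signature verifies under the pinned key; a party that can rewrite traffic
// can change the bytes but cannot produce a valid signature for them without
// the publisher's private key.
func applyVerified(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize || len(u.Signature) != ed25519.SignatureSize {
		return nil, ErrRejected
	}
	if !ed25519.Verify(pinned, u.Payload, u.Signature) {
		return nil, ErrRejected
	}
	return u.Payload, nil
}

func main() {
	pub, priv := newPublisherKeys()
	genuine := signUpdate(priv, []byte("langpack-en-GB v2 (constructed sample)"))

	// Constructed stand-in for a payload altered in transit: the bytes differ,
	// but the original signature no longer matches them.
	swapped := Update{Payload: []byte("not-a-langpack"), Signature: genuine.Signature}

	fmt.Printf("unverified client applies altered payload: %q\n", applyUnverified(swapped))
	if _, err := applyVerified(pub, swapped); err != nil {
		fmt.Println("verified client:", err)
	}
	if p, err := applyVerified(pub, genuine); err == nil {
		fmt.Printf("verified client applies genuine payload: %q\n", p)
	}
}
```

Verifying the artefact's signature is independent of how it was transported: fetching over HTTPS with a pinned certificate makes tampering on the wire harder, but only a signature checked against a key the client already holds proves the bytes came from the publisher, whichever network the device happens to be on.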

  20. Carling

    It’s time you all learned that Apple, Google and Microsoft are NOT the only mobile or computer operating systems in the world, when you all wake up to that fact you will all benefit financially from that knowledge.

    Apple, Google and Microsoft the MASSIVE for PROFIT companies lock their systems down to control their users, Where has Free Linux Open Source Operating Systems and Software allow users to control their own devices, be it smart phones, laptops/desktops/tablets.

    For those of you that don’t know, the Free Linux Operating System is the world’s fastest system; it’s supported and developed by the world’s top 200 plus largest hardware manufacturers. If you can’t accept that, then visit the Linux Foundation’s website, and learn who is behind the Linux Operating system.

    http://linuxfoundation.org/about/members/

    For the latest June 2015 free Linux operating system(s) go to
    http://distrowatch.com/

    For over 72,600 Free Linux professional application software packages and 1,700 Free Games check out this website.
    http://sourceforge.net/

    Now the rest is up to You!

    1. No

      Linux is free – if your time is worth nothing.

      1. Mike

        Meanwhile, the web (in general) continues to overflow with all kinds of time wasters, bandwidth wasters, and distractions.

        How much is a person’s time actually worth as they go through patch Tuesdays acquiring flawed updates to fix last month’s flawed updates that were meant to fix flawed programs that were not all that productive in the first place?

        Just how much is a person’s time really worth as they deal with such tremendous amounts of idiocy/non-sense within social media?

        Employers have asked about the worth that employees have attached to them when they spend more time on Facebook than actually doing their job.

        How much is a person’s time worth watching major media organizations fawn over certain politicians while ridiculing other politicians when almost all politicians are self-serving buffoons?

  21. Tom Olzak

    Let’s be fair to both LastPass and Swiftkey. (Disclaimer: I use both.) First, passwords stored IN LastPass vaults were NOT stolen. Only the hashed values of the vault passwords were taken. If you used the vault password at other sites (not very smart) you were vulnerable to other sites being accessed by the thieves. As for the Lastpass vault, use of two-factor authentication provides an almost insurmountable wall for even the most experienced hacker.

    As for Swiftkey, the Swiftkey downloadable apps ARE NOT affected.

    All of this information was either in Brian’s post or the recent Security Now webcast in which this was discussed in deep technical detail.

    As for Apple, I use LastPass, not the keychain. Further, I don’t use any browser-based password store. Risk is too high for me.

    1. Jerry Leichter

      The Swiftkey downloadable apps are not affected, but installing them does *not* replace the one that Samsung ships, and does not eliminate the vulnerability.

      It’s impossible to completely avoid the Keychain on Apple equipment as some stuff has to go there. On MacOS, your login password is there. I’m not sure if it is in iOS, but all kinds of stuff is. Many applications store information in Keychain: It’s offered by Apple as the appropriate place for applications to store “sensitive” information. You can use replacements like LastPass for many use cases – in general, where you would normally *type* a password – but not where applications invisibly save information for you. (For example, Keychain stores WiFi passwords so that you don’t have to type them each time.)

      So while you might avoid *some* of the risk, you can’t avoid *all* of it. This is a deep and complex bug; Apple will have to fix it and application developers may need to change the way they code to work within whatever new design Apple comes up with.
      — Jerry

  22. Rubin Thayne

    It’s a long time since I was directly involved with systems administration and support (back when OS X was still very new), and my recollection is that Macs were relatively easy to administer unless you had to integrate them into Windows environments (or possibly vice versa).

    The little network I run now is really not the place to try his suggestions out.

Comments are closed.