[ security discussion ] Flaw Lingers in Samsung Phones, Illustrating Hacking Risk

spawk

Senior Member
Jul 10, 2011
1,734
1,124
0
Mons,Bergen
Last fall, researchers at cybersecurity firm NowSecure found a bug in most Samsung smartphones that could allow hackers to spy on users.

In March, Samsung told NowSecure it had sent a fix to wireless carriers that they could distribute to users. It asked NowSecure to wait three months before going public.

Last week, the researchers bought two new Samsung Galaxy S6’s from Verizon Wireless and Sprint. They found both were still vulnerable to the security hole, which involves how the phone accepts data when updating keyboard software.

NowSecure CEO Andrew Hoog shared his version of events with The Wall Street Journal as his company prepared to release its research Tuesday. The story helps illuminate why hacking is so hard to stamp out.

That’s particularly true in smartphones, with its diffuse system of device makers, software programmers and network operators. Things likely are only to get worse as Americans connect their thermostats, door locks and cars to the Internet and face the need to update their software.

Samsung, Sprint and Verizon didn’t immediately respond to requests for comment Monday.

NowSecure’s Ryan Welton was scheduled to present his findings on the bug at a Black Hat mobile security conference in London on Tuesday.

The flaw shows how hackers can take advantage of software updates for nefarious purposes. In this case, Welton found he could hijack the process of updating one of the virtual keyboards Samsung installs on many Android smartphones. From there, he could eavesdrop on phone conversations, rummage through text messages and contacts, or turn on the microphone to capture audio.

That was possible, Hoog said, because Samsung didn’t encrypt the update process.

NowSecure’s story also offers a glimpse of the behind-the-scenes talks that often occur when a security company finds flaws in consumer software used by millions. The security firms generally give software makers time to fix the bug before going public.

In this case, NowSecure said it contacted Samsung in November 2014. On Dec. 16, Samsung asked for more time, Hoog said. On Dec. 31, it asked for a year to fix it, he said.

Hoog thought that was too long, reasoning that if his researchers found the bug, hackers would too.

The companies went back and forth until March, when Samsung said it had crafted a patch and had sent it to wireless carriers. They agreed the bug could be made public in about three months.

“We had some heartburn” over the delay, Hoog said. He said he does not know of any incidents where hackers exploited the flaw.

It was then up to the carriers to push users to download updates. That doesn’t always happen, or a user, running an old phone, may not bother.

NowSecure says it is yet to find a patched phone as of this week. Though “we still have to go to a T-Mobile store,” Hoog said.


Source: NowSecure, WSJ, Black Hat
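The article's point is that the keyboard update was accepted without any integrity protection, so whatever arrived over the network was installed. As an added example (not code from the article, NowSecure, or Samsung), the block below shows the device-side check that closes that gap: the updater verifies a detached signature under a vendor public key pinned on the device and refuses to install anything that fails, no matter how the bytes were delivered. The function names (`SignUpdate`, `VerifyUpdate`, `Tamper`), the payload string and the use of Go's standard-library Ed25519 are assumptions constructed for the demo, not the scheme any real vendor uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage models what a device receives from an update server:
// the payload plus a detached signature made with the vendor's private key.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is the vendor-side step. In a real deployment the private key
// stays in the vendor's build infrastructure; only the public key ships on
// the device. (Hypothetical helper, constructed for this example.)
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is the device-side gate: install only if the signature verifies
// under the pinned vendor public key. Transport (plain HTTP, HTTPS, USB) is
// irrelevant to this check, which is why it is the control that matters.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("update rejected: no valid pinned vendor key")
	}
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("update rejected: malformed signature")
	}
	if !ed25519.Verify(pub, pkg.Payload, pkg.Signature) {
		return errors.New("update rejected: signature does not match vendor key")
	}
	return nil
}

// Tamper simulates a package whose payload was altered after signing
// (constructed for the demo); the old signature is carried along unchanged.
func Tamper(pkg UpdatePackage) UpdatePackage {
	modified := append([]byte(nil), pkg.Payload...)
	modified = append(modified, []byte("\n# extra bytes")...)
	return UpdatePackage{Payload: modified, Signature: pkg.Signature}
}

func main() {
	// Vendor generates its key pair once; the device is provisioned with pub.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuine := SignUpdate(priv, []byte("keyboard-update-v2 (constructed payload)"))
	fmt.Println("genuine package:", VerifyUpdate(pub, genuine)) // <nil>
	fmt.Println("altered package:", VerifyUpdate(pub, Tamper(genuine)))

	// A package signed by some other key must also be rejected, even though
	// its signature is well-formed: the device trusts only the pinned key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("foreign key:    ", VerifyUpdate(pub, SignUpdate(otherPriv, genuine.Payload)))
}
```

The design choice worth noting is that verification is keyed to a public key burned into the device image rather than to the channel the update came over; encrypting the transport helps against eavesdropping, but only an integrity check against a pinned key lets the device reject a modified update regardless of where it was modified.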

spawk

The problem is that Samsung has a fix for this bug, but I don't know why Samsung doesn't give this fix in an update. That would be better, and the problem would be fixed now. Perhaps they want to wait to launch it with an M update??? Or an L 5.1?