Tag Archives: Samsung

Fix for 600 Million Galaxy Phones Available Soon

You might have heard of the security issue with Galaxy phones that was everywhere in the media this week. If not, let me fill you in:

Samsung phones come preinstalled with SwiftKey, a very popular alternative keyboard for Android and iOS. Security researchers from NowSecure discovered a vulnerability in the update mechanism of the customized version that Samsung ships on most Galaxy phone models.

According to NowSecure, “a remote attacker capable of controlling a user’s network traffic can manipulate the keyboard update mechanism on Samsung phones and execute code as a privileged (system) user on the target’s phone. This can be exploited in a manner that requires no user interaction — a user does not have to explicitly choose to download a languagePack update to be exploited.”

Samsung itself played the issue down and stated that a “very specific set of conditions” needs to be met in order for the attack to be successful. Nonetheless, a patch will be made available soon; after all, more than 600 million Samsung Galaxy phones are affected. The drawback is that only devices that have Samsung’s Knox security platform installed will benefit from the updates. “For the devices that don’t come with KNOX by default, we are currently working on an expedited firmware update that will be available upon completion of all testing and approvals,” the company says in its statement.

The post Fix for 600 Million Galaxy Phones Available Soon appeared first on Avira Blog.

Internet of Things still not taking privacy seriously

It seems that companies developing the connected devices that make up the Internet of Things are in a constant race to release new technologies while potentially compromising on privacy.

It emerged this week that certain models of Samsung’s smart TVs are able to record conversations while voice recognition is active.

Samsung’s Terms and Conditions read:

“Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features.”

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”

So while voice recordings will only be made while the feature is active, the Terms and Conditions do state that:

“If you do not enable Voice Recognition… while Samsung will not collect your spoken word, Samsung may still collect associated texts and other usage data so that we can evaluate the performance of the feature and improve it.”

I have blogged and spoken on privacy and the Internet of Things several times and it is disappointing to find that privacy and security are still not part of the design process for most consumer IoT devices.

First, in 2013 I highlighted the amount of data that is being generated by each and every user of connected devices, often without their knowledge or understanding.

Then, in 2014 I revealed how voice activated technology could be used to manipulate devices into executing unauthorized commands such as sending emails, or controlling a smart TV.

Video: How Voice Activated devices can be hacked

Here we have the two issues combined into one:

  • End users are likely unaware that their data is being collected while using the voice command feature. Likewise, they don’t understand that this data is used and shared.
  • Voice-activated technology can be used in potentially harmful ways. Entering sensitive data such as a password via voice recognition may seem safe, but voice command records can be stored and stolen just like written files.

Users may not understand that while Samsung’s privacy policy contemplates the use of active voice commands, voice activation features can be used both actively and passively, meaning that devices can be constantly recording sound and identifying activation commands.

There is, as such, a potential for privacy issues here.

It’s about time that manufacturers of smart devices started taking the privacy and security of their users seriously. Only a few weeks ago, a wireless baby monitor was hijacked and the attacker communicated directly with the nanny through the device.

After CES 2015, I commented that privacy should be at the very heart of the Internet of Things, a sentiment echoed by the FTC and its Chairwoman Edith Ramirez in their report on the Internet of Things.

Hopefully, it will not be too long before the public and electronics producers realize that going online should not mean surrendering your privacy.