Vulnerability Note VU#155412
Samsung Galaxy S phones fail to properly validate SwiftKey language pack updates
Samsung Galaxy S phones, including the S4 Mini, S4, S5, and S6, fail to properly validate SwiftKey language pack updates.
CWE-345: Insufficient Verification of Data Authenticity - CVE-2015-4640
Samsung Galaxy S phones, including the S4 Mini, S4, S5, and S6, are pre-installed with a version of the SwiftKey keyboard that is signed by Samsung to operate with system privileges. By design, SwiftKey periodically checks for language pack updates over HTTP (CVE-2015-4640). By intercepting such requests and modifying the necessary fields, an attacker can write arbitrary data to vulnerable devices.
A remote, unauthenticated attacker conducting a man-in-the-middle attack may be able to write arbitrary data to vulnerable devices checking for updates. Based on the frequency of SwiftKey update checks, which "appears to be every 8 hours" according to NowSecure researchers, such an attack may have a low likelihood of occurring.
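The CWE-345 failure described above is that nothing binds the update metadata to the vendor, so whoever sits on the plaintext HTTP path can rewrite its fields and the client will act on them. The Python below is an added example, not SwiftKey's or Samsung's code, showing the layered check an update client should apply before installing a language pack. The manifest field names, VENDOR_KEY, the pack directory and the sample bytes are constructed for the demonstration; the HMAC tag stands in for a vendor public-key signature (e.g. Ed25519), which the standard library does not provide.

```python
import hashlib
import hmac
import json
from pathlib import PurePosixPath

# Constructed stand-in for an embedded vendor public key; a real client verifies
# an asymmetric signature here, so that only the vendor can produce a valid tag.
VENDOR_KEY = b"constructed-vendor-signing-key"
PACK_DIR = PurePosixPath("/data/languagepacks")  # constructed install directory


def sign_manifest(manifest: dict) -> str:
    """Authenticity tag the update server attaches to a manifest (server side)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()


def validate_update(manifest: dict, tag: str, pack: bytes) -> tuple:
    """Return (ok, reason_or_install_path). Every manifest field is untrusted
    until the tag over the whole manifest verifies, so rewriting the URL, the
    hash or the install name on the wire cannot be paired with a valid tag."""
    # 1. Authenticity of the metadata itself (the CWE-345 gap).
    if not hmac.compare_digest(sign_manifest(manifest), tag):
        return False, "manifest signature mismatch"
    # 2. The pack download must use a transport that protects integrity.
    if not manifest.get("url", "").startswith("https://"):
        return False, "pack must be fetched over HTTPS"
    # 3. The bytes received must be the bytes the authentic manifest commits to.
    if hashlib.sha256(pack).hexdigest() != manifest.get("sha256"):
        return False, "pack hash mismatch"
    # 4. The install name must stay inside the language-pack directory.
    target = PurePosixPath(manifest.get("name", ""))
    if target.is_absolute() or ".." in target.parts or len(target.parts) != 1:
        return False, "unsafe install path"
    return True, str(PACK_DIR / target)


# Constructed genuine update, as the vendor server would publish it.
GENUINE_PACK = b"constructed language pack bytes"
GENUINE_MANIFEST = {
    "name": "en_GB.zip",
    "url": "https://example.invalid/packs/en_GB.zip",
    "sha256": hashlib.sha256(GENUINE_PACK).hexdigest(),
}
GENUINE_TAG = sign_manifest(GENUINE_MANIFEST)


def modified_update_is_rejected() -> bool:
    """Model of the advisory: fields on the HTTP response are rewritten so the
    hash matches different bytes, but the vendor tag no longer verifies."""
    other_pack = b"constructed modified pack bytes"
    altered = dict(GENUINE_MANIFEST, sha256=hashlib.sha256(other_pack).hexdigest())
    ok, _ = validate_update(altered, GENUINE_TAG, other_pack)
    return not ok
```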
Apply an update
Avoid untrusted networks
Vendor Information
| Vendor  | Status   | Date Notified | Date Updated |
| Samsung | Affected | 02 Mar 2015   | 16 Jun 2015  |
CVSS Metrics
Thanks to Ryan Welton and Ted Eull of NowSecure for reporting this vulnerability.
This document was written by Joel Land.
- CVE IDs: CVE-2015-4640, CVE-2015-4641
- Date Public: 16 Jun 2015
- Date First Published: 16 Jun 2015
- Date Last Updated: 25 Jun 2015
- Document Revision: 32