Following up on our story this week on Samsung’s stock keyboard security hole, Samsung has released an official statement regarding the issue.
As we noted in our story, Samsung acknowledges that there’s a hole but there’s also a specific set of circumstances that need to line up:
“This vulnerability, as noted by the researchers, requires a very specific set of conditions for a hacker to be able to exploit a device this way. This includes the user and the hacker physically being on the same unprotected network while downloading a language update. Also, on a KNOX-protected device there are additional capabilities in place such as real-time kernel protection to prevent a malicious attack from being effective.”
So the chances of this happening to you are slim. However, the hole is real and Samsung is moving to patch it. In their official statement they say that the security policy updates will begin rolling out in a matter of days.
“All flagship models since Galaxy S4 have the KNOX security platform installed and have the KNOX platform protection enabled when you turn the device on. One of these protections is Security Enhancements (SE) for Android which enforces a number of mandatory security settings on the device. Samsung KNOX has the capability to update the security policies of our devices, over-the-air, to invalidate potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days.”
While the security policy will be pushed to devices with KNOX, you will need to make sure your device is set up to receive it. You will need to go to Settings > Lock Screen and Security > Other Security Settings > Security policy updates, and make sure the Automatic Updates option is activated. On my Galaxy Note Edge, “Lock Screen” and “Security” are separate options in the Settings menu, so you may need to look for that. While you’re in the Updates section, you can go ahead and do a manual check for updates as well.
If you have a device that does not have KNOX, then you’re going to have to wait for a firmware update. Samsung says they are expediting an update, but the little asterisk says that how fast it gets to end users will be up to the carriers.
As long as there is software, there are going to be holes found, and it’s good that Samsung is acknowledging this one and fixing it. It’s also good that they can push the update to a majority of the affected devices without having to go through the carriers.
Have you seen any security policy updates come through on your Samsung device? Let us know in the comments.
Source: Samsung