A security flaw in the SwiftKey-developed keyboards pre-installed on Samsung smartphones is leaving at least 600 million devices vulnerable to hackers. The flaw, discovered by security firm NowSecure, could allow hackers to take control of those devices, which use unencrypted connections to update when users download new language packs.
Those unsecured connections leave a hole that hackers could exploit if users connect to the Internet over unsecured Wi-Fi networks, which users typically encounter when they're out and about.
Through this vulnerability, a hacker could potentially access a phone's GPS, camera and microphone; install malware; eavesdrop on phone calls or see text messages; or even access a user's personal data, such as their photos, NowSecure said.
The vulnerability applies to Samsung's latest flagship phone, the Galaxy S6, as well as the Galaxy S5, Galaxy S4 and the Galaxy S4 Mini models from Verizon, AT&T, Sprint and T-Mobile, according to NowSecure, which said that more devices may also be impacted. If you're feeling particularly geeky, you can see how the hack plays out in the video below.
NowSecure reported the weakness to Samsung in December. Since then, Samsung has sent carriers a patch to fix the issue, Forbes reported, but it's unclear how many carriers have delivered that update to their users. SwiftKey, meanwhile, has issued a statement saying the issue only affects the Samsung pre-installed version of its software, which means users who downloaded the company's app from Google Play or the Apple App Store are not at risk.
If you own a Samsung device and are concerned about this bug, NowSecure advises that you do not use insecure Wi-Fi networks, that you switch to a different device entirely or that you reach out to your carrier for information about whether or not your device is at risk.