Samsung on Thursday said it will soon send out an update to fix a vulnerability found in the SwiftKey-developed keyboard technology in up to 600 million of its devices, including its flagship Galaxy S6 model.
"There have been no reported customer cases of Galaxy devices being compromised through these keyboard updates," Samsung said in a blog post published Thursday. "But as the reports indicate, the risk does exist and Samsung will roll out a security policy update in the coming days."
The vulnerability was uncovered by cybersecurity firm NowSecure, which informed Samsung of the issue late last year. It became public news earlier this week when NowSecure showed a demo of it at a cybersecurity conference. SwiftKey, which developed the keyboard, has said that the bug was a result of Samsung's software and does not affect the SwiftKey app found in the Apple App Store or Google Play.
The vulnerability lies in how Samsung updates the keyboard: the update uses a plaintext connection, which hackers can exploit if they are connected to the same unsecured Wi-Fi network as one of the affected devices. Those devices also include the Galaxy S5 and Galaxy S4. "This vulnerability, as noted by the researchers, requires a very specific set of conditions for a hacker to be able to exploit a device this way. This includes the user and the hacker physically being on the same unprotected network while downloading a language update," Samsung said.
The South Korean company said its fix will be issued in the coming days. Users who want to receive the fix should make sure they update their settings to receive updates automatically. "To ensure your device receives the latest security updates, go to Settings > Lock Screen and Security > Other Security Settings > Security policy updates, and make sure the Automatic Updates option is activated. At the same screen, the user may also click Check for updates to manually retrieve any new security policy updates," Samsung said.
Unfortunately, this update will not resolve the issue for all Samsung smartphones, only its Knox-enabled devices, which include the Galaxy S6, S5 and S4. For users with other devices, Samsung said "we are currently working on an expedited firmware update that will be available upon completion of all testing and approvals." Until then, it's best to avoid connecting to unsecured networks, such as those found in public spaces like coffee shops.