600 million Samsung Galaxy phones exposed to hackers

Here's how you can profit from hacking
Here's how you can profit from hacking

Every Samsung Galaxy device -- from the S3 to the latest S6 -- has a significant flaw that lets in hackers, researchers have discovered.

The vulnerability lives in the phones' keyboard software, which can't be deleted. The flaw potentially allows hackers to spy on anyone using a Samsung Galaxy phone.

You can be exposed by using public or insecure Wi-Fi. But some researchers think users are exposed even on cell phone networks.

Researchers at NowSecure, a cybersecurity firm, say they told Samsung (SSNLF) about the vulnerability in November. Seven months later, nothing has been fixed. That's why NowSecure made its findings public on Tuesday.

How serious is this problem? NowSecure CEO Andrew Hoog said that, on a well-established system that ranks cybersecurity problems from 1 to 10, this vulnerability stood at 8.3.

NowSecure said it tested several Galaxy models on many different cell phone carriers. All were vulnerable. Assuming every Galaxy out there is the same, NowSecure estimates 600 million devices are affected.

galaxy note 2
Researchers say nearly every Samsung Galaxy phone -- going back to the S3 in 2012 -- is vulnerable to hackers.

The problem involves the word prediction software used by Samsung devices. It's made by British tech firm SwiftKey, which Samsung installs in devices at the factory.

Last year, NowSecure researchers discovered that the SwiftKey keyboard can be tricked to accept a malicious file when the software updates. Because of the way the keyboard is installed, that virus can access some of the deepest, core parts of the phone's computer system.

With that level of access, a hacker can then do pretty much anything to your phone.

This hack isn't easy. But it's a tactic for cyberattackers on a mission with lots of money and access WiFi or cell networks. One possible target? Company executives traveling to countries, such as China, where the government routinely spies on visitors to steal their business plans.

It also exposes high-level U.S. government officials. Samsung just earned the NSA's blessing for its Galaxy devices, which were approved for use by government employees. And the latest hack of federal employees -- allegedly by the Chinese government -- shows they are valuable targets.

Neither Samsung nor SwiftKey have claimed responsibility for inserting the flawed computer code. In a public statement, SwiftKey said it only found out about the flaw on Tuesday. SwiftKey said "the way this technology was integrated on Samsung devices introduced the security vulnerability."

To calm down worried users, the British firm argued that this hack isn't easy to pull off. It involves particular timing. A hacker can only sneak into a device when the keyboard software is applying a software update.

In a statement to reporters, Samsung said it "takes emerging security threats very seriously... and [is] committed to providing the latest in mobile security."

The company also said it's about to patch the issue through its Samsung KNOX service. "Updates will begin rolling out in a few days," the company said, although it's unclear whether all devices will receive the fix.

Part of the incredibly long delay to fix this problem is due to the way phone manufacturers work with cell phone carriers like AT&T (T), Sprint (S), T-Mobile (TMUS) and Verizon (VZ). Samsung could race to create a fix, but people must wait until carriers get around to distributing them.

This fractured system causes frequent complaints from users, who must patiently wait for all new software: everything from new features to patches for dangerous computer bugs.

NowSecure said it notified Samsung in November -- and as evidence of how slow this system is -- on December 31, Samsung asked for a year to fix it.

In its defense, Samsung said cybersecurity researchers at NowSecure didn't fully explain the problem in November.

"We learned about the full extent this past week," Samsung told CNNMoney.

NowSecure advised Samsung Galaxy users to avoid insecure Wi-Fi, ditch their phones, and call their cell phone carriers to pressure them into a quick fix.

Hoog said they made the vulnerability public because the pressure was just too great. The cybersecurity firm had advised companies for half a year, unable to tell them that their employees and managers were are serious risk of being spied on by hackers.

"We needed to inform them about the risk," he told CNNMoney. "It would be naive to think other entities [such as governments and cybermafias] would not be capable of finding this and executing it."

Watch a hacker steal encrypted passwords
Watch a hacker steal encrypted passwords

CNNMoney Sponsors