CVE-2018-21060 in Samsung

Summary

by MITRE

An issue was discovered on Samsung mobile devices with N(7.x) and O(8.x) software. There is a Keyboard learned words leak in the locked state via the emergency contact picker. The Samsung IDs are SVE-2018-11989, SVE-2018-11990 (September 2018).


Analysis

by VulDB Data Team • 10/07/2020

This vulnerability affects Samsung mobile devices running Android 7.x and 8.x, where the keyboard's learned-word functionality can be accessed through the emergency contact picker even when the device is locked. The flaw represents a significant privacy and security concern, as it allows unauthorized access to personal data that users would normally expect to remain protected while the device is locked. The vulnerability stems from improper access controls within the keyboard application's implementation, specifically how it handles learned words and predictive text functionality when the device is secured with a lock screen.

The vulnerability arises from a design flaw in the emergency contact picker interface, which fails to properly enforce security boundaries between the lock screen and keyboard services. When users access the emergency contact picker from a locked device, the system incorrectly grants access to the keyboard's learned word database, which contains personal information such as names, phrases, and other frequently used words that the user has typed. This occurs because the keyboard service does not properly validate the security context when accessed through the emergency contact picker, allowing unauthorized data extraction. The vulnerability is particularly concerning as it bypasses the expected security model, in which lock screen applications should not have access to sensitive personal data stored within system services.

The operational impact of this vulnerability extends beyond simple information disclosure to potentially enable more sophisticated attacks. An attacker with physical access to a locked device could extract personal information that might be used for social engineering, identity theft, or targeted attacks against the user. The learned words database contains intimate details about the user's communication patterns and personal preferences, making it valuable for attackers seeking to craft convincing phishing attempts or impersonate the user in various contexts. This vulnerability directly violates the principle of least privilege and demonstrates a failure in the security architecture of the device's lock screen implementation. The issue affects a substantial number of devices given the widespread adoption of Android 7.x and 8.x versions, making it a significant concern for enterprise security and individual privacy protection.

Mitigation strategies should focus on implementing proper access controls and security boundary enforcement within the emergency contact picker and keyboard service interactions. Device manufacturers should ensure that applications accessing system services from a locked state properly validate security contexts and enforce appropriate access controls. Security patches should be deployed to fix the underlying implementation flaw in how the keyboard service handles learned word data access through the emergency contact picker interface. Organizations should also consider implementing device encryption and additional security measures such as biometric authentication to provide defense in depth. This vulnerability aligns with CWE-284, which describes improper access control, and relates to ATT&CK technique T1552.001 for unsecured credentials and T1552.006 for data from cloud storage. Users should be advised to keep their devices updated with the latest security patches and to consider additional security measures such as strong authentication mechanisms and encryption of sensitive data.

Reservation

04/07/2020

Moderation

accepted

CPE

ready

EPSS

0.00413

KEV

no

Activities

very low
