Samsung has this week confirmed security vulnerabilities that affect Galaxy S8, S9, S10, S10e, S10 Plus, S10 5G, Note 9, Note 10 and Note 10 Plus users as the October routine security maintenance release (SMR) rolls out to users of Galaxy devices. Amongst these are one critical vulnerability and three that are rated as "high." In all, there are some 21 security issues covered: 17 related to Samsung's "One" user interface and four concerning Android. Here’s what you need to know and what you need to do.
Let's look at the Android vulnerabilities first
You can read about the Google Android vulnerabilities in this report from Kate O'Flaherty on Forbes. The patches to fix these, including a critical-rated vulnerability, started rolling out to Google phone users on October 8, and the advice is to update as soon as possible.
The Samsung Galaxy specific security warnings
The October SMR includes patches from Google, which affect Galaxy 10 users as well as those with earlier devices from Samsung. There are also a whole bunch of vulnerabilities that specifically impact Galaxy 8 and Galaxy 9 device users. Amongst these, there is a Galaxy 9 vulnerability that is rated as being critical: SVE-2019-15435. This affects both the Galaxy S9 and Note 9, although details are sketchy as to the exact technical nature of the vulnerability as it has been "privately disclosed" to protect users until patches are installed. With around 30 million Galaxy 9 smartphones sold, and another 10 million Galaxy Note 9 devices, that's a potential 40 million users who need to take notice of this warning.
What is the critical Galaxy 9 and Note 9 vulnerability?
What is known about SVE-2019-15435? As I say, not a lot. The only information that Samsung has published is as follows: "Enhancement in IMEI security mechanism is required for improved protection against potential IMEI manipulation." It has been suggested this relates to a method of circumventing the IMEI blacklist, which prevents stolen devices from being easily resold. Anything that gets around this kind of protection makes the devices involved more attractive to criminals, who could get a better profit by selling them on with a "clean" IMEI number.