New research from NowSecure indicates a critical flaw in Samsung handsets that’s left an estimated 600 million devices vulnerable to simple man-in-the-middle-style hacks. This isn’t the first time Samsung’s poor security practices have been in the news this year, but this mobile flaw dwarfs the Smart TV encryption issues we covered this spring. The problem, however, has the same root cause — nonexistent encryption practices and poor security measures.

In this case, Samsung shipped its own version of SwiftKey, an Android keyboard. SwiftKey’s developers have stated that the bug is not present in their own version of the code, meaning Samsung is responsible for creating and distributing the flaw.

SwiftKey’s update process runs invisibly in the background, but it’s run at the System User permission level. That’s just one step away from root access and it gives the process permission to bypass security checks and safeguards that might otherwise prevent its operation. There’s very little in the way of file-checking or confirmation — the update process performs a hash check on the ZIP file it downloads, but researchers have already discovered how to bypass it.

Because Samsung performs all of this in plain text, it’s trivially easy for anyone on the same WiFi network to perform a classic man-in-the-middle attack and serve up an infected file with an identical SHA1 hash. This can then be used to monitor the camera and microphone, read messages, and install applications, all without the user being aware of it. Because SwiftKey can’t be uninstalled, any Galaxy S5 or S6 owner is potentially affected. Not using the keyboard doesn’t help, either — it can still check for background updates, and it’ll be vulnerable every time it does so.
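To show why the hash check described above offers no protection when the hash travels over the same plaintext channel as the package, here is a small model of the two verification designs. It is an added example, not NowSecure's or Samsung's code; the package bytes and the pinned key are constructed values, and the keyed tag stands in for the asymmetric signature a real updater would verify against a public key baked into the device.

```python
"""Model of the update-integrity failure described above (constructed example).

The insecure scheme downloads a manifest carrying a SHA1 and the ZIP over the
same unauthenticated channel. Whoever controls that channel controls both
values, so the hash check always passes. The hardened scheme verifies a tag
computed with a key pinned on the device, which the channel never carries,
so a substituted package is rejected.
"""
import hashlib
import hmac

# Pinned on the device at build time; never transmitted (constructed value).
PINNED_KEY = b"constructed-vendor-key-not-on-the-wire"


def build_release(package: bytes) -> dict:
    """What the legitimate server publishes: the package, its SHA1, and a tag."""
    return {
        "package": package,
        "sha1": hashlib.sha1(package).hexdigest(),
        "tag": hmac.new(PINNED_KEY, package, hashlib.sha256).hexdigest(),
    }


def tamper(release: dict, payload: bytes) -> dict:
    """What an on-path party can do to a plaintext download: swap the package
    and recompute the unauthenticated hash. It cannot recompute the tag."""
    return {**release, "package": payload, "sha1": hashlib.sha1(payload).hexdigest()}


def hash_only_check(release: dict) -> bool:
    """The flawed check: compares the package against a hash from the same channel."""
    return hashlib.sha1(release["package"]).hexdigest() == release["sha1"]


def pinned_tag_check(release: dict) -> bool:
    """The fix: recompute the tag with the pinned key (constant-time compare)."""
    expected = hmac.new(PINNED_KEY, release["package"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, release["tag"])


def evaluate(package: bytes, payload: bytes) -> dict:
    """Run both checks against a genuine release and a swapped one."""
    genuine = build_release(package)
    swapped = tamper(genuine, payload)
    return {
        "hash_only_accepts_genuine": hash_only_check(genuine),
        "hash_only_accepts_swapped": hash_only_check(swapped),
        "pinned_accepts_genuine": pinned_tag_check(genuine),
        "pinned_accepts_swapped": pinned_tag_check(swapped),
    }


if __name__ == "__main__":
    print(evaluate(b"genuine language pack", b"substituted language pack"))
```

The hash-only check accepts both releases; only the check anchored to something the channel does not carry rejects the swapped package, which is the property an updater running as the system user must have.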

The Android ecosystem is fundamentally inadequate

A few months ago, we covered Google’s decision to stop patching older versions of Android, even though devices running these versions are still being sold. One of the most common defenses of the company is that Google shouldn’t bother writing patches for its own operating system because it doesn’t control the distribution platform and can’t force OEMs to actually roll out an update.

Samsung is now stuck in a similar boat. By all accounts, the company actually fixed the SwiftKey bug back in January, but not a single carrier has yet included the fix. That means everyone with one of these devices is now vulnerable to a fairly trivial MitM attack. While Samsung deserves a significant chunk of the blame for failing to check its own security measures, it’s not the only institution at fault. What we see here is the end result of no one taking security seriously at any particular level.

This lack of security best practices is one reason why the Internet of Things could fail to take off. In a world where devices are incredibly easy to tamper with or hack, the benefits of “dumb” products could quickly overwhelm the bells and whistles manufacturers try to stick on their various “smart” hardware. As things stand, devices ship with incredibly broken security implementations, and the only response from wireless carriers is to sit on their collective thumbs.

If you own a Samsung Galaxy device, as of today, there’s absolutely nothing you can do to close this security hole. Rooting the device to remove the keyboard or installing Cyanogen might take care of the problem, but short of that, everyone is stuck with it.