Vulnerabilities Found in LG Mobile Devices

lgmobile-vulnResearchers from security firm Check Point has uncovered two vulnerabilities in LG’s mobile devices running a custom Android OS that can be used to elevate privileges on LG smartphones, allowing hackers to perform remote attacks and steal a user’s credentials and install malware.

The vulnerabilities are unique to LG mobile devices, which accounts for more than 20% of the Android OEM (original equipment manufacturer) market share in the U.S according to media measurement and analytics company comScore.

The first vulnerability, CVE-2016-3117, is a privilege escalation issue in the Android LG service LGATCMDService, which is used by LG software to connect the mobile device to a computer. Check Point’s mobile security research Adam Donenfeld explained, “This service was not protected by any bind permission, meaning any app could communicate with it, regardless of its origin or permissions. By connecting to this service, an attacker could address ‘atd,’ a high-privileged user mode daemon and a gateway for communications with the firmware.”

By exploiting this security flaw, attackers can read and overwrite identifiers such as the device’s MAC address and International Mobile Equipment Identity (IMEI) number, remotely reboot and wipe the contents of the device as well as disable USB connection, or even completely brick the device. Donenfeld noted that these would be useful especially to mobile ransomware by locking the user out of the device while also preventing the user from retrieving the files by connecting it with a computer via USB connection.

The second vulnerability, CVE-2016-2035, is a security issue in LG’s implementation of WAP Push, a type of text message containing URLs that directs the recipient to certain web pages via the user’s WAP (Wireless Action Protocol) browser. Donenfeld cited that LG’s implementation has an SQL injection vulnerability which can enable hackers to send messages to the device as well as modify or even delete text messages stored on the device.

Donenfeld said, “A potential attacker could use this vulnerability to conduct credential theft or to fool a user into installing a malicious app. The attacker could modify a user’s unread SMS messages and add a malicious URL to redirect the user to download a malicious app or to a fake overlay to steal credentials.”

Last February, one of LG’s flagship smartphones, G3, was discovered to have a critical security flaw in LG’s own Smart Notice notification app and exposed millions of G3 owners to data theft as well as denial-of-service (DDoS) and phishing attacks.

Dubbed ‘SNAP,’ security firm Cynet reported that the vulnerability allowed attackers to inject and run arbitrary Javascript codes in G3’s Smart Notice widget to get unfettered access to the device’s SD card, including the ability to overwrite and remove its contents as well as install malicious apps from the SD card itself.

[From the Security Intelligence Blog: Exploiting Vulnerabilities: The Other Side of Mobile Threats]

The consistent growth of consumer smartphone and mobile device usage has consequently made their adoption to corporate environments a growing trend. However, this has exposed enterprises to more security risks.

For instance, researchers Uri Kanonov and Avishai Wool from Tel Aviv University in Israel has uncovered a slew of critical vulnerabilities affecting the KNOX software (versions 1.0-2.3) running on devices with Android Jellybean OS (4.3) or older.

Samsung KNOX is a security feature offered in Samsung devices that are mainly used in BYOD (Bring Your Own Device) workplaces. It works by adding a toggle on the device’s screen and allows the user to separate personal and professional data—providing the advantage of using a ‘work phone’ without the need to carry a separate device.

According to their report, the security flaws enabled attackers to easily decrypt user passwords, conduct man-in-the-middle attacks, and steal data on KNOX's clipboard.

The first vulnerability (CVE-2016-1919) relates to weak encryption for user passwords, and “a vulnerability that allows an attacker to decrypt KNOX encrypted data without knowing the user’s password.” A second vulnerability (CVE-2016-1920) allows a user’s application running outside KNOX to perform man-in-the-middle attacks against KNOX’s SSL/TSL traffic. Computer traffic intercepted by the attacker can then steal data such as passwords, payment information and other important credentials. The third major bug (CVE-2016-3996) is found in one of KNOX’s proprietary service clipboardEx which gives access to both Android and KNOX’s clipboard apps. Its lack of encryption enables the attackers to steal the contents of the clipboards without needing to know the user’s passwords.

Samsung was already notified of the vulnerabilities and was able to issue patches to mitigate the security flaws. Check Point has also privately disclosed the security flaws to LG, and patches have been issued to prevent them from being exploited. The best course of action for KNOX users and owners of LG mobile devices would be to update their software and devices to their latest versions.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.