Vulnerabilities found in smartphones from LG

Check Point Research has discovered two vulnerabilities in the pre-installed virtual keyboard of LG flagship smartphones (LG EIME). Check Point confirmed the vulnerabilities by testing the flagship devices LG G4, LG G5 and LG G6.

According to the report, the vulnerabilities could be used to remotely execute code with elevated privileges on LG mobile devices. An attacker could abuse the keyboard's update process and turn the keyboard into a keylogger, thereby gaining access to confidential user data.

The first security flaw is related to the handwriting feature. It turned out that to update the interface language, the device connects to an external server over an insecure HTTP connection, through which a Man-in-the-middle (MITM) attack could be carried out. Such an attack allows downloading a malicious file to a smartphone instead of a legitimate language update.

The second vulnerability concerns the location of the language file. Through the 'directory traversal' mechanism, a hacker could change the file extension and inject malware into the configuration file in the LG keyboard directory.
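The checks an update handler would need to close both flaws described above, as an added example that is not code from LG or Check Point: it requires HTTPS, compares the payload with a digest from a trusted source, restricts the extension, and confines the destination path to the language directory. The `.dat` extension, the directory path, the URL and the signed-manifest digest are assumptions made for illustration.

```python
import hashlib
import os
from urllib.parse import urlsplit

class UpdateRejected(Exception):
    """Raised when a language update fails a safety check."""

def safe_destination(base_dir, file_name):
    """Resolve file_name under base_dir, refusing anything that escapes it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, file_name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise UpdateRejected("path escapes language directory")
    return target

def check_update(url, file_name, payload, expected_sha256, base_dir,
                 allowed_ext=(".dat",)):  # ".dat" is an assumed extension
    """Return the path the payload may be written to, or raise UpdateRejected."""
    if urlsplit(url).scheme != "https":
        raise UpdateRejected("update must be fetched over HTTPS")
    if not file_name.endswith(allowed_ext):
        raise UpdateRejected("unexpected file extension")
    # expected_sha256 must come from a trusted source (assumed: a signed manifest)
    if hashlib.sha256(payload).hexdigest() != expected_sha256:
        raise UpdateRejected("digest does not match trusted manifest")
    return safe_destination(base_dir, file_name)

def verdict(*args):
    """Return 'ok' or the rejection reason, for the constructed cases below."""
    try:
        check_update(*args)
        return "ok"
    except UpdateRejected as exc:
        return str(exc)

# Constructed sample values (not from the page).
BASE = "/data/keyboard/lang"
PAYLOAD = b"constructed language pack bytes"
DIGEST = hashlib.sha256(PAYLOAD).hexdigest()

if __name__ == "__main__":
    for url, name in [("https://updates.example/lang", "fr.dat"),
                      ("http://updates.example/lang", "fr.dat"),
                      ("https://updates.example/lang", "../conf/other.dat"),
                      ("https://updates.example/lang", "fr.so")]:
        print(name, "->", verdict(url, name, PAYLOAD, DIGEST, BASE))
```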

Check Point researchers promptly reported the vulnerabilities to LG, which released a patch with the May security update. The company has combined the discovered vulnerabilities into one, LVE-SMP-170025, and strongly recommends updating the OS on smartphones of the G series (G5, G6), V series (Q10, Q10, V8) and X series (X300, X400, X500).
