LG resolves security vulnerabilities found by Israel's Check Point in LG smartphones


by Ifi Reporter Category:Hitech May 11, 2018

LG has issued a patch to resolve two security vulnerabilities in LG smartphone keyboards which can lead to remote code execution.

Several months ago, Check Point researchers uncovered two security flaws which impact the default keyboard system present in all current mainstream LG smartphone models.

When exploited, both vulnerabilities can be utilized to remotely execute code with elevated privileges on LG mobile devices, potentially leading to the theft of user and account information, session hijacking, and more.

The first vulnerability is caused by the use of an insecure connection for a sensitive process.

LG keyboards support handwriting modes in multiple languages, and while English is defined as default, users are able to download and install additional language packages.

When users request a new language pack or a language update, the system reaches out to a hardcoded server to retrieve language files. However, this download is made over an HTTP connection, which is far less secure than HTTPS and exposes users to man-in-the-middle (MITM) attacks and network eavesdropping.

If the connection is tampered with, users may unwittingly download, install, and execute malicious packets and software in place of the requested language file. Given such a pathway into a victim's mobile device, attackers have free rein to cause havoc, whether this is installing additional malware, keylogging, conducting surveillance, or stealing data.

The second vulnerability is a validation error in LG's file system. The location on disk of a downloaded file depends on metadata and file names, so a MITM proxy can control where the file is written.
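
The two flaws described above, a plaintext download and a write location taken from data that arrives with the download, correspond to checks an updater can enforce before it writes anything. The following is an added example, not LG's or Check Point's code; the function names, the idea of a SHA-256 digest taken from a manifest the app already trusts, and any sample values are assumptions.

```python
import hashlib
from pathlib import Path, PurePosixPath
from urllib.parse import urlsplit


class RejectedUpdate(Exception):
    """Raised when a language-pack download fails a safety check."""


def check_source(url: str) -> None:
    # Flaw 1: a plaintext HTTP fetch can be rewritten in transit.
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise RejectedUpdate(f"refusing non-HTTPS source: {url!r}")


def safe_destination(base_dir: Path, name: str) -> Path:
    # Flaw 2: the name arrives with the download, so treat it as untrusted.
    rel = PurePosixPath(name.replace("\\", "/"))
    if not rel.parts or rel.is_absolute() or ".." in rel.parts:
        raise RejectedUpdate(f"unsafe file name: {name!r}")
    base = base_dir.resolve()
    dest = (base / rel).resolve()  # also follows symlinks under base
    if base not in dest.parents:
        raise RejectedUpdate(f"path escapes language directory: {name!r}")
    return dest


def install_language_file(url, base_dir, name, payload, expected_sha256):
    """Write payload under base_dir only if every check passes."""
    check_source(url)
    dest = safe_destination(Path(base_dir), name)
    # Assumption: expected_sha256 comes from a manifest the app already trusts.
    if hashlib.sha256(payload).hexdigest() != expected_sha256.lower():
        raise RejectedUpdate("payload digest does not match manifest")
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(payload)
    return dest
```

HTTPS alone would close the first flaw, but the path and digest checks keep the second one closed even if the transport or the server is compromised.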
