LG patches serious vulnerabilities in its phone keyboard software
Users of smartphones made by LG Electronics Inc. are being encouraged to update their phones quickly following the disclosure of two security vulnerabilities in the default keyboard.
First detailed by Check Point Security Software Technologies Ltd. in a report Tuesday, the two vulnerabilities could allow an attacker to remotely execute code with elevated privileges on LG mobile devices by manipulating the keyboard updating process. Once access is gained, hackers could then install a keylogger, allowing them to intercept keystrokes and hence private information such as account usernames and passwords.
The first vulnerability relates to how LG keyboards support different languages. When a new language is installed for the first time, or an existing language is updated, the device attempts to download the package from a server, but without encryption. The insecure HTTP request allows would-be hackers to intercept the request using a man-in-the-middle or eavesdropping attack and have their own, malicious version of the update installed instead.
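The checks an update client needs in order to resist the substitution described above, shown as an added example that is not LG's or Check Point's code. The host name and sample packs are hypothetical, and the expected digest is assumed to come from a manifest the client already trusts, for instance one shipped inside the signed app.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical update host for this example; not LG's real server.
TRUSTED_HOSTS = {"langpacks.example.com"}

class UpdateRejected(Exception):
    """Raised when a language pack fails a transport or integrity check."""

def check_transport(url):
    """Refuse any download that is not HTTPS to a known host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected("plaintext transport: " + url)
    if parts.hostname not in TRUSTED_HOSTS:
        raise UpdateRejected("unexpected host: " + str(parts.hostname))

def check_integrity(package, expected_sha256):
    """Compare the downloaded bytes with the digest from a trusted manifest."""
    actual = hashlib.sha256(package).hexdigest()
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise UpdateRejected("digest mismatch")

def evaluate(url, package, expected_sha256):
    """Return 'install' or the reason the pack was rejected."""
    try:
        check_transport(url)
        check_integrity(package, expected_sha256)
    except UpdateRejected as err:
        return "reject: " + str(err)
    return "install"

# Constructed sample data: a genuine pack and a substituted one.
GENUINE = b"constructed-language-pack-v2"
SWAPPED = b"constructed-substituted-pack"
MANIFEST_DIGEST = hashlib.sha256(GENUINE).hexdigest()

if __name__ == "__main__":
    cases = [
        ("http://langpacks.example.com/ko.zip", GENUINE),   # plaintext request
        ("https://langpacks.example.com/ko.zip", SWAPPED),  # altered content
        ("https://langpacks.example.com/ko.zip", GENUINE),  # expected case
    ]
    for url, body in cases:
        print(url, "->", evaluate(url, body, MANIFEST_DIGEST))
```

The transport check alone would have blocked the plain HTTP request; the digest check catches a substituted pack even if it arrives over a channel the client considers acceptable.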
The second vulnerability also relates to how LG phones deal with security: a validation flaw in the LG keyboard software is open to modification. That allows hackers to gain permissions to other files on the phone itself, and having gained access using the first vulnerability, they can then easily manipulate other data on the phone.
“More than 20 percent of the Android mobile phone market in the US consists of LG phones,” a spokesperson from Check Point told SiliconANGLE via email. “These vulnerabilities were tested and proven exploitable on some of LG’s flagship devices, including LG G4, LG G5 and LG G6.”
The good news is Check Point informed LG of the vulnerabilities well before publicly disclosing them, allowing LG to design patches to address them.
Details of the patches are available from the LG Security site, but as is often the case with mobile phone updates, carriers distribute them to users. That means that though some LG phone users may be able to access and install the updates now, others may have to wait, leaving them vulnerable to attack.
Photo: LG/Flickr