![](https://d15shllkswkct0.cloudfront.net/wp-content/blogs.dir/1/files/2018/05/32988238642_70d27873ff_z.jpg)
Users of smartphones made by LG Electronics Inc. are being encouraged to update their phones quickly following the disclosure of two security vulnerabilities in the default keyboard.
First detailed by Check Point Security Software Technologies Ltd. in a report Tuesday, the two vulnerabilities could allow an attacker to remotely execute code with elevated privileges on LG mobile devices by manipulating the keyboard updating process. Once access is gained, hackers could then install a keylogger, allowing them to intercept keystrokes and hence private information such as account usernames and passwords.
The first vulnerability relates to how LG keyboards support different languages. When a new language is installed for the first time, or an existing language is updated, the device attempts to download the package from a server, but without encryption. The insecure HTTP request allows would-be hackers to intercept the request using a man-in-the-middle or eavesdropping attack and have their own, malicious version of the update installed instead.
The second vulnerability also relates to how LG phones deal with security, with a validation flaw in the LG keyboard software open to modification. That allows hackers to gain permissions to other files on the phone itself, and having gained access using the first vulnerability, they can then easily manipulate other data on the phone.
“More than 20 percent of the Android mobile phone market in the US consists of LG phones,” a spokesperson from Check Point told SiliconANGLE via email. “These vulnerabilities were tested and proven exploitable on some of LG’s flagship devices, including LG G4, LG G5 and LG G6.”
The good news is Check Point informed LG of the vulnerabilities well before publicly disclosing them, allowing LG to design patches to address them.
Details of the patches are available from the LG Security site, but as is often the case with mobile phone updates, carriers distribute them to users. That means that though some LG phone users may be able to access and install the updates now, others may have to wait, leaving them vulnerable to attack.