1. Welcome Guest! In order to create a new topic or reply to an existing one, you must register first. It is easy and free. Click here to sign up now!.
    Dismiss Notice

LG Smartphones Affected by Two Severe Vulnerabilities

Discussion in 'Mobile Phones & Devices' started by starbuck, May 31, 2016.

  1. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    One can allow a crook to wipe devices clean

    9859cbc34bae6632d965e77fda69cafc.jpg

    Two researchers from Check Point's mobile security division uncovered two vulnerabilities in LG's custom modification of the Android OS, which enable attackers to take control of the device.

    The researchers presented their findings at this year's LayerOne security conference, but not before working with LG to address the issues.

    Despite Google's best efforts to secure the Android OS, changes made to the operating system by various OEMs introduced new vulnerabilities unique to those devices alone.
    In LG's case, these two vulnerabilities affected one in five mobile devices in the US, according to data from a recent comScore survey.

    CVE-2016-3117: Privilege escalation leads to device bricking

    The first issue the two presented is a privilege escalation in the Android LG service called LGATCMDService.
    The researchers discovered that a malicious app could connect to this service, regardless of its original access privileges and get "atd" user permissions.

    An attacker could read or even write new IMEI and MAC addresses, disable the USB connection, reboot the smartphone on demand, wipe a phone's memory, or even brick the device completely.

    "Ransomware would find these features very useful by locking a user out of a device and then disabling the ability to retrieve files by connecting the device with a computer via USB," the researchers said.

    CVE-2016-2035: SQL injection leads to phishing

    The second issue the researchers helped LG fix is as dangerous as the first one and can be found in the WAP Push protocol that's used to send URLs to mobile devices via the SMS protocol.

    The two FireEye researchers claim that an SQL injection in the components of this protocol can be used to allow attackers to control the links sent to user devices.

    The attacker can push URLs into unread SMS messages and distribute links to malicious apps or credentials-stealing phishing pages.



    Source:
    http://news.softpedia.com/news/lg-smartphones-affected-by-two-severe-vulnerabilities-504624.shtml
     

Share This Page