UPDATED 00:05 EDT / MAY 11 2018

LG patches serious vulnerabilities in its phone keyboard software

Users of smartphones made by LG Electronics Inc. are being encouraged to update their phones quickly following the disclosure of two security vulnerabilities in the default keyboard.

First detailed by Check Point Security Software Technologies Ltd. in a report Tuesday, the two vulnerabilities could allow an attacker to remotely execute code with elevated privileges on LG mobile devices by manipulating the keyboard updating process. Once access is gained, hackers could then install a keylogger, allowing them to intercept keystrokes and hence private information such as account usernames and passwords.

The first vulnerability relates to how LG keyboards support different languages. When a new language is installed for the first time, or an existing language is updated, the device attempts to download the package from a server, but without encryption. The insecure HTTP request allows would-be hackers to intercept the request using a man-in-the-middle or eavesdropping attack and have their own, malicious version of the update installed instead.

The second vulnerability also concerns how LG phones handle security: a validation flaw in the LG keyboard software leaves its file checks open to modification. That lets hackers gain permissions to other files on the phone itself, so once they have a foothold through the first vulnerability, they can easily manipulate other data on the device.
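As an added illustration (not LG's or Check Point's code), the following Python sketch shows the two checks an update installer should make before installing a downloaded keyboard language pack: refuse any package fetched over plain HTTP, and verify the package bytes against a digest pinned in a manifest obtained out of band. The URL, package bytes and digest below are constructed sample values, not real LG update data.

```python
import hashlib
import hmac
from typing import List
from urllib.parse import urlparse

# Constructed sample: a stand-in "language pack" and the digest that a
# hypothetical signed manifest says it must have. Not a real LG package.
SAMPLE_PACK = b"LG-KEYBOARD-LANGPACK:de_DE:v1"
SAMPLE_PACK_SHA256 = hashlib.sha256(SAMPLE_PACK).hexdigest()


def check_language_pack(url: str, package: bytes, expected_sha256: str) -> List[str]:
    """Return the reasons a downloaded pack must be rejected (empty list = accept).

    The two checks map to the weaknesses described in the article:
      1. transport: the download must use HTTPS, otherwise an on-path attacker
         can swap the package in transit (the plain-HTTP flaw);
      2. integrity: the bytes must match a digest pinned in a manifest that was
         not fetched over the same untrusted channel (here: passed in by the caller).
    """
    problems = []
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        problems.append(f"insecure transport: scheme {parsed.scheme!r} is not https")
    if not parsed.netloc:
        problems.append("malformed url: missing host")
    actual = hashlib.sha256(package).hexdigest()
    # Constant-time comparison so the check does not leak how much of the digest matched.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        problems.append("integrity failure: package digest does not match manifest")
    return problems


if __name__ == "__main__":
    good = check_language_pack("https://updates.example.invalid/de_DE.pack",
                               SAMPLE_PACK, SAMPLE_PACK_SHA256)
    tampered = check_language_pack("http://updates.example.invalid/de_DE.pack",
                                   SAMPLE_PACK + b"X", SAMPLE_PACK_SHA256)
    print("good pack:", good or "accepted")
    print("tampered pack over http:", tampered)
```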

“More than 20 percent of the Android mobile phone market in the US consists of LG phones,” a spokesperson from Check Point told SiliconANGLE via email. “These vulnerabilities were tested and proven exploitable on some of LG’s flagship devices, including LG G4, LG G5 and LG G6.”

The good news is Check Point informed LG of the vulnerabilities well before publicly disclosing them, allowing LG to design patches to address them.

Details of the patches are available from the LG Security site, but as is often the case with mobile phone updates, carriers distribute them to users. That means that though some LG phone users may be able to access and install the updates now, others may have to wait, leaving them vulnerable to attack.

Photo: LG/Flickr
