Millions of LG phones at risk, Israeli team discovers
For second time in a month, researchers at cyber-security firms BugSec and Cynet discover a major security problem that leaves tens of millions at risk
For the second time in a month, an Israeli team has uncovered a major security breach built into smartphone hardware that millions of users depend upon – and expect to be safe to use. A joint team of researchers from Israeli cyber-security firms Cynet and BugSec announced their find on Thursday.
Just three weeks ago, the same team unveiled a security flaw allowing hackers to breach through firewalls and control computers and laptops.
“We were doing research on apps that we believed had vulnerabilities, and were using an LG G3 device to do it,” Idan Cohen, CTO of BugSec, told The Times of Israel exclusively. “But we noticed that there seemed to be a security hole in all the apps we were testing – and it was then we realized we were dealing with a security problem endemic to the device.”
That problem, called the SNAP vulnerability, takes advantage of a built-in feature on LG’s most popular model. “It uses a flaw in one of the LG applications, Smart Notice, which is pre-installed automatically on every new LG device. Smart Notice displays to users the recent notifications that can be forged to inject unauthenticated malicious code.”
The team has known about the vulnerability for several months, said Cohen, but waited until LG developed a patch to protect phones before going public with the information. It should be noted that there are no documented cases of a hacker using the vulnerability – but given the potential use, LG immediately began working on a fix, which was released this week, prior to the Cynet/BugSec announcement.
Although now superseded by the G4, LG’s G3 model remains very popular with its users. “The G4 has only been on the market for a few months, and most users haven’t upgraded yet, so there are still many G3s in use. Because the vulnerability is in the built-in Smart Notice application, any app that uses it – and almost every app that gets messages does – is a potential vehicle for hackers to use to reach an individual’s device, stealing data, sending revealing photos stored on the device to social media, grabbing saved credit card information, etc.,” Cohen said.
The vulnerability allows hackers to use a JavaScript routine to run server-side code, allowing them to extend the reach of code to take control of a device. In a blog post, the researchers detail and demonstrate how they were able to grab phone numbers and ID information out of a phone’s memory, access a phishing site with a device’s browser to download malware, or even run a denial-of-service attack against a web site – directly from the device, without its owner even being aware of what was going on. “The malicious code could be delivered by apps that utilize messaging services,” said Cohen. “We created two – one that informed users of WhatsApp messages, and one that prompted them to scan a QR code – but many other methods could be used as well.”
Upon discovering the problem, Cohen said that the team – led by researchers Liran Segal and Shachar Korot – did the responsible thing and informed LG. “They were very professional about it, and worked with us to understand the problem and ways to fix it,” said Segal. “As to how they allowed such a vulnerability into their device, they didn’t explain and we didn’t ask,” as the matter was an internal LG one. “I imagine they are doing their own internal reckoning right now,” he said.
Acknowledging the issue wasn’t necessarily the way firewall makers reacted last month when another team of BugSec and Cynet researchers informed them about the massive design flaw in next-generation firewalls, which examine application communications instead of port access to determine whether or not a hacker is trying to break through.
In that case, as well, a JavaScript flaw allowed hackers to waltz through the firewall’s protective shield and take control of computers and servers. “This vulnerability could potentially be a big risk for organizations,” said Stas Volfus, Head of Offensive Security for the team. “It’s built into all next generation firewalls, and if we were able to exploit it, hackers will be able to do so as well.”
Instead of thanking the team, though, some manufacturers – Cohen won’t say which ones – responded by saying that they knew all about the vulnerability, and they weren’t worried about it. The hacker community had been aware of the problem for several years, but no attacks using the vulnerability had yet been reported – meaning that other security measures were sufficiently protecting the systems.
“We were a bit surprised, too,” said Cohen, declining to elaborate. The criticism of the team’s “paranoia” was a topic of discussion among a (very geeky) segment of the cyber-security community last month, with experts weighing in on both sides – and to bolster its arguments, the team released a video showing the potential damage that could result from the vulnerability, despite the other protective measures in a device.
With the discovery of two major breaches under their belt, the Israeli companies are on a roll. “Apparently there are other such ‘design flaws’ in products on different levels – hardware and software – and we are in the middle of working on several others, details of which we will reveal soon,” said Cohen. “This one was unique because it potentially could affect so many people.”