Search-Lab Ltd. discovered a serious security vulnerability in the On Screen Phone protocol used by LG Smart Phones. A malicious attacker is able to bypass the authentication phase of the network communication, and thus establish a connection to the On Screen Phone application without the owner’s knowledge or consent.
Once connected, the attacker could have full control over the phone – even without physical access to it. The attacker needs only access to the same local network as the phone is connected to, for example via Wi-Fi. The LG On-Screen Phone application (OSP) makes it easy to access and control LG’s Android smartphones through a PC.
The connection can be established either by using an USB cable or wirelessly through Wi-Fi or Bluetooth. When attempting to connect to the phone via OSP, a popup dialog is displayed on the phone and it is to be confirmed and accepted by the owner. Once the channel is established, the screen contents of the device are being transmitted to the PC as a motion stream, mouse clicks on the PC are turned into touch events on the phone. By using OSP one can control an LG Smart Phone just like it was in their hands.
Watch the video below for live proof:
The application is available through the manufacturer’s custom store for install, and is preinstalled on many LG Smart Phones, including G1 & G2. SEARCH-LAB Ltd. responsibly reported this threat to the manufacturer in September 2014 who confirmed the severity of the issue and started working on the fix in turn.
The patched version of the application is now available to download through LG’s Update Center and/or will be available in form of Maintenance Release for some models. LG smartphone users should make sure to have at least version 4.3.010 of the On Screen Phone (OSP) application installed. Please note that when OSP is pre-installed, the device is vulnerable by default – OSP is started automatically and cannot be disabled in Settings.
Read technical details here.