The LG Update Center Application faces yet another threat of cyber attack as was discovered by SEARCH-LAB Ltd in November 2014.
A loophole exists where the center’s SSL certificate lacks verification hence creating a loophole for man-in-the-middle attack on the connection between applications and the LG website (www.lgcpm.com).
This gap then exposes LG handset users to fake applications created by these attackers.
Critical Vulnerability Allows attacker to have full control over LG Smartphones
LG handsets are open for automatic installation of new updates and application in APK form and without authentication prompt. Attackers take advantage and interrupt this connection by installing their own created apps into users’ handsets. These bogus applications and the genuine ones have something in common. Both do not require any permission from victims before installation hence a victim is likely to install the fake applications. The only security feature that may prevent this from taking place is the sign-in requirement by a system.
Typically, a good number of smartphones are shipped with their own inbuilt applications whose updates are available on the vendors’ app stores. For LG users, such applications are run from the LG Update Center which doubles up as a detector for any latest versions of LG apps. Most of these applications, however, are not available on Google Play Store.
On discovering the weakness in LG’s Update Centre, SEARCH-LAB Ltd informed LG manufacturing company who responded that they were considering a solution that should affect only the new models of the handset with Android L operating system. This, in essence, means that all LG handsets already in the market remain at risk of having bogus application automatically installed on them.
Here is some technical explanation according to CVE-2015-4110. LG website (www.lgcpm.com) operates with JSON (JavaScript Object Notation) encoded data. In the process of installing new applications, one searches for the “appUrl” field that typically carries a base64 encrypted URL message. Part of this message is the encryption key depending on the certKey field which is symmetric. Due to the absence of integrity protection on the message, an attacker gets an opportunity to hijack the update response and exchange it with an arbitrary appURL which exposes a user to an APK that is not genuine. This explains how an unsuspecting victim can have his handset under the control of an attacker.
This can potentially affect the LG Update Center which will detect any new version of an app, the attacker’s version included. This updated version become available for automatic download by LG handsets as this is how they are configured.
Because of the decision made by LG manufacturers on existing smartphones, it is advisable to disable ‘app auto update’ on handsets and manually install new apps or updates only from genuine Wi-Fi networks or from LG Update Center Application Site.
SEARCH-LAB Ltd is the same IT security company behind reporting a critical vulnerability in LG smartphones which allowed hackers to take full control of the device.
Report typos and corrections to [email protected]
Search Lab
