
Researchers Found Critical Vulnerability in LG’s Update Center Application

July 13th, 2015 | By Waqas | Security

The LG Update Center Application faces yet another threat of cyber attack as was discovered by SEARCH-LAB Ltd in November 2014.

The application does not verify the server's SSL certificate, which opens the door to a man-in-the-middle attack on the connection between the application and the LG website (www.lgcpm.com).

This gap then exposes LG handset users to fake applications created by these attackers.

Related: Critical Vulnerability Allows attacker to have full control over LG Smartphones (https://www.hackread.com/lg-on-screen-phone-authentication-bypass-vulnerability/)

LG handsets are open to automatic installation of new updates and applications in APK form, without any authentication prompt. Attackers can take advantage of this by interrupting the connection and installing apps of their own making on users' handsets. The bogus applications and the genuine ones have one thing in common: neither requires any permission from the victim before installation, so a victim is likely to end up with the fake applications installed. The only security feature that may prevent this from taking place is the sign-in requirement by a system.

Typically, a good number of smartphones ship with their own built-in applications, whose updates are available from the vendors' app stores. For LG users, such applications are managed through the LG Update Center, which also detects new versions of LG apps. Most of these applications, however, are not available on the Google Play Store.

On discovering the weakness in LG's Update Center, SEARCH-LAB Ltd informed LG, which responded that it was considering a solution that would apply only to new handset models running the Android L operating system. This, in essence, means that all LG handsets already on the market remain at risk of having bogus applications automatically installed on them.

Here is a technical explanation, according to CVE-2015-4110. The LG website (www.lgcpm.com) exchanges JSON (JavaScript Object Notation) encoded data with the application. When installing a new application, the update process reads the "appUrl" field, which carries a base64-encoded, encrypted URL. The encryption is symmetric, and its key depends on the certKey field, which is part of the same message. Because the message has no integrity protection, an attacker has the opportunity to hijack the update response and replace the appUrl with an arbitrary one, pointing the user to an APK that is not genuine. This explains how an unsuspecting victim's handset can end up under an attacker's control.

This can potentially affect the LG Update Center itself, which will detect any new version of an app, the attacker's version included. That version then becomes available for automatic download, since this is how LG handsets are configured.
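The missing integrity check described above, shown from the client's side as an added example (not code from LG, SEARCH-LAB or the original article): the raw update response is authenticated before any field is trusted, the decoded appUrl is restricted to the vendor host, and the downloaded APK is compared with a digest from the authenticated response. Assumptions: HMAC-SHA256 stands in for a vendor public-key signature, the `apkSha256` field, the URL paths and all sample data are constructed, and appUrl is modelled as plain base64 because the encryption layer adds no integrity.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.lgcpm.com"}      # vendor host named in the article
MAC_KEY = b"constructed-demo-key"      # assumption: stand-in for a vendor signing key

class UpdateRejected(Exception):
    """Raised when an update response must not be acted on."""

def sign(body: bytes, key: bytes = MAC_KEY) -> str:
    """Server side of the demo: tag computed over the exact response bytes."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_update(body: bytes, tag: str, key: bytes = MAC_KEY) -> dict:
    """Authenticate the raw response first, then parse and check appUrl."""
    if not hmac.compare_digest(sign(body, key), tag):
        raise UpdateRejected("response failed integrity check")
    msg = json.loads(body)
    url = base64.b64decode(msg["appUrl"], validate=True).decode("utf-8")
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise UpdateRejected("appUrl points outside the vendor host")
    return {"url": url, "sha256": msg["apkSha256"]}

def verify_apk(apk: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded package with the authenticated digest."""
    return hmac.compare_digest(hashlib.sha256(apk).hexdigest(), expected_sha256)

def make_response(url: str, apk: bytes) -> bytes:
    """Build a constructed update response (apkSha256 is a hypothetical field)."""
    fields = {"appUrl": base64.b64encode(url.encode()).decode(),
              "certKey": "constructed",
              "apkSha256": hashlib.sha256(apk).hexdigest()}
    return json.dumps(fields).encode()

def is_accepted(body: bytes, tag: str) -> bool:
    try:
        verify_update(body, tag)
        return True
    except UpdateRejected:
        return False

# Constructed sample data for the demo.
GENUINE_APK = b"constructed genuine package bytes"
GENUINE = make_response("https://www.lgcpm.com/constructed/app.apk", GENUINE_APK)
GENUINE_TAG = sign(GENUINE)
# A response whose appUrl was changed in transit, presented with the old tag.
TAMPERED = make_response("https://updates.example.invalid/other.apk", b"other bytes")
```
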

Because of LG's decision regarding existing smartphones, it is advisable to disable "app auto update" on handsets and to install new apps or updates manually, only over trusted Wi-Fi networks or from the LG Update Center Application Site.

SEARCH-LAB Ltd is the same IT security company that reported a critical vulnerability in LG smartphones which allowed hackers to take full control of the device.

Source: Search Lab (https://www.search-lab.hu/about-us/news/109-security-vulnerability-in-lg-s-update-center-application)

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.