CyberWire Daily - LG smartphone keyboard vulnerabilities. [Research Saturday]
Episode Date: June 23, 2018
Researchers at Check Point Research recently discovered vulnerabilities in some LG smartphone keyboards, vulnerabilities that could have been used to remotely execute code with elevated privileges, act as a keylogger and thereby compromise the users' privacy and authentication details.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Here in the research group, we investigate many attack vectors on mobile.
That's Jonathan Shimonovich. He's the mobile research group manager at
Check Point. The research we're discussing today is titled Remote Code Execution Vulnerability
on LG Smartphones. One of the attack vectors, popular attack vectors, is malware that we
investigate and the other is the OS itself. So specifically here, we're talking about an application that comes with a system
application that comes with LG phone. We have an automatic big data system that scans all the
app that we see, all known apps and search for interesting things, interesting phenomenon,
interesting vulnerabilities. If we see something interesting, then we might decide to hand it over to a researcher who might
do further investigation of this application. What we did here is we scanned many, many system apps
from many, many different vendors. We came across a couple of interesting ones,
and the LG keyboard is one of
them. So the first vulnerability you discovered had to do with the LG keyboard apps supporting
of handwriting modes. Describe to us what is that and what did you discover?
Okay, so basically LG patched it in the May security update as a single vulnerability, but actually it's a set of vulnerabilities
that can be exploited together in order to gain remote code execution in the LG keyboard.
Basically, what we found is a breach in the update or install of handwriting languages
within the built-in LG keyboard.
We've tested it on many LG devices.
Specifically, we confirmed it exists on LG G4, G5, and G6,
the flagship devices of LG,
and we saw it on a variety of Android OS version from Android 4.4 to Android 8.
And what exactly is the vulnerability here?
Let's first talk about what the vulnerability allows. So it allows an attacker to gain what
is called RCE, which is a remote code execution, which means that an attacker will be able
to, if exploited correctly, will be able to run their own code payload within the LG keyboard
application context.
Since the LG keyboard is a pre-installed system application, it runs with system privileges.
So basically, the code will have,
it's not root privileges, but it's pretty close.
And it will have permissions to install other application or to record all of your typing in the keyboard.
I mean, that alone is very serious
because it can wiretap everything that you type,
including your secret credentials,
username, passwords to banking sites,
take all of your pictures from your phone.
I mean, a high set of capabilities,
same as an advanced Python can be used.
So this is on the what can be accessed.
Now, if it's okay, we can talk a little bit technically about the how.
Sure.
The vulnerability itself.
Actually, this vulnerability is composed of a set of, let's say,
programming malpractices of bad security practices,
when combined together, can be joined to something very dangerous.
One more additional thing is that it's not, let's say,
the known type of buffer overflow or memory overflow in the memory.
It's more of a logical problem in the update mechanism of the languages that allow an attacker to use it in a malicious way.
So it starts with unsecured HTTP connection.
So this is the first building block for the attack because the update process is done over an unsecured channel,
HTTP instead of HTTPS, which means that anybody that can serve as a proxy to your phone
or hijack your traffic or create a fake access point
can see your traffic.
And the basic assumption is that you use a secured connection.
So using unsecured connection is already a big series by itself,
but it still doesn't give us running code abilities,
just wiretapping to your traffic.
So this is the first one.
And this allows an attacker to interfere with the update process.
The second malpractice here is the lack of path traversal verification.
So I'll talk in a minute about the specific tech details here.
But basically, when the set of files to be updated is sent to the device,
no one verifies.
They're supposed to be written to a certain destination directory.
And the code doesn't check for directory traversal. So I can write dot, dot, slash, dot, dot, slash,
and put the files in a different directory.
This is the second problem.
And the third problem is that the LG keyboard allows dynamic code execution.
So this is probably part of the handwriting languages
as they probably require some more complex
or machine learning code
in order to recognize the handwriting
and transfer it to text.
So the keyboard allows dynamic code loading,
which means it gets pre-compiled
library from this code library from the server and it runs it. So this already is a bad practice,
specifically in Android, where Android application is called an APK and each APK is signed by
the developer certificate. So each part of the code is verified. And this is a workaround to update code
without updating the application.
So this is already not a good practice.
But additionally, no verification is done on the code,
on the dynamically loaded code.
So this code is not signed in any way.
It's not verified.
Moreover, you can also push a configuration to the application
that tells it which code to run.
So basically, you can manipulate the entire dynamic code loading process.
So if you'd like, I can dive into a bit more technical details.
Yeah, please go ahead.
The update or installation of a new language pack
starts with the downloading of a file called files.txt.
This file is a text file containing a list,
basically where every file to be loaded
as part of the language pack is a new line.
So basically this file is downloaded first and then it is parsed
and then all the files listed in this file are downloaded in the following step.
So although each of these files has a cryptographic hash
that signs each of them, the files.txt, the first file
in the process is not signed. So an attacker using a man in the middle can manipulate the
files.txt by adding new records or replacing it entirely with its own file. For instance,
the attacker can add his own files as a new record to the files.txt file,
and then they will be downloaded by the keyboard. So this is the first stage. Now,
the files that you want to add are two files. First, you want to add the, let's call it,
the attacker wants to add the malicious payload. So he'll add an additional record to the files.txt with his native library, a .so file.
And this file will be downloaded and saved to the device.
This already enables the attacker to push a malicious code to the device.
But this is not enough because we need to take care of loading.
I mean, just putting a code
in some directory is not enough.
You need to make sure
someone calls it, someone loads
it to memory and runs it.
Luckily for the attacker,
there is an additional configuration
file called engine.properties,
which is part
of the LG keyboard configuration.
This file is not in the download directory,
but as we previously mentioned,
there is this matter of directory traversal.
So if you write dot, dot, slash, dot, dot, slash,
and then the relevant path,
you can override the engine properties file
of the keyboard.
Within this file,
there is a list of the libraries,
the code libraries that should be loaded
on keyboard restart.
So if the attacker will manipulate
not only the files.txt, I mean,
he can manipulate the files.txt. And in addition, two records, one is the malicious payload and the
other is the configuration file run over the configuration file telling the LG keyboard to
load the payload. So this is sufficient to execute the code,
the malicious payload, as the malicious payload,
as we mentioned earlier, is not signed
or verified in any way, and even it's enough
for the malicious payload to end with .so
for the keyboard to think that it is a code intended to be running
and it automatically gives it running permissions to the file.
Repeating the steps, first file to be downloaded is the files.txt,
which contained a list of the following files for the specific language pack.
So the attacker can add two records,
one for the malicious payload SO file
and the other for running over the properties file,
which is possible due to the directory traversal.
Then all that needs to be done is restart the phone
or the keyboard process,
whichever one is more comfortable,
but whichever one will
be rebooted first. And on the next load, the malicious payload will be loaded into
the LG keyboard memory and executed. And so given the permissions that they have there,
I mean, I guess the sky's the limit with the types of things they could do on the phone.
Yes.
So as I mentioned at the beginning of the conversation,
I mean, just access to the keyboard already gives them access to everything that you write, including your private messages and banking credentials, your password and everything.
But in addition, it can also silently install additional apps, access images on the phone.
And I mean, as you said, it can do pretty harmful things.
Now, in your research, was there any evidence that anyone was actually doing this out in the wild?
Or was this more theoretical that you discovered in the lab?
We haven't seen it exploited in the wild.
We discovered it in the lab.
And the first thing that we do is disclose
it with LG. And only after LG issued a patch did we publicly disclose this vulnerability.
And has LG released patches for some of the legacy devices going back as far as this goes?
We haven't checked for every device,
but I think for a lot of devices, yes,
because the patch is easier.
You don't have to update the entire OS.
It's sufficient to update the LG keyboard. And we did see they issued new versions
for this specific app.
So what's your recommendation for folks
to protect themselves against this? Is it
as simple as making sure that you've got all your patches up to date? Yeah, so in this case,
it's even simpler. You need to see that if you have an LG phone, that all your LG or system apps
are up to date and updated. This is the first thing. If you're not sure, you can go to the
setting and try to force update instantly and that should resolve that.
I mean, until you do it, what else you can do is just avoid installing new languages, specifically handwriting languages on your LG keyboard until you update.
I see. Yeah. So it's actually that it's when you reach out to try to update your languages or install a new language, that's when the vulnerability gets exposed. Yes.
Our thanks to Jonathan Shimonovich for joining us. The research is titled Remote Code Execution
Vulnerability on LG Smartphones. You can find it on the Check Point Research website.
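The three missing checks the interview walks through (traversal validation of files.txt entries, a hash check on each downloaded file, and refusing native code in a language pack) written out as a defensive example in Python. This is added illustration, not Check Point's or LG's code; the manifest line format, the destination directory and the file-type allowlist are assumptions, and authenticating files.txt itself (a signature over the manifest) is the remaining fix not shown here.

```python
import hashlib
import posixpath

# Constructed sample manifest in the shape the interview describes (one file per
# line); the "<relative path> <sha256>" layout is an assumption for this example.
# The last two records are the kind an attacker could append over plain HTTP:
# a native library, and a traversal path aimed at the keyboard's engine.properties.
SAMPLE_MANIFEST = """\
handwriting/en_US/model.dat 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
handwriting/en_US/payload.so 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
../../engine.properties 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""
BASE_DIR = "/data/lgkeyboard/languages"  # hypothetical destination directory
ALLOWED_SUFFIXES = (".dat", ".dic")       # language data only, never native code
HEXDIGITS = set("0123456789abcdef")

def safe_destination(base_dir, rel_path):
    """Resolve rel_path under base_dir; None if it is absolute or escapes the directory."""
    if rel_path.startswith("/") or "\\" in rel_path or "\0" in rel_path:
        return None
    target = posixpath.normpath(posixpath.join(base_dir, rel_path))
    return target if target.startswith(base_dir.rstrip("/") + "/") else None

def check_entry(line, base_dir=BASE_DIR):
    """Classify one manifest line as (destination, sha256) or (None, reason)."""
    parts = line.split()
    if len(parts) != 2 or len(parts[1]) != 64 or not set(parts[1].lower()) <= HEXDIGITS:
        return None, "malformed entry"
    rel_path, digest = parts[0], parts[1].lower()
    dest = safe_destination(base_dir, rel_path)
    if dest is None:
        return None, "path escapes destination directory"
    if not rel_path.lower().endswith(ALLOWED_SUFFIXES):
        return None, "disallowed file type"  # a .so must never arrive via a language pack
    return dest, digest

def parse_manifest(text, base_dir=BASE_DIR):
    """Split a manifest into accepted (dest, digest) and rejected (line, reason) lists."""
    accepted, rejected = [], []
    for line in filter(str.strip, text.splitlines()):
        dest, info = check_entry(line, base_dir)
        (accepted if dest else rejected).append((dest or line, info))
    return accepted, rejected

def verify_download(data, expected_sha256):
    """Check downloaded bytes against the digest the manifest promised before writing them."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()
```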
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner. Thanks for listening.