Skip to content
Menu
  • Original Short Fiction
Menu

Device OPSEC: If You Use an LG Device, Read This!

Posted on 28 January 2016 by The Tactical Hermit

lg-635x357

Millions of LG phones at risk, Israeli team discovers

For the second time in a month, researchers at cyber-security firms BugSec and CyNet have discovered a major security problem that leaves tens of millions of users at risk

For the second time in a month, an Israeli team has uncovered a major security breach built in smartphone hardware that millions of users depend upon – and expect to be safe to use. A joint team of researchers from Israeli cyber security firms Cynet and BugSec announced their find on Thursday.

Just three weeks ago, the same team unveiled a security flaw allowing hackers to breach through firewalls and control computers and laptops.

“We were doing research on apps that we believed had vulnerabilities, and were using an LG G3 device to do it,” Idan Cohen, CTO of BugSec, told The Times of Israel exclusively. “But we noticed that there seemed to be a security hole in all the apps we were testing – and it was then we realized we were dealing with a security problem endemic to the device.”

That problem, called the SNAP vulnerability, takes advantage of a built-in feature on LG’s most popular model. “It uses a flaw in one of the LG applications, Smart Notice, which is pre-installed automatically on every new LG device. Smart Notice displays to users the recent notifications that can be forged to inject unauthenticated malicious code.”

The team has known about the vulnerability for several months, said Cohen, but waited until LG developed a patch to protect phones before going public with the information. It should be noted that there are no documented cases of a hacker using the vulnerability – but given the potential use, LG immediately began working on a fix, which was released this week, prior to the Cynet/BugSec announcement.

Although now superseded by the G4, LG’s G3 model remains very popular with its users. “The G4 has only been on the market for a few months, and most users haven’t upgraded yet, so there are still many G3s in use. Because the vulnerability is in the built-in Smart Notice application, any app that uses it – and almost every app that gets messages does – is a potential vehicle for hackers to use to reach an individual’s device, stealing data, sending revealing photos stored on the device to social media, grabbing saved credit card information, etc.,” Cohen said.

The vulnerability allows hackers to use a JavaScript routine to run server side code, allowing them to extend the reach of code to take control of a device. In a blog post, the researchers detail and demonstrate how they were able to grab phone numbers and ID information out of a phone’s memory, access a phishing site with a device’s browser to download malware, or even to run a denial of service hack attack against a web site – directly from the device, without its owner even being aware of what was going on. “The malicious code could be delivered by apps that utilize messaging services,” said Cohen. “We created two – one that informed users of WhatsApp messages, and one that prompted them to scan a QR code – but many other methods could be used as well.”

Upon discovering the problem, Cohen said that the team – led by researchers Liran Segal and Shachar Korot – did the responsible thing and informed LG. “They were very professional about it, and worked with us to understand the problem and ways to fix it,” said Segal. “As to how they allowed such a vulnerability into their device, they didn’t explain and we didn’t ask,” as the matter was an internal LG one. “I imagine they are doing their own internal reckoning right now,” he said.

Acknowledging the issue wasn’t necessarily the way firewall makers reacted last month when another team of BugSec and CyNet researchers informed them about the massive design flaw in next-generation firewalls, which examine application communications instead of port access to determine whether or not a hacker is trying to break through.

In that case, as well, a JavaScript flaw allowed hackers to waltz through the firewall’s protective shield and take control of computers and servers. “This vulnerability could potentially be a big risk for organizations,” said Stas Volfus, Head of Offensive Security for the team. “It’s built into all next generation firewalls, and if we were able to exploit it, hackers will be able to do so as well.”

Instead of thanking the team, though, some manufacturers – Cohen won’t say which ones – responded by saying that they knew all about the vulnerability, and they weren’t worried about it. The hacker community had been aware of the problem for several years, but no attacks using the vulnerability had yet been reported – meaning that other security measures were sufficiently protecting the systems.

“We were a bit surprised, too,” said Cohen, declining to elaborate. The criticism of the team’s “paranoia” was a topic of discussion among a (very geeky) segment of the cyber-security community last month, with experts weighing on both sides – and to bolster its arguments, the team released a video showing the potential damage that could result from the vulnerability, despite the other protective measures in a device.

With the discovery of two major breaches under their belt, the Israeli companies are on a roll. “Apparently there are other such ‘design flaws’ in products on different levels – hardware and software – and we are in the middle of working on several others, details of which we will reveal soon,” said Cohen. ‘This one was unique because it potentially could affect so many people.”

Read the Original Article at Times of Israel

1 thought on “Device OPSEC: If You Use an LG Device, Read This!”

  1. PARTNERING WITH EAGLES says:
    29 January 2016 at 20:38

    Why am I not surprised… I’ve made lots of posts about privacy, and on mobile “phones”.
    https://partneringwitheagles.wordpress.com/2011/12/05/carrier-iq-a-follow-up-to-you-have-no-privacy/

Leave a Reply

Your email address will not be published. Required fields are marked *

Tactical Hermit Substack

Recent Post

  • Crime Awareness: Deadly social media ‘door-kicking’ trend could end tragically for kids and homeowners
  • Let Freedom Ring
  • In Memoriam: Michael Madsen
  • The Great Anti-Southern Psyop!
  • Know Your White History: Rudolf Diesel and Clessie Cummins
General Franco (2008-2024)

Book of the Month

Fellow Conspirators

Area Ocho

American Partisan

Western Rifle Shooters Association

Brushbeater

Von Steuben Training and Consulting

CSAT

Politically Incorrect Humor and Memes

Freedom is Just Another Word

Prepared Gun Owners

Fix Bayonets

The Firearm Blog

BorderHawk

Cold Fury

Don Shift SHTF

NC Renegades

Big Country Ex-Pat

The Bayou Renaissance Man

Bustednuckles

The Feral Irishman

It Ain’t Holy Water

Evil White Guy

Pacific Paratrooper

Badlands Fieldcraft

Riskmap

Stuck Pig Medical

Swift Silent Deadly

Spotter Up

The Survival Homestead

Bacon Time!

SHTF Preparedness

Sigma 3 Survival School

The Organic Prepper

The Zombie Apocalypse Survival Homestead

Texas Gun Rights

The Gatalog

Taki’s Magazine

Defensive Training Group

The Trail Up Blood Hill

No White Guilt

Europe Renaissance

Vermont Folk Truth

The Occidental Observer

The Dissident Right

Daily Stormer

American Renaissance

Blacksmith Publishing

Arktos Publishing

Antelope Hill Publishing

White People Press

White Rabbit Radio

White Papers Substack

Viking Life Blog (Archived)

Identity Dixie

The Texian Partisan

Southern Vanguard

League of the South

The Unz Review

Dissident Thoughts

The Third Position

Renegade Tribune

COPYRIGHT NOTICE/DISCLAIMER & FAIR USE ACT

All blog postings, including all non-fiction and fictional works are copyrighted and considered the sole property of the Tactical Hermit Blog. The names, characters and incidents portrayed in the short stories and novelettes are entirely fictional and are of the author's imagination. Any resemblance to actual events, locales or organizations or persons living or dead is entirely coincidental, The information contained in the articles posted to this site are for informational and/or educational purposes only. The Tactical Hermit disclaims any and all liability resulting from the use or misuse of the information contained herein.

The views and opinions expressed on this blog are those of the authors and do not necessarily reflect the official policy or position of any of the companies that advertise here. 

Much of the information on this blog contains copyrighted material whose use has not always been specifically authorized by the rightful copyright owner. This material is made available in an effort to educate and inform and not for remuneration. Under these guidelines this constitutes "Fair Use" under Section 107 of the U.S. Copyright Law. The publisher of this site DOES NOT own the copyrights of the images on the site. The copyrights lie with the respective owners.

© 2025 | Powered by Minimalist Blog WordPress Theme