LG appears to have changed its position regarding fixing software in its Android-based smart phones.
According to security researchers at Budapest University of Technology and Economics' Security Evaluation and Research Laboratory (SEARCH-LAB), the company had previously stated it would not fix legacy software, despite being informed of a serious security flaw last year.
SEARCH-LAB says it discovered the problem in the software update mechanism last year, informing LG in November.
According to a paper published Monday, LG responded to the notification by saying it was considering a fix only for newly launched models which have the Android Lollipop operating system.
“According to the current state, all Android-based LG Smart Phones are affected by this exploitable vulnerability today and remain exposed according to LG's plans,” the researchers said.
When we contacted LG for a comment, it simply responded: "LG is committed to security in all our products and remains committed to providing a user experience that customers can trust. A recent article reported on a vulnerability in the Update Center app found on all LG smartphones. Since the end of March 2015, the vulnerability in LG's Update Center has been repaired and currently all LG smartphones running Android 5.0 (Lollipop) and higher require SSL certificate verification before an application can be installed. For pre-Lollipop LG smartphones, a software patch is currently being prepared and will be issued over the next several weeks starting this month. We appreciate our customers' patience and understanding that greater security is an ongoing, never-ending mission at LG."
In their statement, the researchers said the Update Center app on the smart phone communicates with the host lgcpm.com over HTTPS, but the app does not verify the server's SSL certificate. Any man-in-the-middle attacker on the network path can therefore present a certificate of their own, impersonate the update server and feed the app whatever it likes.
“Since new applications and/or application upgrades are installed through this channel in APK form without the need for any additional confirmation from the user, a malicious attacker can abuse the functionality to install arbitrary applications into the victim smart phones,” the researchers wrote. They added that this can even occur in the background, without the user's knowledge, when Update Center thinks a new version of an LG application is available.
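The two paragraphs above describe the whole failure mode: TLS is negotiated, but because the client never checks who it is talking to, an attacker on the same Wi-Fi can stand in for the update host and the downloaded "update" is accepted as genuine. The following is an added example written for this page; it is not LG's or SEARCH-LAB's code and does not reproduce the Update Center app. It is written in Go rather than Android Java because it is self-contained and runs offline: two local HTTPS servers with freshly minted self-signed certificates stand in for the real update host and for an attacker's hotspot, and the payload strings, server names and the functions `VulnerableConfig`, `HardenedConfig` and `RunScenario` are all constructed for the demonstration. The vulnerable client accepts whatever certificate the peer presents (the behaviour the researchers reported); the hardened client verifies the chain against a trust store that contains only the legitimate server's certificate. Pinning the server's own certificate is one remediation choice made here for illustration; LG's statement says only that the fixed app requires certificate verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedCert mints a self-signed certificate for 127.0.0.1 (where httptest
// listens). Both the "legitimate" update server and the man-in-the-middle get
// one; the only difference is which one the client has been told to trust.
func selfSignedCert(commonName string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// startServer runs a local HTTPS server presenting cert and answering every
// request with payload; it stands in for the APK download endpoint.
func startServer(cert tls.Certificate, payload string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, payload)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// fetchUpdate downloads the "APK" using the given client-side TLS policy.
func fetchUpdate(url string, cfg *tls.Config) (string, error) {
	tr := &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}
	client := &http.Client{Transport: tr, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// VulnerableConfig reproduces the reported flaw: TLS is negotiated, but any
// certificate the peer presents is accepted, so a MITM can be the "server".
func VulnerableConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true} // the bug
}

// HardenedConfig trusts only the certificates in roots (here the legitimate
// server's, shipped with the app) and lets the TLS stack verify chain and host.
func HardenedConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
}

// Outcome records how each client policy fared against each server.
type Outcome struct {
	VulnerableAcceptsMITM bool   // attacker's payload reaches the install step
	HardenedRejectsMITM   bool   // verification fails, nothing is installed
	HardenedAcceptsLegit  bool   // the genuine server still works
	MITMPayload           string // what the vulnerable client would install
}

// RunScenario plays the attack against both client policies. Payloads are
// constructed stand-ins for APK bytes.
func RunScenario() Outcome {
	legit := startServer(selfSignedCert("update-server"), "GENUINE-APK")
	defer legit.Close()
	mitm := startServer(selfSignedCert("attacker-hotspot"), "MALICIOUS-APK")
	defer mitm.Close()

	roots := x509.NewCertPool()
	roots.AddCert(legit.Certificate()) // pin the real server, nothing else

	var out Outcome
	body, err := fetchUpdate(mitm.URL, VulnerableConfig())
	out.VulnerableAcceptsMITM = err == nil && body == "MALICIOUS-APK"
	out.MITMPayload = body

	_, err = fetchUpdate(mitm.URL, HardenedConfig(roots))
	out.HardenedRejectsMITM = err != nil

	body, err = fetchUpdate(legit.URL, HardenedConfig(roots))
	out.HardenedAcceptsLegit = err == nil && body == "GENUINE-APK"
	return out
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Running it prints an `Outcome` in which the vulnerable client has happily fetched `MALICIOUS-APK` from the attacker while the hardened client refuses the same server with a certificate verification error and still talks to the genuine one. The point of the pinned trust store is that a rogue hotspot certificate, even one signed by some public CA, is not enough; only the key the app was shipped with is accepted. On Android the usual shape of this bug is a custom TrustManager or HostnameVerifier that accepts every peer, which is what the `InsecureSkipVerify` line models here; the article does not say what LG's code actually did.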
Carl Leonard, principal security analyst, Websense Security Labs, said old code was hard to fix. “Any business wishing to maintain legacy code bases must balance the challenge of identifying a fix, testing those fixes to ensure they do not break related code paths, and then deploying that fix to end users,” he said. “This is not a simple task, for example we saw Microsoft go through that decision process with Windows XP.”
Leonard added: “The lesson to be learned here is to perform extensive testing with security risks in mind from the get-go. Identifying weaknesses and potential scenarios that could interfere with the legitimacy of app updates, in this case, could have perhaps prevented this issue from ever being a problem.”
Tom Wilson, research analyst at Nettitude, was surprised when he heard that the fix wouldn't be backported. “This could easily be exploited for malicious purposes. From the sounds of it, an attacker could set up an open Wi-Fi hotspot at a large public gathering such as a conference, or even a hotel and use the vulnerability to deliver a virus/crimeware to anyone using an unpatched LG phone,” he said.
Gavin Reid, VP of threat intelligence, Lancope, said that Android has always been first for mobile platform attacks. “The complexity of updates for Android handsets has been at odds with security from the start, making Android a much easier platform to attack,” he said. “The vendor-specific builds and add-ons grow this complexity. LG is the only group that can fix this and they have to in order to ensure the security of their customers.”
Being open source has always been seen as one of Android's strengths, said Wilson. “However, in this case it has proved to be a weakness as each manufacturer is able to add their own ‘tweaks’ to the operating system. Until Android has a centralised update mechanism for manufacturer tweaks, we will undoubtedly see more of these issues.”
Mark James, security specialist at ESET, said: “I appreciate there may be implications or cost issues with fixing this but it's their job to ensure their software is as secure as it can be.”
James said that until it's fixed, users of older LG phones need to examine the automatic update option urgently. “By default these are turned on,” he said. “If you're using your phone for anything except just receiving calls, then turning off automatic updates is the best option and do your updates manually over a secure Wi-Fi.”