Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Network Security, Security Strategy, Plan, Budget, Vulnerability Management, Patch/Configuration Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

LG patches RCE bug in smartphone keyboards

LG on Monday released a security update fixing a high-severity remote code execution vulnerability found in the default keyboards of all its mainstream smartphone models.

Remote actors can also exploit the bug to compromise users' privacy and authentication details by turning the "LG IME" keyboard into a keylogging tool, according to Check Point Software Technologies research engineer Slava Makkaveev, whom LG has credited with discovering the issue.

In a May 8 company blog post, Makkaveev explains that vulnerability is technically two bugs in one -- a language file download that relies on an insecure HTTP connection, and a validation flaw in LG's file system.

The first bug presents itself when an LG user downloads a new language for the device's handwriting mode, or even an update to a previously installed language file. This downloading process fails to employ the secure HTTPS protocol, leaving it vulnerable to a potential man-in-the-middle (MITM) proxy attack in which the metadata file "files.txt" is either corrupted with injected code or overwritten entirely. At this point, the now-malicious version of files.txt can instruct the device to download additional malicious files from an adversary-controlled URL.

Executing these files is where the second bug comes into play: The validation flaw bug allows the same MITM attackers to use a path traversal mechanism to write the downloaded files to whatever disk location they please within the LG keyboard package sandbox.

According to Makkaveev, as long as the downloaded file have the extension .so, the LG's keyboard application is programmed to grant it permission to execute. "So, if the metadata file is extended with a .so file, entry to the rogue lib file will be marked on the disk as executable," states the blog post, whose content was explained to SC Media in greater detail by Check Point researcher Jonathan Shimonovich.

In order to get the keyboard application to actually load and run the rogue file, the attackers can next designate the file as “input method extension library” within the keyboard configuration file /data/data/com.lge.ime/files/Engine.properties.

"By altering the files.txt metadata file, the Engine.properties file can also be overwritten by a fake one," the blog post continues. "LG's keyboard loads the libs [libraries] indicated in Engine.properties configuration file on the application's startup and the rogue lib we've injected inside the aforementioned file would be loaded as soon as the keyboard process restarts. Once we manage to inject the rouge lib inside Engine.properties, all we need to do is wait for the application to restart and load the library."

LG notes that its devices running on Android versions Android devices with OS 4.4, 5.0, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 and 8.0 are affected.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.