Friday, 29 January 2016

SNAP vulnerability puts millions of LG's G3 smartphones at risk

Security researchers from BugSec and Cynet have discovered a critical vulnerability in LG G3 smartphones which can allow a potential hacker to run arbitrary JavaScript code on the devices. Once the vulnerability is exploited, the hacker can steal sensitive data, launch phishing attacks and cause a denial of service (DoS) on the device.
The vulnerability, named the SNAP bug, resides in every LG smartphone, including the flagship LG G3, because of a native application called Smart Notice.
The ‘SNAP’ vulnerability was first discovered by BugSec security researchers Liran Segal and Shachar Korot. It is a critical flaw in one of the LG G3 applications, Smart Notice, which comes pre-installed with all LG smartphones.
The security flaw is rooted in a bug in one of the pre-installed LG applications, Smart Notice, which exists on every new LG G3 device. LG debuted its Smart Notice app with the G3; it displays recent notifications (named “cards”) to users, and these can be forged to inject unauthenticated malicious code. The bug is highly critical because the Smart Notice app is enabled by default and is always in an ‘on’ state.
The root cause for the security problem is the fact that Smart Notice does not validate the data presented to the users. Data can be taken from the phone contacts and manipulated. The attack can take place in several ways due to functionality issues of the Smart Notice application. The application pops notifications (named ‘cards’) in each of these scenarios:
  • Favorite contact notification – Recommends you keep in touch with favorite contacts.
  • New contact suggestion – Suggests saving a caller number.
  • Callback reminder – Reminder to call back a contact after declining the call.
  • Birthday notification – Reminder about contact birthday.
  • Memo reminder – Provides notifications about user memos.

The BugSec researchers used a long contact name which is not seen by the user, but will still be activated by the application. They then needed a delivery method, and created two delivery vectors to test the bug:
  • The QR vector – Using social engineering, the hackers publish an ad asking the victim to scan a QR code that opens a “save the contact” window, which requires only an approval click by the user.
  • The WhatsApp/MMS vector – Also using social engineering, the hackers send a contact (with a forged source) that will be saved by the user.
By exploiting this SNAP vulnerability, a potential hacker can easily steal sensitive data from the device SD card, including WhatsApp data and images, and can also mislead the end user into phishing scams and drive-by attacks.
The BugSec researchers said that LG G3 users need only save a maliciously constructed notification message for the exploit to work. Once the malicious message resides on the smartphone, the hacker can do his malicious work without any warning or signal to the smartphone owner.
BugSec’s research team said it had notified LG about the SNAP vulnerability in Smart Notice App. LG has released the updated App with the patch to mitigate the vulnerability.
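
The root cause described above, contact data shown in a card without validation, is illustrated below as an added example; it is not LG's or BugSec's code. It assumes the card body is HTML with the contact name interpolated into it, and the function names, the 64-character limit and the sample names are hypothetical.

```javascript
// Added example: hypothetical card renderer, not LG's Smart Notice code.
// Assumption: the card body is HTML and the contact name is interpolated into it.
const MAX_NAME_LEN = 64; // assumed display limit, in code points

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML structure.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Replace control characters, collapse whitespace runs and cap the length, so
// padding cannot push part of a name out of the user's view.
function normalizeName(raw) {
  const cleaned = String(raw)
    .replace(/[\u0000-\u001f\u007f]/g, ' ')
    .replace(/\s+/g, ' ')
    .trim();
  const chars = Array.from(cleaned); // code points, keeps surrogate pairs whole
  const truncated = chars.length > MAX_NAME_LEN;
  const name = truncated ? chars.slice(0, MAX_NAME_LEN).join('') + '...' : cleaned;
  return { name, truncated };
}

// Weak form: contact data reaches the markup unchanged.
function renderCardUnsafe(contactName) {
  return `<div class="card">Call back ${contactName}?</div>`;
}

// Hardened form: normalize, then encode for the HTML context.
function renderCardSafe(contactName) {
  const { name, truncated } = normalizeName(contactName);
  return { html: `<div class="card">Call back ${escapeHtml(name)}?</div>`, truncated };
}

// Constructed sample inputs (not taken from the research).
const SAMPLE_BENIGN = "Dana O'Neil";
const SAMPLE_PADDED = 'Bob' + ' '.repeat(80) + '<script>alert(1)</script>';
const SAMPLE_LONG = 'a'.repeat(200);

for (const sample of [SAMPLE_BENIGN, SAMPLE_PADDED, SAMPLE_LONG]) {
  console.log(renderCardSafe(sample));
}
```

The `truncated` flag lets the caller log or review contacts whose names exceed the display limit.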
More details on the vulnerability can be found in a blog post by BugSec here. LG has so far not commented on the issue.