CVE-2020-12753: Bug in LG Smartphones from the Past 7 Years

A new vulnerability in LG smartphones, CVE-2020-12753, was recently discovered, affecting models from the past seven years.

A security update has been issued that addresses the vulnerability, which impacts the bootloader component in LG smartphones. This component is separate from Android, as it is firmware specific to each smartphone maker.

What is a bootloader component?
The bootloader component is the first piece of code that runs when the smartphone is started. Its purpose is to ensure the safe start of both the operating system and the firmware of the device.

More about CVE-2020-12753

The vulnerability was discovered in March by software engineer Max Thomas from the United States. According to his technical writeup dedicated to the flaw, CVE-2020-12753 is “a bootloader vulnerability affecting most Qualcomm-based LG phones since the Nexus 5, all the way up to my test device, the LG Stylo 4 Q710 (and 5 Q720), and probably others.”

The researcher says that the bug exists in the bootloader component’s graphics package. The bug allows attackers to run their own code alongside the bootloader’s graphics. However, specific conditions need to be met, relating to when the device’s battery drains and when the device is in the bootloader’s Download Mode.

A perfectly timed attack enables attackers to run their own custom code, thus taking over the bootloader. Once this happens, taking over the entire device is also possible. This type of attack is known as a cold boot attack.

To be more precise, a cold boot attack is a type of side channel attack in which an attacker with physical access to a device performs a memory dump of a device’s random access memory (RAM) by performing a hard reset of the targeted device. In other words, this type of attack requires physical access to the device. That being said, the vulnerability can be exploited on stolen devices.

A patch has already been released in the LVE-SMP-200006 security update.

Milena Dimitrova
