A security update has been issued that addresses the vulnerability which impacts the bootloader component in LG smartphones. This component is separate from Android, as it is firmware which is specific to each smartphone maker.
What is a bootloader component?
The bootloader component is the first piece of code that rungs when the smartphone is started. Its purpose is to ensure the safe start of both the operating system and the firmware of the device.
More about CVE-2020-12753
The vulnerability was discovered in March by software engineer Max Thomas from the United States. According to his technical writeup dedicated to the flaw, CVE-2020-12753 is “a bootloader vulnerability affecting most Qualcomm-based LG phones since the Nexus 5, all the way up to my test device, the LG Stylo 4 Q710 (and 5 Q720), and probably others.”
The researcher says that the bug exists in the bootloader component’s graphics package. The bug allows attackers to implement their own code alongside the bootloader’s graphics. However, specific conditions need to be met relating to when the device’s battery drains, and when the device is in the bootloader’s Download Mode.
A perfectly timed attack enables attackers to run their own custom code, thus taking over the bootloader. Once this happens, taking over the entire device is also possible. This type of attack is known as a cold boot attack.
To be more precise, a cold boot attack is a type of side channel attack in which an attacker with physical access to a device performs a memory dump of a device’s random access memory (RAM) by performing a hard reset of the targeted device. In other words, this type of attack requires physical access to the device. That being said, the vulnerability can be exploited on stolen devices.
A patch has already been released in the LVE-SMP-200006 security update.