New Cold Boot Attack Affects Seven Years of LG Android Smartphones (zdnet.com)
South Korean phone manufacturer LG released a security update last month to fix a vulnerability that impacts its Android smartphones sold over the past seven years. From a report: The vulnerability, tracked as CVE-2020-12753, affects the bootloader component that ships with LG smartphones. In March this year, US software engineer Max Thomas discovered a vulnerability in the bootloader component that had been added to LG smartphones starting with the LG Nexus 5 series. In a technical breakdown of the vulnerability published on Tuesday, Thomas says the bootloader component's graphics package contains a bug that lets attackers sneak in their own code to run alongside the bootloader's graphics under certain conditions, such as when the battery dies out or when the device is in the bootloader's Download Mode. Thomas says that threat actors who time an attack perfectly can gain the ability to run their own custom code, which could allow them to take over the bootloader and, by extension, the entire device.
Easy solution (Score:2, Funny)
Sounds like a feature (Score:5, Interesting)
can gain the ability to run their own custom code, which could allow them to take over the bootloader
So almost (but not quite) as good as an unlocked bootloader?
That sounds like a feature.
Since when have locked-down devices been considered a good thing here?
Re:Sounds like a feature (Score:4, Interesting)
Reading through some of the details I was wondering that as well: is this really an attack feasible in the wild? It seems like the kind of attack that could be used to unlock the device (or by authorities) but not really practical for a remote attack.
Not remote UNLESS (Score:2)
Most of the really bad remote attacks chain two or three vulnerabilities. One executes low-privilege code remotely, another escalates privilege, yet another gives persistence.
By itself, this issue is very much not remotely exploitable. By itself, this is indeed a "solder wires to the eMMC chip" vulnerability. It's difficult enough that even police or the FBI wouldn't use it routinely; it would only be useful for big cases, like a serial killer or actual terrorist.
Actually a decent "compromise" between those w
Re:Sounds like a feature (Score:5, Informative)
I don't know about other LG phones, but the Nexus 5 (specific phone mentioned in the article) already had an unlockable bootloader. No exploits needed; just fastboot oem unlock from a connected PC, then flash whatever custom ROM you want.
Unlocking the bootloader in the supported way would also wipe the user's data. That's a good thing: it's a security measure to ensure that the unlockable bootloader can't be used as a backdoor to access someone's data on a stolen or confiscated phone. This new attack sounds like it sidesteps that, so it's a security risk.
For me to unlock yours without your knowledge (Score:2)
If you want to mess with somebody else's phone without their knowledge and tamper with their data, then yes this is better than an unlocked bootloader.
Unlocking the bootloader in the supported way (supported by Motorola and other manufacturers I would buy from) follows a process that is designed to make sure I can't take over your phone without your knowledge.
Here's roughly the typical process the system goes through when you switch from locked to unlocked:
phone's storage is wiped so I can't get/t
Technical details here (Score:5, Informative)
Technical details can be found here:
https://douevenknow.us/post/61... [douevenknow.us]
It requires that the attacker first has the ability to write arbitrary data to the eMMC, such as by a kernel exploit or soldering tiny wires to the eMMC chip.
Moving on (Score:2)