Android Security IT

New Cold Boot Attack Affects Seven Years of LG Android Smartphones (zdnet.com) 10

South Korean phone manufacturer LG released a security update last month to fix a vulnerability that impacts its Android smartphones sold over the past seven years. From a report: The vulnerability, tracked under the identifier CVE-2020-12753, impacts the bootloader component that ships with LG smartphones. In March this year, US software engineer Max Thomas discovered a vulnerability in the bootloader component that had been added to LG smartphones starting with the LG Nexus 5 series. In a technical breakdown of the vulnerability published on Tuesday, Thomas says the bootloader component's graphics package contains a bug that lets attackers sneak in their own code to run alongside the bootloader's graphics under certain conditions, such as when the battery dies out and when the device is in the bootloader's Download Mode. Thomas says that threat actors who perfectly time an attack can gain the ability to run their own custom code, which could allow them to take over the bootloader, and inherently the entire device.
  • Keep your phone in your pocket. It will never have a cold boot, it'll always be around 25-30 deg C or more (depending upon the outside temperature and the layers between you and the phone).
  • by ron_ivi ( 607351 ) <sdotno@@@cheapcomplexdevices...com> on Wednesday June 03, 2020 @02:06PM (#60141614)

    can gain the ability to run their own custom code, which could allow them to take over the bootloader

    So almost (but not quite) as good as an unlocked bootloader?

    That sounds like a feature.

    Since when have locked-down devices been considered a good thing here?

    • by SuperKendall ( 25149 ) on Wednesday June 03, 2020 @02:23PM (#60141682)

      Reading through some of the details I was wondering that as well, is this really an attack feasible in the wild? It seems like the kind of attack that could be used to unlock the device (or by authorities) but not really practical for a remote attack.

      • Most of the really bad remote attacks chain two or three vulnerabilities. One executes low-privilege code remotely, another escalates privilege, yet another gives persistence.

        By itself, this issue is very much not remotely exploitable. By itself, this is indeed a "solder wires to the eMMC chip" vulnerability. It's difficult enough that even police or the FBI wouldn't use it routinely; it would only be useful for big cases, like a serial killer or actual terrorist.

        Actually a decent "compromise" between those w

    • by Wyzard ( 110714 ) on Wednesday June 03, 2020 @03:05PM (#60141894) Homepage

      I don't know about other LG phones, but the Nexus 5 (specific phone mentioned in the article) already had an unlockable bootloader. No exploits needed; just fastboot oem unlock from a connected PC, then flash whatever custom ROM you want.

      Unlocking the bootloader in the supported way would also wipe the user's data. That's a good thing: it's a security measure to ensure that the unlockable bootloader can't be used as a backdoor to access someone's data on a stolen or confiscated phone. This new attack sounds like it sidesteps that, so it's a security risk.

    • If you want to mess with somebody else's phone without their knowledge and tamper with their data, then yes this is better than an unlocked bootloader.

      Unlocking the bootloader in the supported way (supported by Motorola and other manufacturers I would buy from) follows a process that is designed to make sure I can't take over your phone without your knowledge.

      Here's roughly the typical process the system goes through when you switch from locked to unlocked:

      phone's storage is wiped so i can't get/t

  • by raymorris ( 2726007 ) on Wednesday June 03, 2020 @02:23PM (#60141686) Journal

    Technical details can be found here:

    https://douevenknow.us/post/61... [douevenknow.us]

    It requires that the attacker first has the ability to write arbitrary data to the eMMC, such as by a kernel exploit or soldering tiny wires to the eMMC chip.

  • That's one I probably don't have to worry about.
