Bootloader vulnerability allows hacking any LG phone. Update the firmware

An information security awareness group has disclosed a new security risk affecting some mobile devices. According to the report, South Korea-based technology company LG released a security update to fix a flaw in its Android smartphones sold over the past seven years.

Tracked as CVE-2020-12753, this vulnerability affects the bootloader component that is included in the smartphones developed by the company.

The bootloader is a component that sits outside the operating system and is specific to each smartphone manufacturer. It is the first code executed when a user starts their device, and its main function is to ensure that the device and the operating system’s firmware start correctly.

A couple of months ago an information security awareness expert reported a vulnerability in the bootloader component present in multiple LG smartphone models, starting with the LG Nexus 5 series. Soon after, software engineer Max Thomas delved into the vulnerability, mentioning that the graphics package of the bootloader component contains a flaw that allows threat actors to run code simultaneously with bootloader code under certain conditions (for example, when the battery runs out or when the device is in bootloader download mode).

The expert mentions that if a malicious hacker can time an attack perfectly, they might be able to execute code specially designed to take control of the bootloader (which involves compromising a device completely). Thomas posted a video demonstrating the attack.

The vulnerability is present in all LG smartphones that use Qualcomm Secure Execution Environment (QSEE) chips with EL1 or EL3 runtime firmware. LG devices running Android versions 7.2 and later are also affected, information security awareness experts mention.

These kinds of flaws are known as “cold boot attacks”, and their exploitation requires threat actors to have physical access to the vulnerable device, although this does not mean that there is no risk of exploitation. If users lose their smartphone, a malicious hacker could fully access their information.

Fixes for this vulnerability were included in LG’s latest update; users must verify that the update is installed correctly.