Newfound security hole in the LG G3 made user data on it prone to intruders


If you're still rocking the LG G3 (pretty much the best Quad-HD smartphone $270 can buy), you might have been bugged about installing a Smart Notice patch recently. Smart Notice is a service that shows recent notifications in the form of cards, similar in style to Google Now. It is enabled by default on LG devices.

Thus, you might have given it a shot and liked it, or disabled it completely on your LG G3. Whatever the case is, you should know that LG released this patch to close a serious vulnerability in the service. It was discovered by Israeli cyber security firm BugSec, which affectionately called it "SNAP".

SNAP lets potential attackers execute arbitrary code and wreak havoc, such as stealing private data, pulling off phishing scams, and crashing the operating system. The root cause of the problem is that Smart Notice does not "validate" user-submitted data. Users of vulnerable devices only need to save an infected notification message to get, in the researchers' words, "pwned". Affected users would receive no warning or other signs that something awful has happened.

According to the source, the vulnerability is only present on the LG G3 at the moment, although Smart Notice is also found in the LG G4 and other recent LG handsets. So, if you receive an updated version of the app, you'll know what's up.

The researchers at BugSec say they don't know of any cases in which the vulnerability has been exploited, be it by attackers or malware scripts. However, they do insist that the vulnerability is not merely theoretical, and the fact that LG patched up Smart Notice so soon after having it brought to their attention lends it enough credibility by itself.

If you would like to learn more, watch the video below, prepared by BugSec and Cynet.


source: BugSec via The Register


7 Comments

1. Odeira

Posts: 300; Member since: Jun 29, 2012

If entire GOVERNMENTS can be hacked and played around with, what chance your mobile? This here's not surprising at all... At least LG responded quickly enough...

3. Mxyzptlk unregistered

Maybe they should have responded quicker by making the G3 a better phone, but they failed to do that.

6. chenski

Posts: 785; Member since: Mar 22, 2015

The G3 is pretty good as it is, but then of course any phone can be made better.

2. xocomaox

Posts: 202; Member since: Dec 14, 2015

I'd imagine 80% of their user-base had removed this service within weeks of getting the phone.

4. skymitch89

Posts: 1453; Member since: Nov 05, 2010

What version of Smart Notice is the patched version? My G3 has version 4.40.11 and I don't recall ever getting any kind of update that mentioned a new version of Smart Notice, a patch for Smart Notice, or anything else that involved Smart Notice.

5. TechieXP1969

Posts: 14967; Member since: Sep 25, 2013

LG LG LG...needs LG KNOX

7. SkyfallWalker

Posts: 73; Member since: Jan 28, 2016

LG needs to put out a Patch ASAP
