
Massive LG security flaw partially fixed, KitKat devices still at risk


In the wake of last week's Samsung keyboard security hole, which was massive but highly unlikely to affect anyone, LG has had its own security problem uncovered. Researchers at the Budapest University of Technology and Economics' Security Evaluation and Research Laboratory (SEARCH-LAB) discovered a security risk in LG's Update Center. While LG has addressed the problem for devices running Android Lollipop, LG devices running Android KitKat or earlier versions are still at risk.

LG assures us that the security patch for pre-Lollipop devices "is currently being prepared and will be issued over the next several weeks, starting this month." The issue is related to an SSL certificate vulnerability in the Update Center app, which can reportedly be targeted by a man-in-the-middle attack. This could potentially allow hackers to install malware apps on your phone without your knowledge.

LG has already fixed the vulnerability on newer devices running Android Lollipop. / © ANDROIDPIT

As LG explained to AndroidPIT: "Since the end of March 2015 the issue in LG’s Update Center has been remedied and all LG smartphones running Android 5.0 (Lollipop) and higher now require SSL certificate verification before any application can be installed." According to LG, no cases have been reported.

This is likely because the scenario required to exploit the flaw is extremely improbable. For a security breach to take place, a hacker would need to be in control of an unsecured Wi-Fi connection the user is using. On top of this, the vulnerable device would also need to be updating at the same time. Like the Samsung keyboard issue, this situation is very unlikely to occur. But it's still an issue.

Only update your pre-Lollipop LG device on a secure connection. / © ANDROIDPIT

SEARCH-LAB claims it reported the security vulnerability to LG in November 2014, but LG told AndroidPIT that it was not aware of any previous communication from SEARCH-LAB. LG only became aware of the issue via a recent Softpedia article.

While LG acknowledges SEARCH-LAB may well have reported the issue when it says it did, the report evidently wasn't picked up on until recently. This in itself is cause for concern. LG went on to say that "LG is committed to strong security in all our products and providing a user experience that customers can trust," and that if it had known about the issue in November last year, it "wouldn't have waited until March to patch the server."

If you own an LG device running Android KitKat or earlier, your best move is to avoid unsecured Wi-Fi networks and to ensure you only update your system or apps via a secure network connection. We'll keep you posted on the rollout of the patch.
