Image: Ilan Dov
South Korean phone manufacturer LG released a security update last month to fix a vulnerability that impacts Android smartphones it has sold over the past seven years.
The vulnerability, tracked as CVE-2020-12753, impacts the bootloader component that ships with LG smartphones.
Separate from the Android OS, the bootloader is a piece of firmware specific to each smartphone vendor. It is the first piece of code that runs when a user starts their device, and it ensures that smartphone firmware and the Android OS itself start in a correct and secure manner.
Vulnerability found in the LG bootloader graphics package
In March this year, US software engineer Max Thomas discovered a vulnerability in the bootloader component that had been added to LG smartphones starting with the LG Nexus 5 series.
In a technical breakdown of the vulnerability published on Tuesday, Thomas says the bootloader component’s graphics package contains a bug that lets attackers sneak in their own code to run alongside the bootloader’s graphics under certain conditions, such as when the battery runs out or when the device is in the bootloader’s Download Mode.
Image: Max Thomas
Thomas says that threat actors who perfectly time an attack can gain the ability to run their own custom code, which could allow them to take over the bootloader, and inherently the entire device. A video demo is embedded below.
The bug impacts all LG smartphones utilizing QSEE (Qualcomm Secure Execution Environment) chips that use the EL1 or EL3 runtime firmware, and all LG devices running Android 7.2 and later.
Attack requires physical access
To be clear, the CVE-2020-12753 vulnerability is what researchers call a “cold boot attack,” meaning a vulnerability that can only be exploited by having physical access to a vulnerable device and connecting to it.
However, this doesn’t mean the bug is less impactful. In situations where a user’s device is stolen or seized, this vulnerability can be used to grant the new owner control over the device and to unlock its secrets.
LG has released a patch for this bug in the LVE-SMP-200006 security update, which the company released in early May 2020.
Device owners who have a daily threat model that includes losing access to their LG smartphone should look into applying the LVE-SMP-200006 update.
Thomas has also released proof-of-concept code he used to break the bootloader on an LG Stylo 4 smartphone.