LG On Screen Phone authentication bypass vulnerability ------------------------------------------------------ SEARCH-LAB Ltd. discovered a serious security vulnerability in the On Screen Phone protocol used by LG Smart Phones. A malicious attacker is able to bypass the authentication phase of the network communication, and thus establish a connection to the On Screen Phone application without the owner’s knowledge or consent. Once connected, the attacker could have full control over the phone – even without physical access to it. The attacker needs only access to the same local network as the phone is connected to, for example via Wi-Fi. What is LG On Screen Phone? --------------------------- The LG On-Screen Phone application (OSP) makes it easy to access and control LG’s Android smartphones through a PC. The connection can be established either by using an USB cable or wirelessly through Wi-Fi or Bluetooth. When attempting to connect to the phone via OSP, a popup dialog is displayed on the phone and it is to be confirmed and accepted by the owner. Once the channel is established, the screen contents of the device are being transmitted to the PC as a motion stream, mouse clicks on the PC are turned into touch events on the phone. By using OSP one can control an LG Smart Phone just like it was in their hands. CVE --- The ID CVE-2014-8757 was assigned to this vulnerability. Affected Versions ----------------- LG On Screen Phone v4.3.009 (inclusive) and older versions of the application are vulnerable. This vulnerability was fixed in LG OSP v4.3.010 Most smart phone models of LG are affected and the OSP application is even preinstalled, and there is no option to uninstall or stop it. On newer models, like G3 the OSP application is not preinstalled anymore. Technical details ----------------- The vulnerable code resides in the On Screen Phone component: shell () geehrc:/ $ps |grep osp system 1411 303 559616 44504 ffffffff 00000000 S com.lge.osp It is started automatically on boot and there is no way in the system settings to turn it off. The process is listening on 0 0.0.0.0:8382: shell () geehrc:/ $ netstat -nap|grep 8382 netstat -nap|grep 8382 tcp 0 0 0.0.0.0:8382 0.0.0.0:* LISTEN The LG On Screen Phone client software running on PC connects to this TCP port. After receiving the initial banner, the client sends the following binary message to the server running on the phone: 00000000 18 00 1c 96 dd 82 c2 31 0a 0d 5a dc 05 2a 23 f4 ......1..Z..*#. 00000010 21 a5 d3 02 01 00 00 34 33 30 39 30 !......43090 This message triggers the confirmation dialog on the phone asking the user whether they wanted to allow this connection. If the user hits cancel, the phone server sends a response with a negative message to the client and then closes the TCP connection immediately. However, the server process does not require this message to be sent before serving another requests, like initiating the video stream or submitting files, handling key/touchscreen events, notifications. Using a modified client it is possible to connect to the phone without the confirmation dialog being displayed on the phone. The attacker has full control over the phone. Timeline -------- SEARCH-LAB Ltd. responsibly reported this threat to the manufacturer in September 2014 who confirmed the severity of the issue and started working on the fix in turn. The patched version of the application is now available to download through LG’s Update Center and/or will be available in form of Maintenance Release for some models. LG smartphone users should make sure to have at least version 4.3.010 of the On Screen Phone (OSP) application installed. Please note that when OSP is pre-installed, the device is vulnerable by default – OSP is started automatically and cannot be disabled in Settings. Links ----- https://www.youtube.com/watch?v=Wd8XydalVas https://github.com/irsl/lgosp-poc/