In an advisory report published online by MWR Labs on Jan. 16, three LG devices have been found to have a severe vulnerability. Perhaps shockingly, the devices affected by the vulnerability are from the same device family and span 3 generations of that family. The devices include LG's G3, G4, and G5 flagship devices. While there are two distinct vulnerabilities listed, both are tied directly to how the three devices store and retrieve data saved in the cloud and both vulnerabilities affect all three devices. Both of the vulnerabilities are tied to the devices' "SmartShare.Cloud" application. Smart Cloud acts as a go-between for several cloud services. The vulnerabilities also both require that the malicious party knows the name of files stored in the cloud. However, that is where the similarities between the two basically end.
The first vulnerability – called a "Path Traversal" in the report – works by allowing the attacker to change the API call being made to Dropbox. The vulnerability allows an attacker to make the file or folder shareable without requiring authentication or interaction from the owner of the file or folder. It is caused by LG SmartShare.Cloud not validating that the URL does not contain "possibly malicious characters." The second of the two vulnerabilities is listed as an "Arbitrary File Disclosure" type vulnerability. This was caused by the SmartShare application launching an "HTTP Server" listener "on all interfaces." With the second vulnerability, an attacker can retrieve any media file from either the Box or Dropbox storage of a user.
It is not uncommon for devices to have vulnerabilities. It may come as a relief to know that both of the vulnerabilities, in this case, require the attacker to be on the same network – in addition to knowing file or folder names. Additionally, vulnerability patch roll-outs generally happen over a short time scale once they are discovered. Sometimes those vulnerabilities are even discovered or announced to be deliberate – or at very least a part of the underlying infrastructure of an application. It is much more rarely that a vulnerability applies to three devices from three different generations. On the bright side, MWR Labs' report also says that LG has a security update to fix the problem – saying that the OTA update 2.4.0 has "mitigated this issue." If you have received the update, then the problem should be fixed for you. If you haven't, it may be best to avoid using Dropbox for your cloud backups until the update hits your device.