Lenovo Smartphones and Mobile Devices Vulnerable to Root Hacking

Multiple different exploits were discovered on Lenovo's phones. While several models have already been patched, there remains to be many vulnerable to giving hackers root access.

Mobile giant Lenovo has officially come out with a statement that their VIBE line of smartphones are assailable to a local root vulnerability caused by at least three different software weaknesses. Several of the vulnerabilities are already addressed by Lenovo with patches already released, however, not all of the exploitable phones have been fixed yet.

Lenovo officials explained stated in an advisory that a hacker, who has physical access to the vulnerable mobile device can gain root privileges if there is no security system in place, like a PIN code or a password. If an attacker manages to obtain root privileges, then he or she can "modify the device's operation and functionality in myriad ways," according to the company's advisory.

According to Lenovo, a particular vulnerability called CVE-2017-374 gives improper access capabilities on the nac_server section, which, along with other exploits, can be misused, including CVE-2017-3749 and CVE-2017-3750. These exploits give attackers the ability to obtain root access to the corrupted device and possibly root it to assume direct control over it.

According to Lenovo's advisory, the three exploits are as follows:

• CVE-2017-3748 - Improper access controls on the nac_server component can be abused in conjunction with CVE-2017-3749 and CVE-2017-3750 to elevate privileges to the root user (commonly known as 'rooting' or "jail breaking" a device)
• CVE-2017-3749 - The Idea Friend Android application allows private data to be backed up and restored via Android Debug Bridge, which allows tampering leading to privilege escalation in conjunction with CVE-2017-3748 and CVE-2017-3750
• CVE-2017-3750 - The Lenovo Security Android application allows private data to be backed up and restored via Android Debug Bridge, which allows tampering leading to privilege escalation in conjunction with CVE-2017-3748

Of course, rooting a phone is clearly not the worst thing that can happen to you, or even your phone, though a chunk of the device's security protocols will likely be corrupted. Still, we mustn't forget that physical access to the device is needed to fully compromise it, so the average Lenovo user is probably going to avoid getting hit by these exploits.

Patches are available for some devices

Additionally, several phones that have since been updated to Android 6.0 Marshmallow are not vulnerable to these exploits anymore, and Lenovo states that patches have already been made available for a bunch of models, which were vulnerable before.

"Lenovo does not advise end users to root devices as it may adversely affect device security & stability. Users on older Android releases (earlier than Android 6.0 Marshmallow) are advised to take the following actions: 1) If you have enabled the Android Developer Options menu on your device (uncommon), disable ADB when not in use 2) Enable lock screen authentication mechanisms; e.g. PIN/Password protection," the company explains.

The devices that are still vulnerable to the exploits as of the time of writing are:

• A1600
• A2560
• A2800
• A2860
• A2880
• A3000
• A3500
• A3600-d
• A3600u
• A3800-d
• A3900
• A6000
• A6000-I
• A6600
• A6020i37
• A6800
• K30-E
• K30-W-cu
• K32c30
• K80M