LG releases updates for vulnerabilities that could give hackers access to TVs

esteria.white

Four new vulnerabilities affecting thousands of LG TVs have been discovered by researchers who said the issues could allow hackers to add themselves as users and take other actions.

Researchers from cybersecurity company Bitdefender said the bugs – three of which have a severity rating of 9.1 out of 10 – affect LG WebOS, the software that comes with most LG TVs. The vulnerabilities affect WebOS versions 4 through 7.

LG did not respond to requests for comment but released fixes for the vulnerabilities as part of a software update on March 22.

Each of the vulnerabilities allows hackers to take a different action. CVE-2023-6317 helps an attacker add an additional user to the TV, while CVE-2023-6318 allows a hacker to elevate the access they gained with the first bug and take full control of the device.

CVE-2023-6317 affects the LG ThinQ smartphone app, which can be used to control the TV. “To configure the app, the user must enter a PIN code on the TV screen. An error in the account manager allows an attacker to completely bypass PIN verification and create a privileged user profile,” Bitdefender said.

“We can request the creation of an account without authorization, which will be automatically granted. After creating a privileged account without user interaction, we now have access to a large attack surface that was previously inaccessible.”

Two other bugs – CVE-2023-6319 and CVE-2023-6320 – allow attackers to drop malware on the device, monitor traffic, or move around a smart home network.

Bitdefender researchers said a search on the security tool Shodan initially showed that more than 91,000 LG devices worldwide are exposed to the internet and vulnerable to these four bugs.

But since the report was published, this figure has dropped to around 87,500 – more than half are in South Korea, but thousands are also in Finland, Sweden, the United States and Hong Kong.

Bitdefender said it disclosed the issues to LG on November 1, and the company confirmed the issues two weeks later. LG requested an extension in December before patching the vulnerabilities last month.

Bitdefender noted that the vulnerabilities were discovered as part of a broader effort by the company to examine the security of popular IoT hardware.

IoT devices have become a popular target of hackers, who often add exposed devices to powerful botnets that facilitate larger, even more devastating attacks.
