LG releases updates for vulnerabilities that could allow hackers to gain access to TVs
Four new vulnerabilities affecting thousands of LG TVs have been found by researchers who said the issues could allow hackers to add themselves as users and take other actions.
Researchers from cybersecurity firm Bitdefender said the bugs — three of which carry a 9.1 out 10 severity rating — center on LG WebOS, the software that comes on most LG TVs. The vulnerabilities affect WebOS versions 4 through 7.
LG did not respond to requests for comment but released patches for the vulnerabilities as part of a software update on March 22.
Each of the vulnerabilities allows hackers to take a different action. CVE-2023-6317 helps an attacker add an extra user to the TV set while CVE-2023-6318 allows a hacker to elevate the access they gained with the first bug and fully take over a device.
CVE-2023-6317 affects the LG ThinkQ smartphone app, which can be used to control the TV. “To set up the app, the user must enter a PIN code into the display on the TV screen. An error in the account handler lets an attacker skip the PIN verification entirely and create a privileged user profile,” Bitdefender said.
“We can request the creation of an account with no permissions, which will be automatically granted. Having created a privileged account without user interaction, we now have access to a large attack surface that was inaccessible before.”
Two other bugs — CVE-2023-6319 and CVE-2023-6320 — allow attackers to drop malware on the device, monitor traffic or move throughout a smart home network.
Bitdefender researchers said a search on security tool Shodan initially showed that more than 91,000 LG devices around the world are exposed to the internet and vulnerable to these four bugs.
But since the publication of the report, that number has dropped to around 87,500 — more than half are located in South Korea, but thousands are also in Finland, Sweden, the U.S. and Hong Kong.
Bitdefender said it disclosed the issues to LG on November 1 and the company confirmed the issues two weeks later. LG asked for an extension in December before patching the vulnerabilities last month.
Bitdefender noted that the vulnerabilities were found as part of a larger effort by the company to examine the security of popular IoT hardware.
IoT devices have become a popular target for hackers who often add exposed devices to powerful botnet networks that facilitate larger, more devastating attacks.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.