Researchers from Bitdefender unveiled a series of critical vulnerabilities in LG’s WebOS, the operating system powering its smart TVs.
The findings, part of Bitdefender’s ongoing efforts to enhance IoT security, spotlight significant flaws in WebOS versions 4 through 7, potentially affecting millions of users worldwide.
Root Access Gained Through Exploits
The vulnerabilities enable unauthorized root access to the affected LG TVs, bypassing the built-in authorization mechanisms.
Vulnerable OS versions
- webOS 4.9.7 – 5.30.40 running on LG43UM7000PLA
- webOS 5.5.0 – 04.50.51 running on OLED55CXPUA
- webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB
- webOS 7.3.1-43 (mullet-mebin) – 03.33.85 running on OLED55A23LA
This level of access allows attackers to control the TV remotely, posing a severe privacy and security risk to users.
The compromised service, intended exclusively for local area network (LAN) access, was found to be reachable from the internet on more than 91,000 devices, according to Shodan, a search engine for internet-connected devices.
CVE-2023-6317: Bypassing Security Measures
One of the critical vulnerabilities, identified as CVE-2023-6317, involves manipulation of the LG ThinQ smartphone app, which is used for remote control of the TV.
Attackers can exploit the app’s setup process by creating a privileged account without the user’s knowledge or consent.
This is achieved by bypassing the PIN confirmation step, a security measure intended to verify the identity of the person setting up the app.
The vulnerability affects multiple versions of WebOS, including 4.9.7, 5.5.0, 6.3.3-442, and 7.3.1-43, exposing to attackers a broad attack surface that was previously inaccessible.
CVE-2023-6318: Command Injection Flaws
Further investigation revealed two authenticated command injection vulnerabilities that lead to root access, and another that allows commands to run as the dbus user.
These flaws are exploited through the processAnalyticsReport method, which requires three parameters: type, reportFile, and originalFile.
By setting the type parameter to analytic, attackers can execute unauthorized commands. This vulnerability, tagged as CVE-2023-6318, affects WebOS versions 5.5.0, 6.3.3-442, and 7.3.1-43.
Implications and Recommendations
The discovery of these vulnerabilities underscores the critical need for robust security measures in IoT devices, particularly smart TVs, which have become integral to modern homes.
Users are advised to ensure their devices’ firmware is up to date and to restrict remote access to their TVs to mitigate the risk of unauthorized access.
LG has been notified of these findings, and efforts are underway to address the vulnerabilities through firmware updates.
However, the incident serves as a stark reminder of the evolving landscape of cybersecurity threats and the importance of proactive security practices in safeguarding digital lives.