91,000 LG TVs may be affected by the vulnerability

Up to 91,000 LG TVs could be at risk of being hacked unless they receive a newly released security update that patches four critical vulnerabilities discovered late last year.

The vulnerabilities were found in four LG TV models, with the most affected devices located in South Korea, followed by Hong Kong, the United States, Sweden and Finland. The models are:

  • LG43UM7000PLA webOS 4.9.7 – 5.30.40.
  • OLED55CXPUA webOS 5.5.0 – 04.50.51.
  • OLED48C1PUB webOS 6.3.3-442 – 03.36.50.
  • OLED55A23LA webOS 7.3.1-43 – 03.33.85.

According to Bitdefender, malicious hackers can gain root (administrator) access to the devices and run commands at the operating-system level. The vulnerabilities are in internal services that let users control their TVs from their phones; the flaws let attackers bypass the authentication measures designed to ensure that only authorized devices can use those capabilities.

“These vulnerabilities allow root access on a TV after bypassing the authorization mechanism. Although the vulnerable service is only intended for local area network (LAN) access, Shodan, a search engine for Internet-connected devices, identified more than 91,000 devices exposing this service to the Internet,” researchers at Bitdefender wrote.

Three of one

The main vulnerability enabling these threats lies in a service that allows TVs to be controlled by LG's ThinQ smartphone app if they are connected to the same local network. The service is designed to require the user to enter a PIN to prove authorization, but a bug allows someone to skip this verification step and be treated as authorized. This vulnerability is tracked as CVE-2023-6317.

Once attackers have this level of control, they can exploit three other vulnerabilities:

  • CVE-2023-6318, which allows attackers to gain root privileges.
  • CVE-2023-6319, which allows injection of operating system commands by manipulating a library used for displaying music lyrics.
  • CVE-2023-6320, which allows injection of authenticated commands by manipulating an application interface.

According to LG's support pages, the phone and TV must be connected to the same network for the ThinQ app to work. A Bitdefender representative confirmed in an email that local access is required to exploit the vulnerabilities, but noted that once devices are compromised, they can be controlled remotely.

The problem should not be taken seriously

In any case, the vulnerabilities are serious enough to warrant patching, as someone with unauthorized access to the TV could potentially access connected paid accounts, track viewing habits, install apps, or enlist the devices in a botnet. It's not clear why so many LG TVs appear in the Shodan results.

Although many devices are set to install updates automatically, it's a good idea to check your firmware settings to make sure you have the latest version installed. Exact instructions vary by model, but in general you'll need to go to Settings > All Settings > Support, select Software update, then Check for updates. If an update is available, select Download and install.
