TL;DR:
- Thousands of LG smart TVs are vulnerable to being hacked due to security flaws in webOS
- The vulnerabilities allow hackers to create privileged accounts and gain unrestricted access to the TV
- LG has released software updates to patch the vulnerabilities
- Users should enable automatic updates or manually install the latest LG security update to protect their TVs from this LG TV hack
Attention all LG smart TV owners: your beloved entertainment hub may be at risk of falling into the wrong hands. A recent report from cybersecurity firm Bitdefender has revealed that thousands of LG TVs around the world are vulnerable to being taken over by hackers due to critical security flaws.
Understanding the LG TV Hack
So, what exactly is this LG TV hack all about? In a nutshell, the vulnerabilities discovered by Bitdefender allow malicious actors to create privileged user profiles on affected TVs without needing to enter a PIN code. This essentially grants them unrestricted access to the TV’s operating system and all its features.
The security flaws impact several versions of LG’s webOS platform, including 4.9.7, 5.5.0, 6.3.3-442, and 7.3.1-43. Some of the specific TV models confirmed to be affected are the LG43UM7000PLA, OLED55CXPUA, OLED48C1PUB, and OLED55A23LA. However, it’s important to note that any LG TV running the vulnerable LG webOS versions could potentially be at risk.
In case you are curious, here are the technical details from Bitdefender:
WebOS runs a service on ports 3000/3001 (HTTP/HTTPS/WSS) which is used by the LG ThinQ smartphone app to control the TV. To set up the app, the user must enter a PIN code into the display on the TV screen. An error in the account handler lets an attacker skip the PIN verification entirely and create a privileged user profile.
The function that handles account registration requests uses a variable called skipPrompt which is set to true when either the client-key or the companion-client-key parameters correspond to an existing profile. It also takes into consideration what permissions are requested when deciding whether to prompt the user for a PIN, as confirmation is not required in some cases.
We can request the creation of an account with no permissions, which will be automatically granted. Then we request another account with elevated permissions, but we specify the companion-client-key variable to match the key we got when we created the first account. The server will confirm that this key exists but will not verify if it belongs to the correct account. Thus, the skipPrompt variable will be true and the account will be created without requesting a PIN confirmation on the TV.
This vulnerability, identified as CVE-2023-6317, has been confirmed to affect webOS 4.9.7, 5.5.0, 6.3.3-442, and 7.3.1-43.
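The skipPrompt decision described above can be modelled in a few lines of C. This is an added example, not Bitdefender's or LG's code: the profile store, the permission bits and both function names are hypothetical, and the "fixed" variant is one assumed way to close the gap, not LG's actual patch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the pairing store; every name is hypothetical. */
struct profile { const char *client_key; unsigned perms; };
#define PERM_NONE  0u
#define PERM_TOAST (1u << 0) /* stands in for WRITE_NOTIFICATION_TOAST */
#define PERM_NET   (1u << 1) /* stands in for READ_NETWORK_STATE */

/* Constructed state: one profile registered earlier with no permissions. */
static const struct profile DB[] = { { "key-A", PERM_NONE } };
#define DB_LEN (sizeof DB / sizeof DB[0])

static const struct profile *find_key(const char *key)
{
    for (size_t i = 0; key && i < DB_LEN; i++)
        if (strcmp(DB[i].client_key, key) == 0)
            return &DB[i];
    return NULL;
}

/* Flawed decision as described: any key that exists suppresses the PIN. */
int skip_prompt_flawed(const char *client_key, const char *companion_key,
                       unsigned requested)
{
    if (requested == PERM_NONE)
        return 1;
    return find_key(client_key) != NULL || find_key(companion_key) != NULL;
}

/* Assumed fix: a key vouches only for permissions its own profile
 * already holds; anything beyond that set needs the on-screen PIN. */
int skip_prompt_fixed(const char *client_key, const char *companion_key,
                      unsigned requested)
{
    const struct profile *p = find_key(client_key);
    if (p == NULL)
        p = find_key(companion_key);
    unsigned granted = p ? p->perms : PERM_NONE;
    return (requested & ~granted) == 0;
}

int main(void)
{
    unsigned want = PERM_TOAST | PERM_NET;
    printf("flawed skips PIN: %d\n", skip_prompt_flawed(NULL, "key-A", want));
    printf("fixed skips PIN:  %d\n", skip_prompt_fixed(NULL, "key-A", want));
    return 0;
}
```

The point for reviewers of similar pairing code: checking that a key exists is not the same as checking what that key is entitled to.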
Having created a privileged account without user interaction, we now have access to a large attack surface that was inaccessible before. We have found two authenticated command injection vulnerabilities that lead to root access, and another that runs commands as the dbus user.
Authenticated command injection in the processAnalyticsReport method from the com.webos.service.cloudupload service
The processAnalyticsReport method requires three parameters: type, reportFile, and originalFile. When the type parameter is set to analytic the reportFile parameter will be passed to a system command without being sanitized.
Although requests to this method cannot be performed directly, we can use another endpoint, system.notifications/createAlert, to bypass this restriction, accessible only to authenticated users who have the WRITE_NOTIFICATION_TOAST permission. The onclose parameter supported by this endpoint allows us to perform internal requests to services that are not exposed, similar to SSRF. After we create the notification, we trigger the onclose call through the system.notifications/closeAlert endpoint, performing the request to the vulnerable endpoint.
The specified file must exist on the device, but we can bypass this constraint by using the download method from the com.webos.service.downloadmanager service, which will create a file in the /media/internal/downloads/ directory with an arbitrary filename. Both the processAnalyticsReport and download methods can be accessed through the createAlert endpoint.
The vulnerable command is created on line 83 and executed on line 84:
This vulnerability, identified as CVE-2023-6318, has been confirmed to affect webOS 5.5.0, 6.3.3-442, and 7.3.1-43.
Authenticated command injection in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service
The getAudioMetadata method requires two parameters: deviceId and fullPath. While the deviceId parameter is not important, the fullPath parameter will be passed, under certain conditions, to a system command without being sanitized. If this parameter points to a file with the .mp3 extension the service will search in the same directory for the corresponding lyrics file with the same name (.lrc extension). If found, the first four bytes of the lyrics file will be compared with the sequence \xFF\xFE\x00\x00. If they match (meaning that the file is UTF-16/32 encoded) the service will try to decode it using the iconv binary. This binary will be called together with the full filename without prior sanitization, leading to command injection.
Both the .mp3 and .lrc files must exist on the device and can be created using the download method mentioned earlier. All required methods can be accessed through the createAlert endpoint.
The vulnerable code in convLrcStringByBinary from the asm binary:
This vulnerability, identified as CVE-2023-6319, has been confirmed to affect webOS 4.9.7, 5.5.0, 6.3.3-442, and 7.3.1-43.
Authenticated command injection in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint allows execution of commands on the device as dbus
The setVlanStaticAddress endpoint requires three parameters: ip_address, bcast_address, and netmask. All three parameters will be passed to a system command without being sanitized. Before calling this endpoint, we must first call the createVirtualLan endpoint. These endpoints require the READ_NETWORK_STATE permission.
Although the user that executes the commands is dbus, this account has similar permissions as the root user.
Vulnerable code in handle_set_vlan_static_address_command from libwca2.so library:
This vulnerability, identified as CVE-2023-6320, has been confirmed to affect webOS 5.5.0 and 6.3.3-442.
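The three command injections above (reportFile, the .lrc filename handed to iconv, and the setVlanStaticAddress fields) share one root cause: caller-supplied text reaches a shell. The following added example, which is not LG's code or patch, shows the general hardened pattern for the setVlanStaticAddress case: strict parsing of the three fields, then spawning the tool with an argument vector and no shell. The handler name and the NET_TOOL placeholder are assumptions.

```c
#include <arpa/inet.h>
#include <spawn.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
extern char **environ;
#define NET_TOOL "true" /* placeholder; not the command webOS really runs */

/* Strict dotted-quad parse; inet_pton rejects trailing bytes like ';'. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (s == NULL || inet_pton(AF_INET, s, &a) != 1)
        return -1;
    *out = ntohl(a.s_addr);
    return 0;
}

/* Spawn argv[0] directly: no shell parses the arguments. */
static int run_argv(char *const argv[])
{
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hypothetical hardened handler: -1 on rejected input, else exit status. */
int set_vlan_static_address(const char *ip, const char *bcast, const char *mask)
{
    uint32_t i, b, m;
    if (parse_ipv4(ip, &i) || parse_ipv4(bcast, &b) || parse_ipv4(mask, &m))
        return -1;
    if ((~m & (~m + 1)) != 0 || b != (i | ~m)) /* contiguous mask, matching bcast */
        return -1;
    char *argv[] = { NET_TOOL, (char *)ip, (char *)bcast, (char *)mask, NULL };
    return run_argv(argv);
}

int main(void)
{
    /* Constructed inputs: one well-formed request, one carrying shell syntax. */
    printf("%d\n", set_vlan_static_address("192.168.10.5", "192.168.10.255", "255.255.255.0"));
    printf("%d\n", set_vlan_static_address("192.168.10.5;x", "192.168.10.255", "255.255.255.0"));
    return 0;
}
```

For the filename cases, where an allowlist of characters is impractical, the argument-vector call alone is what removes the injection: the name arrives at the program as a single literal argument.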
The Risks of a Compromised Smart TV
You might be wondering, “So what if a hacker gains control of my TV? It’s not like they can steal my bank details from it, right?” Well, while your TV may not hold your financial information, a compromised smart TV can still pose significant risks to your privacy and security.
An attacker with access to your LG TV could potentially:
- Access your paid streaming accounts and personal profiles
- Monitor your viewing habits and preferences
- Install malicious apps or software without your knowledge
- Enroll your TV in a botnet for coordinated cyberattacks
- Exploit any webcams or microphones connected to the TV
Protecting Your TV from the LG TV Hack
Thankfully, LG has been proactive in addressing these vulnerabilities. The company has released an LG security update that patches the security holes and protects users’ TVs from potential takeover attempts.
To ensure your LG TV is safe, you should:
- Enable automatic software updates in your TV’s settings menu
- Manually check for and install any available updates
- Confirm that your TV is running the latest version of webOS
It’s worth noting that local network access is required for hackers to initially exploit these vulnerabilities. As a general best practice, avoid connecting your smart TV to unfamiliar or public Wi-Fi networks.
Don’t Let Hackers Control Your LG TV: Install the Latest Patch ASAP
While the idea of your TV being hacked may be unsettling, there’s no need to panic or swear off smart TVs altogether. By staying informed about potential risks and taking proactive steps to secure your devices with regular updates, you can continue to enjoy the convenience and entertainment of your LG TV without compromising your security.
So go ahead, grab that remote, and make sure your LG TV is patched and ready to provide you with a safe, hassle-free viewing experience. While you’re messing around with your LG TV settings, here’s how to make live TV your default screen instead of the LG TV menu.
Hi, I’m Zack Applegate. I’m a technology writer at MethodShop.