90k+ LG TVs Vulnerable to Authorization Attacks

Bitdefender Labs has revealed a critical security flaw in over 90,000 LG smart TVs running the company’s proprietary WebOS platform.

If exploited, the vulnerability could allow attackers to gain unauthorized access to the TV’s functions and potentially the user’s home network.

The Discovery of the Flaw

Cybersecurity experts at Bitdefender have identified a series of vulnerabilities in LG’s WebOS, which is used in a wide range of LG smart TVs.

The vulnerabilities are related to improper authentication mechanisms within the system that malicious actors could bypass.

The core issue lies in the way WebOS handles file permissions and authentication processes.

The system fails to adequately verify whether a request has been made by an authorized entity, which could allow an attacker to execute unauthorized commands.

Specifically, the vulnerability can be traced to a service within WebOS known as “com.webos.service.networkinput,” which listens for incoming network requests.

CVE-2023-6317: The attacker can bypass the authorization mechanism in WebOS versions 4 through 7.
CVE-2023-6318: This flaw allows attackers to elevate the access they gained in the first step to root and fully take over the device
CVE-2023-6319: Flaw allows operating system command injection by manipulating a library responsible with showing music lyrics.
CVE-2023-6320: vulnerability lets an attacker inject authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint.

This service is intended to allow users to interact with their TV via mobile applications or other devices.

However, due to insufficient security checks, an attacker could mimic the legitimate communication between the TV and authorized devices.

Potential Risks and Impacts

The exploitation of this vulnerability could lead to several adverse scenarios:

• Unauthorized Access: Attackers could gain control over the TV’s functions, change channels, adjust volume, or play arbitrary media content.
• Privacy Breach: Sensitive information such as account credentials and personal data could be at risk if the TV is used to access online services.
• Network Intrusion: Since smart TVs are often connected to home networks, this vulnerability could serve as a gateway for attackers to compromise other devices on the same network.

Upon discovery, Bitdefender promptly notified LG of the vulnerabilities, and the electronics giant has since been working on a patch to address the issue.

LG TV owners are advised to ensure their devices are set to receive automatic updates, which will apply the security fix once it is released.

In the meantime, users can take the following steps to mitigate the risk:

• Network Segmentation: Isolate the smart TV on a separate network segment to limit its interaction with other devices.
• Regular Monitoring: Keep an eye on any unusual activity on the TV or the network it is connected to.
• Vendor Updates: Follow LG’s announcements for updates regarding the vulnerability and apply patches as soon as they become available.

This incident serves as a stark reminder of the growing security challenges in the Internet of Things (IoT) landscape.

As more devices become interconnected, the potential for security breaches increases.

Manufacturers and users alike must prioritize security to protect against unauthorized access and ensure the privacy and safety of users.

Stay tuned for further developments on this story as LG works to secure its smart TVs against potential authorization attacks.

Secure your emails in a heartbeat! Take Trustifi's free 30-second assessment and get matched with your ideal email security vendor - Try Here