Article Details
Scrape Timestamp (UTC): 2024-04-09 13:02:05.192
Original Article Text
Over 90,000 LG Smart TVs may be exposed to remote attacks.
Security researchers at Bitdefender have discovered four vulnerabilities impacting multiple versions of WebOS, the operating system used in LG smart TVs. The flaws enable varying degrees of unauthorized access and control over affected models, including authorization bypasses, privilege escalation, and command injection.
The potential attacks hinge on the ability to create arbitrary accounts on the device using a service that runs on ports 3000/3001, which is available for smartphone connectivity, using a PIN.
Bitdefender explains that although the vulnerable LG WebOS service is supposed to be used only in local area networks (LAN) settings, Shodan internet scans show 91,000 exposed devices that are potentially vulnerable to the flaws.
The four flaws are summarized as follows:
The vulnerabilities impact webOS 4.9.7 – 5.30.40 on LG43UM7000PLA, webOS 04.50.51 – 5.5.0 on OLED55CXPUA, webOS 0.36.50 – 6.3.3-442 on OLED48C1PUB, and webOS 03.33.85 – 7.3.1-43 on OLED55A23LA.
Bitdefender reported its findings to LG on November 1, 2023, but it took the vendor until March 22, 2024, to release the related security updates.
Though LG TVs alert users when important WebOS updates are available, those can be postponed indefinitely. Therefore, impacted users should apply the update by going to the TV's Settings > Support > Software Update, and selecting "Check for Update." Applying WebOS updates automatically when available can be enabled from the same menu.
Though TVs are less critical in terms of security, the severity of remote command execution remains potentially significant in this case as it could give attackers a pivot point to reach other, more sensitive devices connected to the same network. Moreover, smart TVs often have applications that require accounts, like streaming services, which the attacker could potentially steal to take control of those accounts.
Finally, vulnerable TVs can be compromised by malware botnets that enlist them in distributed denial of service (DDoS) attacks or use them for cryptomining.
Daily Brief Summary
Over 90,000 LG smart TVs are susceptible to remote attacks due to four vulnerabilities found in the WebOS operating system by Bitdefender researchers.
The security flaws enable unauthorized access, allowing for actions like authorization bypass, privilege escalation, and command injection through a service that connects to smartphones.
Shodan internet scans show that many of these smart TVs are visible online, indicating that a large number of devices are at risk.
The affected models and WebOS versions span from webOS 4.9.7 to 7.3.1-43 across various LG smart TV models.
LG was notified about the vulnerabilities in November 2023 and took until March 2024 to issue security updates, which users need to apply manually.
The importance of timely WebOS updates has been underscored as vulnerable devices might serve as entry points for further attacks on connected devices and networks.
Smart TVs, due to their role in users' digital lives, could be leveraged for botnet DDoS attacks, cryptomining, or to hijack associated streaming service accounts.