counter easy hit

LG TVs could be hacked to let criminals spy on you — and that

LG TVs could be hacked to let criminals spy on you — and that
0
A digital padlock on a blue digital background.

(Image credit: Shutterstock / vs148)

Your LG TV could be the biggest security vulnerability in your home or your office, new research from Bitdefender has found.

The LG WebOS TV operating system’s versions 4 through 7 are seemingly riddled with security vulnerabilities that allow hackers to add themselves as a user, take over the device and exploit command injection vulnerabilities to their hearts delight.

Over 91,000 devices are exposed via their internet connection, despite the vulnerable service’s intended use being LAN access only.

Triple escalation of vulnerabilities

The first vulnerability, tracked as CVE-2023-6317, allows the hacker to skirt around the TV’s authorization mechanisms and by changing a single variable, add themselves as a user on the TV. Next, by abusing the vulnerability tracked as CVE-2023-6318, the hacker can give themselves total access to the device paving the way for command injection.

By abusing two more vulnerabilities, tracked as CVE-2023-6319 and CVE-2023-6320, the hacker can either manipulate a music lyrics library to allow OS command injection, or the attacker can manipulate a specific API endpoint to inject authenticated commands.

The vulnerable device models are:

  • LG43UM7000PLA running webOS 4.9.7 – 5.30.40
  • OLED55CXPUA running webOS 5.5.0 – 04.50.51
  • OLED48C1PUB running webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50
  • OLED55A23LA running webOS 7.3.1-43 (mullet-mebin) – 03.33.85

A patch was released to address these vulnerabilities on March 22, being made available for the above models from April 10, so it is worth checking the OS system version of vulnerable LG TV devices to ensure the patch has been installed.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

More from TechRadar Pro

  • Bitdefender now has identity protection for Gmail and Outlook
  • Here is our guide to the best malware removal tools
  • Hyper-secure credential sharing is here – Keeper Security introduces time-limited access and self-destructing records

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division),  then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

Leave A Reply

Your email address will not be published.