91,000 Smart LG TV Devices Vulnerable to Remote Takeover

Cybersecurity researchers from Bitdefender discovered critical vulnerabilities in LG TVs running webOS versions 4 through 7. These vulnerabilities could allow attackers to gain complete control over the TV, steal data, or install malware.

The vulnerabilities were identified by Bitdefender as part of their research into the security of popular IoT devices. They found that attackers could bypass authentication mechanisms and create new user accounts with elevated privileges. This would allow them to take full control of the TV, including injecting malicious code, stealing data, or moving laterally across the smart home network.

Bitdefender responsibly disclosed the vulnerabilities to LG in November 2023. LG confirmed the vulnerabilities in November and released a patch in March 2024. However, Bitdefender waited until today, April 9th, 2024, to publicly disclose the details of the vulnerabilities to raise awareness among users and encourage them to update their TVs.

****What LG TV models are affected?****

The following LG TV models are affected by these vulnerabilities:

• LG TVs running webOS 4.9.7 – 5.30.40 (e.g., LG43UM7000PLA)
• LG TVs running webOS 5.5.0 – 04.50.51 (e.g., OLED55CXPUA)
• LG TVs running webOS 7.3.1-43 (mullet-mebin) – 03.33.85 (e.g., OLED55A23LA)
• LG TVs running webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 (e.g., OLED48C1PUB.

The first vulnerability, identified as CVE-2023-6317, permits attackers to bypass the authorization mechanism, enabling them to add users to the TV set by manipulating a specific variable.

In a subsequent step, attackers can exploit another vulnerability (CVE-2023-6318) to escalate their access privileges to root, effectively gaining full control over the device.

Furthermore, a third vulnerability (CVE-2023-6319) allows for operating system command injection by tampering with a library responsible for displaying music lyrics. Lastly, the CVE-2023-6320 vulnerability enables attackers to inject authenticated commands through manipulation of the API endpoint.

****Most Impacted Countries****

A glimpse into Shodan, the search engine designed to uncover misconfigured and exposed Internet of Things (IoT) devices, reveals the most impacted countries in terms of smart device vulnerabilities. South Korea leads the list of 91,938 exposed devices, followed by Hong Kong and the United States in second and third place, respectively.

Screenshot: Bitdefender

****What should LG TV owners do?****

LG released a patch to address these vulnerabilities in March 2024. LG TV owners should update their TVs to the latest software version as soon as possible. You can usually check for updates in the TV’s settings menu.

1. Say Hello to Ransomware Targeting Smart TV
2. Hacker Shows How Smart TVs Can Be Remotely Hacked
3. Critical Vulnerability Found in Samsung’s Tizen-based Smart TV
4. LG Smart TV Screen Bricked After Android Ransomware Infection
5. Smart TVs make screenshots every second, send them to the server