Advisory

LG Smart TVs vulnerable to hacking, over 90,000 exposed to the internet

Take action: If you have a smart TV, NEVER connect it directly to the internet. Keep it on a local, trusted network. If you use an LG TV (or any other smart TV), update it as soon as possible. Smart TV operating systems are not well maintained, so they should not be trusted too much.

Learn More

Bitdefender researchers have detected critical flaws in webOS, the operating system of LG smart TVs. These flaws could allow attackers to gain root access to the devices and execute commands at the operating system level.

  • The central vulnerability, tracked as CVE-2023-6317 (CVSS score 7.2), is in a service that enables control of the TV via LG's ThinQ smartphone app. The flaw allows attackers to bypass PIN code verification and create a privileged user profile without user interaction.
  • Exploitation of this vulnerability could lead to further attacks leveraging additional vulnerabilities: CVE-2023-6318, CVE-2023-6319, and CVE-2023-6320 (all with CVSS score 9.1), enabling privilege elevation, OS command injection, and the injection of authenticated commands, respectively.

The vulnerabilities affect the following models:

  • LG43UM7000PLA running webOS 4.9.7 - 5.30.40
  • OLED55CXPUA running webOS 5.5.0 - 04.50.51
  • OLED48C1PUB running webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50
  • OLED55A23LA running webOS 7.3.1-43 (mullet-mebin) - 03.33.85

Despite the services being intended for LAN access only, a scan by Shodan revealed that over 91,000 of these devices were exposed to the internet, with the majority of the internet-connected TVs located in South Korea, followed by Hong Kong, the U.S., Sweden, and Finland.

LG released an updated webOS version on March 22, 2024. Owners of the affected models are advised to isolate the TVs from the internet and update them through the settings menu.
