Security researchers at Bitdefender have found multiple vulnerabilities impacting various versions of WebOS, the operating system used in LG smart TVs.
These security flaws pose significant risks, enabling unauthorized access and control over the affected TV models.
The Vulnerabilities Explained in Detail
The four identified vulnerabilities, labeled CVE-2023-6317 through CVE-2023-6320, allow attackers to bypass authorization, escalate privileges, and execute arbitrary commands on the affected devices.
CVE-2023-6317 enables attackers to bypass the TV’s authentication system and add unauthorized users to the device. This provides the initial foothold for the attacker to then exploit the other vulnerabilities.
CVE-2023-6318 is an elevation of privilege vulnerability that allows attackers to gain root access on the smart TV after the initial unauthorized access gained through CVE-2023-6317. With root-level privileges, the attacker can execute virtually any command on the device.
CVE-2023-6319 involves operating system command injection, which permits attackers to execute malicious commands by manipulating a library responsible for displaying music lyrics on the TV. This could allow the attacker to run arbitrary code on the device.
The fourth vulnerability, CVE-2023-6320, enables authenticated command injection by exploiting an API endpoint. Successful exploitation of this flaw grants the attacker privileges similar to those of the root user, enabling further malicious actions.
Widespread Exposure and Potential Consequences
Bitdefender’s research shows that these vulnerabilities impact a wide range of LG smart TV models running WebOS versions 4.9.7 through 7.3.1-43. This includes popular models like the LG43UM7000PLA, OLED55CXPUA, OLED48C1PUB, and OLED55A23LA.
The researchers conducted internet scans using the Shodan search engine and discovered over 91,000 exposed LG smart TVs that are potentially vulnerable to these flaws. This means a significant number of devices are at risk of being compromised.
The consequences of these vulnerabilities could be severe. Attackers could potentially gain full control of the TV, access user accounts (such as streaming service logins), and even use the device as a launching point to target other connected devices on the same network.
Additionally, compromised TVs could be enlisted in botnet-driven distributed denial-of-service (DDoS) attacks or cryptomining operations, further exploiting the device’s resources and network connectivity.
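To triage a device inventory against the affected range reported above (WebOS 4.9.7 through 7.3.1-43), the following is an added example, not code from Bitdefender or LG. It assumes firmware strings have the form `major.minor.patch` with an optional `-build` suffix; the function names and the sample inventory are constructed for illustration.

```python
import re

# Inclusive bounds of the affected range as stated in this article.
AFFECTED_MIN = "4.9.7"
AFFECTED_MAX = "7.3.1-43"

# Assumed format: three dotted numbers, optional "-build" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, build), or None if the string is malformed."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        return None
    major, minor, patch, build = match.groups()
    # Assumption: a missing build suffix sorts as build 0.
    return (int(major), int(minor), int(patch), int(build or 0))


def in_affected_range(version):
    """True/False for parseable versions, None when the version is unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Compare numeric tuples; plain string comparison would sort "4.10.0"
    # before "4.9.7" and wrongly clear that device.
    return parse_version(AFFECTED_MIN) <= parsed <= parse_version(AFFECTED_MAX)


def triage(inventory):
    """Group (name, version) pairs into affected / outside_range / unknown."""
    groups = {"affected": [], "outside_range": [], "unknown": []}
    for name, version in inventory:
        verdict = in_affected_range(version)
        if verdict is None:
            groups["unknown"].append(name)  # needs a manual check on the TV
        else:
            groups["affected" if verdict else "outside_range"].append(name)
    return groups


# Constructed sample inventory (names and versions are illustrative).
SAMPLE = [("living-room", "4.9.7"), ("bedroom", "4.10.0"), ("lobby", "7.3.1-43"),
          ("office", "7.3.1-44"), ("old-set", "3.9.0"), ("unlabelled", "n/a")]

if __name__ == "__main__":
    for group, names in triage(SAMPLE).items():
        print(group, names)
```

The article does not list the fixed version numbers, so `outside_range` only means the device is not inside the reported range; devices in `unknown` still need their version read from the TV's software update menu.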
Patching the Vulnerabilities and Staying Secure
Bitdefender reported the vulnerabilities to LG on November 1, 2023, but it took the vendor until March 22, 2024, to release the necessary security updates.
LG smart TV users are advised to apply the latest WebOS updates as soon as possible to address these critical security issues. To do so, go to the TV’s Settings > Support > Software Update menu and select “Check for Update.” Users can also enable automatic WebOS updates to ensure their devices are always up-to-date and protected.
It’s important to note that while smart TVs may not be considered as critical as other devices like laptops or smartphones, the severity of these vulnerabilities, particularly the ability to execute remote commands, should not be underestimated.
Compromised smart TVs can serve as a gateway for attackers to gain access to other devices on the same network, potentially exposing sensitive information or enabling further malicious activities.
Furthermore, smart TVs often have applications that require user accounts, such as streaming services. If an attacker gains control of a compromised TV, they could potentially steal these account credentials, leading to the compromise of other online services and accounts.
Conclusion
The discovery of these LG smart TV vulnerabilities serves as a stark reminder of the importance of keeping our connected devices secure.
Smart TV owners should prioritize installing the latest software updates to address these critical security issues and protect their devices and home networks from potential exploitation.
By staying vigilant and proactive, we can help safeguard our homes and personal information from cyber threats. Regularly updating smart TVs and other connected devices is crucial in this age of rapidly evolving cybersecurity risks.
Don’t wait – take action today to secure your smart TV and ensure your home network remains safe from malicious actors.