Bitdefender recently discovered critical vulnerabilities in LG smart TVs running webOS versions 4.9.7 through 7.3.1, affecting various models [3] [4] [8].

Description

These vulnerabilities, identified as CVE-2023-6317 [2] [8], CVE-2023-6318 [1] [2] [4] [5] [6] [7] [8], CVE-2023-6319 [1] [2] [4] [5] [6] [7] [8], and CVE-2023-6320 [1] [2] [4] [7] [8], allow attackers to bypass authentication measures [6], escalate privileges [3], inject OS commands [1] [3] [6], perform authenticated command injections [1] [3] [4], and gain root access [6].

The individual flaws are an authorization mechanism bypass (CVE-2023-6317) enabling user creation without proper authentication [4], authenticated command injection (CVE-2023-6318) for root access [4], command execution via music lyrics display (CVE-2023-6319) [4], and authenticated command injection through the setVlanStaticAddress API (CVE-2023-6320) [4].

Over 91,000 devices in South Korea, Hong Kong [6], the US [6], Sweden [6], and Finland were impacted by these flaws. LG was notified about these vulnerabilities on November 1, 2023, and released security patches on March 22, 2024. The March 2024 updates address vulnerabilities that could enable attackers to add users or take control of devices.

Owners of affected models are strongly advised to keep their TVs behind a router, enable automatic updates, and regularly check for updates in the TV settings.

Conclusion

The vulnerabilities in LG smart TVs highlight the importance of prompt security patching and regular updates to protect against potential attacks. Owners of affected models should take necessary precautions to secure their devices and prevent unauthorized access.

References

[1] https://www.infosecurity-magazine.com/news/lg-tv-vulnerabilities-expose-91000/
[2] https://www.techradar.com/pro/lg-tvs-could-be-hacked-to-let-criminals-spy-on-you-experts-warn
[3] https://www.helpnetsecurity.com/2024/04/09/lg-smart-tvs-webos-vulnerabilities/
[4] https://www.securitynewspaper.com/2024/04/09/how-to-hack-a-lg-smart-tv-via-vulnerabilities-in-lg-webos/
[5] https://securityaffairs.com/161651/hacking/lg-smart-tvs-vulnerable.html
[6] https://arstechnica.com/security/2024/04/patches-released-for-as-many-as-91000-hackable-lg-tvs-exposed-to-the-internet/
[7] https://securitynews.neuracyb.com/lg-smart-tvs-exposed-vulnerabilities-grant-root-access-to-hackers/
[8] https://www.darkreading.com/vulnerabilities-threats/researchers-discover-thousands-of-lg-smart-tvs-at-risk-of-attacks