LG TV owners should update their firmware, webOS vulnerability found in a few models

Daniel Sims

PSA: Owners of four LG TV models should check the settings menu for a new software update. The patch fixes a series of vulnerabilities that could give attackers total control over the device. Although the initial hack requires access to the user's home network, further exploitation could occur remotely. Nearly 100,000 TVs could be affected.

Security researchers at Bitdefender have discovered four severe vulnerabilities affecting four LG smart TVs. The company recently issued updates to fix the issues, which could grant attackers root access to the webOS operating system, allowing them to assume full control over a TV.

According to Shodan, a search engine for internet-connected devices, around 91,000 TVs are potentially vulnerable. Over half are located in South Korea, but thousands are also used in Hong Kong, the US, Sweden, and other countries. The vulnerabilities impact features that are normally accessible only on local networks, but hackers can expose them to the open internet.

The affected models are listed below:

  • LG43UM7000PLA running OS versions 4.9.7 to 5.30.40
  • OLED55CXPUA running OS versions 5.5.0 to 04.50.51
  • OLED48C1PUB running OS versions 6.3.3-442 to 03.35.50
  • OLED55A23LA running OS versions 7.31-43 to 0.3.33.85

Hackers would need to exploit one of the vulnerabilities before the other three. The first step, dubbed CVE-2023-6317, allows an attacker to create a new user account on the TV with high privileges without entering a PIN.

Creating an account requires using LG's ThinQ mobile app on the same network as the TV, thus requiring prospective attackers to access a target's Wi-Fi network. However, establishing the account enables the other exploits to be used remotely.

From there, CVE-2023-6318 can allow someone to perform remote code execution and gain root access by sending certain requests. Meanwhile, CVE-2023-6319 makes command injection possible by manipulating the system the TV uses for displaying song lyrics. The last vulnerability, CVE-2023-6320, can enable remote code execution as a dbus user through specific requests.

Those using the impacted TVs should look for a firmware update in the settings menu. Updated software can also be found by looking up each model number on LG's support site and selecting "Manual & Software" on the bottom menu.

Internet-connected household appliances can provide hackers with an often-ignored attack surface, as they can suffer from severe vulnerabilities. For example, last year, researchers found that TP-Link smart light bulbs could leak Wi-Fi passwords.

 
Some users may not want to update their device as gaining root access would allow them to sideload their own apps instead of the many lame ones installed by LG. It would also allow them to remove apps they don't like or use. Users intelligent enough to root their TVs are usually smart enough to firewall them as well.
 
WebOS is such a steaming pile of crap, I would use Google TV or Apple TV 4K to supply the smarts to any LG (or Scamsung) TV I purchased.
Yeah, you know WebOS is actually a direct descendant of the old PalmOS (from Palm Pilots?) I have no idea why LG uses it; but HP bought PalmOS years back, and for whatever reason LG decided to use it for their TVs.
 
I liked webos when I bought my lg tv some years ago. That was until, after an update, I could not use my tv without accepting a new EULA allowing them to track my usage and deliver me "promotional content"; reverting the update was not an option. Since then, my lg smart tv became a dumb tv and my media center handles the rest.
 
Alright so I don't know what people feel about TV OS but whenever I'm doing TV shopping, I literally can't find any normal dumb TV anymore. I know Samsung always puts TizenOS on their TVs, LG puts WebOS and many other Chinese manufacturers such as TCL and Hisense mostly use Android TV OS. I've just found out that there is another OS called VidaaOS on a budget TV.

I seriously don't know how well all of these could be maintained in the near future. Or rather, would the devs want to keep supporting the old platform? I used my TV with a computer so there's no need for any OS; as a matter of fact, I didn't bother to connect my TV to the network.
 
I liked webos when I bought my lg tv some years ago. That was until, after an update, I could not use my tv without accepting a new EULA allowing them to track my usage and deliver me "promotional content"
I called LG personally over that very issue, and they directed me to a (semi) secret setting, allowing me to turn off the feature entirely.
 
Alright so I don't know what people feel about TV OS but whenever I'm doing TV shopping, I literally can't find any normal dumb TV anymore. I know Samsung always puts TizenOS on their TVs, LG puts WebOS and many other Chinese manufacturers such as TCL and Hisense mostly use Android TV OS. I've just found out that there is another OS called VidaaOS on a budget TV.

I seriously don't know how well all of these could be maintained in the near future. Or rather, would the devs want to keep supporting the old platform? I used my TV with a computer so there's no need for any OS; as a matter of fact, I didn't bother to connect my TV to the network.
I can't remember exactly how, but I could disable the smart tv os features and let the tv start like a dumb tv. I think that is the closest you get to one anyway nowadays. I had the same gripe when I bought mine.
 