PSA: Owners of four LG TV models should check the settings menu for a new software update. The patch fixes a series of vulnerabilities that could give attackers total control over the device. Although the initial hack requires access to the user's home network, further exploitation could occur remotely. Nearly 100,000 TVs could be affected.

Security researchers at Bitdefender have discovered four severe vulnerabilities affecting four LG smart TVs. The company recently issued updates to fix the issues, which could grant attackers root access to the webOS operating system, allowing them to assume full control over a TV.

According to Shodan, a search engine for internet-connected devices, around 91,000 TVs are potentially vulnerable. Over half are located in South Korea, but thousands are also used in Hong Kong, the US, Sweden, and other countries. The vulnerabilities affect features that are normally reachable only over the local network, but hackers can expose them to the open internet.

The affected models are listed below:

  • LG43UM7000PLA running OS versions 4.9.7 to 5.30.40
  • OLED55CXPUA running OS versions 5.5.0 to 04.50.51
  • OLED48C1PUB running OS versions 6.3.3-442 to 03.35.50
  • OLED55A23LA running OS versions 7.31-43 to 0.3.33.85

Hackers would need to exploit one of the vulnerabilities before the other three. The first, tracked as CVE-2023-6317, allows an attacker to create a new user account on the TV with high privileges without entering a PIN.

Creating an account requires using LG's ThinQ mobile app on the same network as the TV, so prospective attackers first need access to a target's Wi-Fi network. However, establishing the account enables the other exploits to be used remotely.

From there, CVE-2023-6318 can allow someone to perform remote code execution and gain root access by sending certain requests. Meanwhile, CVE-2023-6319 makes command injection possible by manipulating the system the TV uses for displaying song lyrics. The last vulnerability, CVE-2023-6320, can enable remote code execution as the dbus user through specific requests.

Those using the impacted TVs should look for a firmware update in the settings menu. Updated software can also be found by looking up each model number on LG's support site and selecting "Manual & Software" on the bottom menu.

Internet-connected household appliances can provide hackers with an often-ignored attack surface, as they can suffer from severe vulnerabilities. For example, last year, researchers found that TP-Link smart light bulbs could leak Wi-Fi passwords.