Several security vulnerabilities have been identified in LG webOS, the operating system running on LG smart TVs. They could be exploited to bypass authorization controls and gain root access to the devices. Romanian cybersecurity firm Bitdefender discovered the vulnerabilities in November 2023, and LG released updates on March 22, 2024, to address them.
LG Smart TV Vulnerabilities: Affected webOS Versions and Models
The vulnerabilities, tracked under CVE-2023-6317 through CVE-2023-6320, affect the following versions of webOS on different LG smart TV models:
- webOS 4.9.7 – 5.30.40 on LG43UM7000PLA
- webOS 5.5.0 – 04.50.51 on OLED55CXPUA
- webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 on OLED48C1PUB
- webOS 7.3.1-43 (mullet-mebin) – 03.33.85 on OLED55A23LA
According to media reports, these vulnerabilities pose the following risks to affected devices:
- CVE-2023-6317 – This vulnerability allows attackers to bypass PIN verification and add a privileged user profile to the TV set without user interaction. Unauthorized access to the TV’s system can lead to further exploitation.
- CVE-2023-6318 – By exploiting this vulnerability, attackers can elevate their privileges to gain root access and take full control of the device. This increases the potential for severe security breaches.
- CVE-2023-6319 – This issue enables attackers to inject operating system commands by manipulating a library called ASM, which is responsible for displaying music lyrics. Such injection could lead to further unauthorized control of the device.
- CVE-2023-6320 – This vulnerability allows for the injection of authenticated commands through manipulation of the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint. This can be exploited to run arbitrary commands as the dbus user.
Cyber Threats To LG Televisions
Exploiting these flaws could give attackers elevated permissions on the affected device, and the vulnerabilities can be chained to gain root access or execute arbitrary commands. For instance, CVE-2023-6317 and CVE-2023-6318 can be used together to obtain root access, while CVE-2023-6320 could lead to running arbitrary commands as the dbus user.
According to Bitdefender, more than 91,000 devices expose these vulnerabilities to the internet, including a significant number in South Korea, Hong Kong, the U.S., Sweden, Finland, and Latvia. This exposure increases the risk of attacks, as compromised smart TVs could be used as starting points for additional attacks against remote systems or hosts.
Mitigation Recommendations
To minimize the risks posed by these LG TV security vulnerabilities, smart TV owners are advised to take the following steps:
- Keep the TV behind a router – Avoid connecting the TV directly to the internet. Placing the TV behind a router reduces the likelihood of unauthorized remote access.
- Enable automatic updates – Turn on the automatic update option on the TV to ensure that vendor patches are applied promptly, addressing potential LG TV security issues.
- Be cautious with online activities – Users should be mindful of the apps and services they access through their smart TVs, as these can also present vulnerabilities.
Conclusion
The vulnerabilities discovered in LG webOS smart TVs highlight the importance of regularly updating smart devices and practicing safe online habits. Taking the recommended steps can help protect against potential exploitation and maintain the security of users’ private information.
The sources for this piece include articles in The Hacker News and Infosecurity Magazine.
The post LG Smart TV Vulnerabilities: 91K Devices At Root Access Risk appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/lg-smart-tv-vulnerabilities/