Is Your LG Smart TV an Open Door for Hackers? Bitdefender Exposes Startling Security Flaws

Your LG TV isn’t just smart, it’s a smart target for hackers! With glaring security gaps, your binge-watching buddy could turn into a cybercriminal’s dream. Patch up and stay secure—your couch potato days depend on it! #LGWebOSTVsecurity

Hot Take:

Who knew your binge-watching binges could be a hacker’s paradise? LG TVs are apparently not just smart—they’re also ‘smart’ enough to potentially welcome cyber intruders into your living room. With a dash of hacking skills, one can apparently turn from watching sitcoms to sitcom-level security scenarios. Time to update your TV’s resume with a new skill: vulnerability virtuoso!

Key Points:

  • LG TV’s WebOS versions 4 to 7 are like Swiss cheese for hackers, full of holes to exploit.
  • A staggering 91,000 devices could be playing “Welcome to My House” for hackers thanks to internet exposure.
  • A single variable tweak turns hackers into TV users, giving “guest appearance” a whole new meaning.
  • Four CVE-listed vulnerabilities could lead to a command performance by cybercriminals.
  • LG issued a patch faster than you can say “streaming service subscription,” so check your TV’s OS version stat.

Title: Command injection in the processAnalyticsReport method from the com.webos.service.cloudupload service
CVE ID: CVE-2023-6318
CVE state: PUBLISHED
CVE assigner short name: Bitdefender
CVE date updated: 04/09/2024
CVE description: A command injection vulnerability exists in the processAnalyticsReport method from the com.webos.service.cloudupload service on webOS version 5 through 7. A series of specially crafted requests can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability. Full versions and TV models affected:

  • webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
  • webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
  • webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA

Title: Command injection in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint
CVE ID: CVE-2023-6320
CVE state: PUBLISHED
CVE assigner short name: Bitdefender
CVE date updated: 04/09/2024
CVE description: A command injection vulnerability exists in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint on webOS versions 5 and 6. A series of specially crafted requests can lead to command execution as the dbus user. An attacker can make authenticated requests to trigger this vulnerability. Full versions and TV models affected:

  • webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
  • webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB

Title: PIN/prompt bypass on the secondscreen.gateway service allows access to the SSAP API without user interaction
CVE ID: CVE-2023-6317
CVE state: PUBLISHED
CVE assigner short name: Bitdefender
CVE date updated: 04/09/2024
CVE description: A prompt bypass exists in the secondscreen.gateway service running on webOS version 4 through 7. An attacker can create a privileged account without asking the user for the security PIN. Full versions and TV models affected:

  • webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA
  • webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
  • webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
  • webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA

Title: Command injection in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service
CVE ID: CVE-2023-6319
CVE state: PUBLISHED
CVE assigner short name: Bitdefender
CVE date updated: 04/09/2024
CVE description: A command injection vulnerability exists in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service on webOS version 4 through 7. A series of specially crafted requests can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability.

  • webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA
  • webOS 5.5.0 - 04.50.51 running on OLED55CXPUA
  • webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
  • webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA

Need to know more?

No Channel is Safe:

It turns out the biggest threat to your digital safety might just be that massive flat-screen you've been Netflix-and-chilling with. Bitdefender's digital detectives have unearthed a TV drama of their own, revealing that LG's WebOS might as well stand for "Welcoming Entry Open to Saboteurs." With vulnerabilities that could let hackers add themselves as users quicker than you can lose the remote in the couch cushions, it's a plot twist no one saw coming.

A Vulnerability Quartet:

Just when you thought it was safe to go back into the smart home waters, these vulnerabilities come in like a four-part harmony of cyber threats. From bypassing authorization with the elegance of a prime-time heist to command injections that make your TV perform like a trained seal, it's no wonder over 91,000 devices are at risk of becoming hackers' new playgrounds.

Updating: More Than Just Your Watchlist:

If you've been diligent about keeping your TV's firmware as fresh as the latest streaming hits, you might be in the clear. LG has released a patch quicker than a showrunner squashing plot leaks. So, if your TV's operating system is sporting a version number that's looking a bit last season, it's time for an upgrade before your TV gets cast in a hacker's spinoff.
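
For anyone managing more than one set, the version check can be scripted. The sketch below is an added example, not code from Bitdefender, LG or the original article: it parses version strings in the format the CVE records above use and lists which of the four CVEs cover each webOS major version. The inventory is constructed, and because the page does not name the fixed firmware builds, a match means "confirm the update was installed", not "vulnerable".

```python
import re

# Affected webOS major versions, taken from the CVE descriptions on this page.
AFFECTED = {
    "CVE-2023-6317": range(4, 8),  # secondscreen.gateway prompt bypass: webOS 4-7
    "CVE-2023-6318": range(5, 8),  # cloudupload processAnalyticsReport: webOS 5-7
    "CVE-2023-6319": range(4, 8),  # attachedstoragemanager getAudioMetadata: webOS 4-7
    "CVE-2023-6320": range(5, 7),  # connectionmanager setVlanStaticAddress: webOS 5-6
}

# Matches e.g. "webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50"
VERSION_RE = re.compile(
    r"webOS\s+(?P<major>\d+)\.\d+\.\d+\S*(?:\s+\([^)]*\))?"
    r"\s+-\s+(?P<firmware>\d+\.\d+\.\d+)", re.IGNORECASE)

def parse_version(text):
    """Return (webOS major version, firmware string), or None if unparsable."""
    m = VERSION_RE.search(text)
    return (int(m["major"]), m["firmware"]) if m else None

def applicable_cves(text):
    """CVE ids whose affected range covers this version; None if unparsable."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    return sorted(cve for cve, majors in AFFECTED.items() if parsed[0] in majors)

def triage(inventory):
    """Map each host to a verdict; unparsable entries are never reported as OK."""
    report = {}
    for host, version in inventory.items():
        cves = applicable_cves(version)
        if cves is None:
            report[host] = "UNKNOWN: version string not recognised, check manually"
        elif cves:
            report[host] = "REVIEW: confirm LG update covers " + ", ".join(cves)
        else:
            report[host] = "OK: outside the ranges listed for these four CVEs"
    return report

# Constructed inventory (hostnames and the webOS 3 entry are made up).
SAMPLE = {
    "lobby-tv": "webOS 4.9.7 - 5.30.40",
    "boardroom-tv": "webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50",
    "old-tv": "webOS 3.4.0 - 05.80.10",
    "kiosk": "firmware unknown",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict}")
```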

Meet Benedict, the Cyber Scribe:

Our storyteller of digital perils is none other than Benedict Collins, a man who traded ice hockey live streams for live cyber-attack feeds. With a background that reads like a character from a techno-thriller, he’s equipped with a BA in Politics with Journalism and an MA in Security, Intelligence, and Diplomacy. When Benedict isn't decoding the latest cyber espionage, he's probably in a pub garden, contemplating the geopolitics of his pint.

Tags: CVE-2023-6317, CVE-2023-6318, CVE-2023-6319, CVE-2023-6320, Firmware Patch Update, IoT security risks, LG Smart TV Vulnerability