As many as 91,000 LG TVs face the risk of being commandeered unless they receive a just-released security update patching four critical vulnerabilities discovered late last year.
The vulnerabilities are found in four LG TV models that collectively comprise slightly more than 88,000 units around the world, according to results returned by the Shodan search engine for Internet-connected devices. The vast majority of those units are located in South Korea, followed by Hong Kong, the US, Sweden, and Finland. The models are:
- LG43UM7000PLA running webOS 4.9.7 – 5.30.40
- OLED55CXPUA running webOS 5.5.0 – 04.50.51
- OLED48C1PUB running webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50
- OLED55A23LA running webOS 7.3.1-43 (mullet-mebin) – 03.33.85
Starting Wednesday, updates are available through these devices’ settings menu.
Got root?
According to Bitdefender—the security firm that discovered the vulnerabilities—malicious hackers can exploit them to gain root access to the devices and inject commands that run at the OS level. The vulnerabilities, which affect internal services that allow users to control their sets using their phones, make it possible for attackers to bypass authentication measures designed to ensure only authorized devices can make use of the capabilities.
“These vulnerabilities let us gain root access on the TV after bypassing the authorization mechanism,” Bitdefender researchers wrote Tuesday. “Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet.”
The key vulnerability making these threats possible resides in a service that allows TVs to be controlled using LG’s ThinkQ smartphone app when it’s connected to the same local network. The service is designed to require the user to enter a PIN code to prove authorization, but an error allows someone to skip this verification step and become a privileged user. This vulnerability is tracked as CVE-2023-6317.
Once attackers have gained this level of control, they can go on to exploit three other vulnerabilities, specifically:
- CVE-2023-6318, which allows the attackers to elevate their access to root
- CVE-2023-6319, which allows for the injection of OS commands by manipulating a library for showing music lyrics
- CVE-2023-6320, which lets an attacker inject authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress application interface.