Thousands of LG Smart TVs Vulnerable to Root Access Security Flaws
Security researchers have discovered four vulnerabilities affecting various versions of webOS, which is used in LG Smart TVs. Learn about the nature of these flaws and the risks arising from them.
- Security researchers from Bitdefender have discovered four vulnerabilities in LG’s webOS that impact multiple versions of the company’s smart TV portfolio.
- The flaws have reportedly left over 90,000 devices vulnerable to remote attacks.
Security researchers from Bitdefender have disclosed multiple vulnerabilities in LG webOS, the operating system used on many models in the company’s Smart TV portfolio. Bad actors could use the flaws to gain root access and bypass authorization measures on such devices. The vulnerabilities were first discovered in November 2023 and were finally fixed by LG in late March this year.
The vulnerabilities, designated CVE-2023-6317, CVE-2023-6318, CVE-2023-6319, and CVE-2023-6320, are usually exploited over the local network (LAN). According to the Bitdefender report, over 90,000 devices are expected to be susceptible to these flaws. The vulnerabilities combine authentication bypass, command injection, and privilege escalation bugs.
CVE-2023-6317 allows authorization mechanisms to be bypassed by setting a variable, while CVE-2023-6318 enables privilege escalation to root access. CVE-2023-6319 and CVE-2023-6320, on the other hand, allow command injection through a music lyrics library and API endpoints.
Threat actors can conduct remote attacks by creating accounts on the device using an LG service that allows smartphone connectivity through a PIN. Consequently, Smart TVs could be used as a medium to hijack TV applications, create malware botnets, and reach other sensitive devices that are connected to the same network.
The flaws impact numerous webOS versions, including webOS 4.9.7-5.30.40 running on the LG43UM7000PLA, webOS 5.5.0-04.50.51 running on the OLED55CXPUA, webOS 6.3.3-442 (kisscurl-kinglake)-03.36.50 running on the OLED48C1PUB, and webOS 7.3.1-43 (mullet-mebin)-03.33.85 running on the OLED55A23LA. Users are advised to update their smart TVs to the latest version to mitigate such threats.