Over 90,000 LG Smart TVs may be vulnerable to unauthorized access due to four flaws discovered in multiple versions of the WebOS operating system used by the devices. The following four vulnerabilities stem from the ability to create user accounts on the TV using a native service designed for smartphone connectivity:
- CVE-2023-6317 allows threat actors to bypass the TV's authorization mechanism by exploiting a variable setting, enabling the addition of an unauthorized user account.
- CVE-2023-6318 is an elevation of privilege vulnerability that allows threat actors to achieve root access following the initial unauthorized access provided by CVE-2023-6317.
- CVE-2023-6319 allows command injection by manipulating the library responsible for displaying music lyrics, which could lead to the execution of arbitrary commands.
- CVE-2023-6320 allows threat actors to exploit the 'com.webos.service.connectionmanager/tv/setVlanStaticAddress' API endpoint, enabling authenticated command injection as the 'dbus' user, which has privileges similar to those of the root user.
The vulnerabilities were responsibly disclosed to LG in November 2023; however, LG didn’t release an update to address the security issues until March 2024.
Image 1: Map of exposed LG Smart TVs using potentially vulnerable versions of WebOS. Source: Shodan.io
Source: Bleeping Computer
Analysis
Typically, sensitive information and data aren’t stored on TVs, so the threat of these vulnerabilities leading to data extortion and ransomware attacks is low.
However, the exploitation of these vulnerabilities could give threat actors access to credentials stored on the TV for streaming services (e.g., Netflix, Prime, Disney+, etc.) that could lead to the compromise of these accounts and other accounts that share the same username and passwords.
The most likely outcome is that any TV compromised due to these vulnerabilities will be leveraged for crypto mining activities or added to a botnet designed to conduct distributed denial of service (DDoS) attacks.
According to a report from 2023, compromised Internet of Things (IoT) devices, such as TVs, are responsible for more than 40% of DDoS traffic.
Mitigation
Field Effect's elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software, appliances, and operating systems. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities.
Covalence users were automatically notified if any vulnerable LG TVs were detected in their environment and are encouraged to review these AROs as quickly as possible via the Covalence portal.
Field Effect strongly encourages all users of the affected LG TVs to upgrade to the latest version of WebOS as soon as possible by navigating to the TV's Settings > Support > Software Update, and selecting "Check for Update."
Field Effect also recommends that users enable automatic updates and avoid connecting the TV directly to the open internet unless there is a specific need to do so.