Security researchers at Bitdefender have issued a critical warning: over 90,000 LG smart TVs could be remotely hacked due to flaws in the TV’s WebOS operating system.

The discovered vulnerabilities could allow attackers to gain unauthorized access, potentially leading to sensitive information theft, control of the device, or even spying on users.

Bitdefender explains that although the vulnerable LG WebOS service is supposed to be used only in local area networks (LAN) settings, Shodan internet scans show 91,000 exposed devices that are potentially vulnerable to the flaws.

The four flaws are summarized as follows:

Buy Me a Coffee
  • CVE-2023-6317 allows attackers to bypass the TV’s authorization mechanism by exploiting a variable setting, enabling the addition of an extra user to the TV set without proper authorization.
  • CVE-2023-6318 is an elevation of privilege vulnerability that allows attackers to gain root access following the initial unauthorized access provided by CVE-2023-6317.
  • CVE-2023-6319 involves operating system command injection via manipulation of a library responsible for displaying music lyrics, allowing execution of arbitrary commands.
  • CVE-2023-6320 permits authenticated command injection by exploiting the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint, enabling command execution as the dbus user, which has similar permissions to the root user.

The vulnerabilities impact webOS 4.9.7 – 5.30.40 on LG43UM7000PLA, webOS 04.50.51 – 5.5.0 on OLED55CXPUA, webOS 0.36.50 – 6.3.3-442 on OLED48C1PUB, and webOS 03.33.85 – 7.3.1-43 on OLED55A23LA.

Bitdefender reported its findings to LG on November 1, 2023, but it took the vendor until March 22, 2024, to release the related security updates.

READ
T-Mobile Thwarts Cyberattack Amid Reports of Chinese-Linked Espionage Campaign

LG Smart TV owners should immediately check for software updates and ensure their TV is running the latest version of WebOS.

While LG has patched the vulnerabilities, updates may not be available for all older models. Users are advised to take extra precautions by restricting their TV’s internet access or disabling features that provide remote connectivity.