More than 90,000 LG smart TVs are at risk of being remotely attacked by vulnerabilities in WebOS

Four vulnerabilities in the WebOS operating system running on LG smart TVs have been discovered by Bitdefender security researchers.

By exploiting these vulnerabilities, hackers can gain unauthorized access and control to varying degrees over the affected TV.

Hackers could exploit these vulnerabilities and use a service running on port 3000/3001, currently used to connect smartphones with a PIN, to create arbitrary accounts on the device.

Four vulnerabilities on LG's smart TVs identified by the research team include:

1. CVE-2023-6317: Allows attackers to bypass the TV's permission mechanism and add users without user consent.
2. CVE-2023-6318: Helps hackers gain root access after executing CVE-2023-6317.
3. CVE-2023-6319: Command injection into the operating system and arbitrary command execution.
4. CVE-2023-6320: Exploits the API to execute commands as the dbus user, a permission similar to root.

According to Bitdefender, there are about 91,000 LG devices affected by the vulnerability. Affected versions include:

1. WebOS 4.9.7 - 5.30.40 running on TV series 43UM7000PLA
2. WebOS 04.50.51 - 5.5.0 on OLED55CXPUA TV.
3. WebOS 0.36.50 - 6.3.3-442 on OLED48C1PUB.
4. WebOS 03.33.85 - 7.3.1-43 on OLED48C1PUB, OLED55A23LA.

Bitdefender said it notified LG after discovering the vulnerability late last year. However, it wasn't until the end of March that LG released the first update to fix the problem. Users can go to Settings > Support > Software Update > Check for updates.

LG has not yet commented.

According to Bleeping Computer, bad guys can take advantage of security issues on TVs as a point to attack other devices connected to the same network, steal online accounts, and create botnets (ghost computer networks) for attack methods. Denied DDoS service or silently installed cryptocurrency mining software.

Micah Soto

Update 11 April 2024