Critical LG TV bug allows complete device takeover

LG WebOS, the operating system running LG TVs, has been found to harbor several flaws, some of which allow attackers to take over the device, severely impacting user security.

Researchers at Bitdefender discovered vulnerabilities affecting LG WebOS TV versions 4 through 7 that allowed them to completely take over affected TVs, install malware, and steal data.

“Although the vulnerable service is intended for LAN access only, Shodan, the search engine for internet-connected devices, identified over 91,000 devices that expose this service to the internet,” researchers said.

Most of the impacted devices, a tad over 50,000, were discovered in South Korea. Another 7,500 impacted LG TVs were found in Hong Kong, 6,800 in the US, 6,300 in Sweden and Finland, as well as 3,400 in Latvia.

The impacted TV models are:

  • webOS 4.9.7-5.30.40 running on LG43UM7000PLA
  • webOS 5.5.0-04.50.51 running on OLED55CXPUA
  • webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB
  • webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA

One of the flaws, tracked as CVE-2023-6317, allows attackers to bypass authorization and set up an extra user on the TV set. Another bug, CVE-2023-6318, permits attackers to build on the first one by elevating their privileges on the device.

The third vulnerability that researchers discovered, CVE-2023-6319, allows attackers to inject commands into the OS by “manipulating a library responsible for showing music lyrics.”

Lastly, CVE-2023-6320 permits attackers to inject authentication commands by manipulating application programming interface (API) endpoints.

Bitdefender informed LG about the issue in early November 2023, with the company issuing a patch for all of the vulnerabilities on March 22nd, 2024.

The researchers provide a full attack analysis in their technical summary of the vulnerabilities. LG TV owners with affected devices and OS versions are advised to check their OS version and update to the latest one.
