Who’s Afraid of a Little Old TV? Well You Should Be (Patching It)


The news hit the headlines on a cool, rainy April 2024 morning. I grabbed my sweater.

Bitdefender was the first to report the four security vulnerabilities discovered in LG’s WebOS TV operating system, allowing a potential cyber attacker to gain root access to the TV after bypassing the proper authorization. 

The second paragraph of the Bitdefender article featured a Shodan[.]io search result that raised eyebrows; see below. If you have not heard of Shodan before, it’s an easy way for both vigilantes and cyber criminals fresh out the slammer to find internet-facing devices:

“Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet.”




Figure: Shodan[.]io results from the Bitdefender article published April 9, 2024

Nothing like a little Shodan[.]io result to get the tires screeching! The magazines grabbed the story:

“LG Smart TVs at Risk of Attacks, Thanks to 4 OS Vulnerabilities” (Dark Reading)

“Thousands of LG TVs are vulnerable to takeover—here’s how to ensure yours isn’t” (Ars Technica)

Consider the scenario of an AV integration technician falling victim to a cyber attack. This individual, often working late at night or over the weekends, may have unsupervised access to an LG TV that is about to be installed. Exploiting the first of the vulnerabilities (CVE-2023-6317), the attacker can take control of the TV through a smartphone app, bypass the security PIN and add a privileged user to the TV set. The second vulnerability (CVE-2023-6318) allows the attacker to elevate the new user to root-level access, potentially leading to significant security breaches.

For more information on what root is and why it’s bad to log in as root, check this out:


With root access and the third vulnerability (CVE-2023-6319), the attacker can inject OS-level commands, in this case, by manipulating a library for showing music lyrics. Basically, the hacker is turning the music library lyrics into their own little Tortured Poets Department, but instead of using a typewriter, they are injecting (pasting) operating system-level commands into the library. 


The final vulnerability, CVE-2023-6320, allows a would-be attacker to inject authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress application interface. This could allow the attacker to leave a backdoor for access from outside. Or, they could leave code that would allow for network scanning for any other insecure devices.

Even if the TV is not on the client network, it could be programmed to record screen captures of meetings or presentations and then appear to fail after a few months, using a logic bomb. A service call is then placed, the TV gets replaced and the stolen screenshots walk right out the door. 

Before you get all down bad crying in the rack room, there is good news: I can fix it (no really I can). 

Because (drumroll, please) LG TV security updates/patches are readily available!  

I want to give kudos to the LG Product Security Response Center (PSRC) for working with the security researchers and issuing automatic and manual security patches for this flat panel WebOS vulnerability before it was made public. But, they also made it clear there are some limitations:

“Our TVs are also increasingly connected to the internet. We provide software and security updates at least once a year for a minimum period of 2 years after the product launch. The security update period for the product is five years from the webOS platform launch date.”

If you own an LG TV from 2019 onwards, you should make sure you download the latest software update. They have determined it affects most LG TV models. It may be necessary to perform a software update to reflect the latest security patches if you are unboxing it for the very first time.

