LG Smart TVs at Risk: Vulnerabilities Exposed

Researchers from Bitdefender have identified four vulnerabilities in several versions of WebOS, the operating system utilized in LG smart TVs. These flaws enable cybercriminals to gain unauthorized access and control over the devices at various levels, including bypassing authorization, elevating privileges, and injecting commands.

The vulnerabilities stem from the ability to create arbitrary accounts on the device through a service listening on ports 3000/3001, which is intended for pairing smartphones via a PIN code. Internet scans have revealed 91,000 devices that expose this service online and are potentially vulnerable to these weaknesses.

The identified security deficiencies include:

  • CVE-2023-6317: A bypass of the television’s authorization mechanism, allowing the addition of an extra user without proper authorization (CVSS score 7.2);
  • CVE-2023-6318: Privilege elevation to root level after initial access is gained (CVSS score 9.1);
  • CVE-2023-6319: Injection of operating system commands by manipulating a library responsible for displaying song lyrics (CVSS score 9.1);
  • CVE-2023-6320: Authenticated execution of commands as the dbus user, whose privileges are akin to root (CVSS score 9.1).

The vulnerabilities affect specific versions of the WebOS operating system on the following TV models:

  • WebOS from 4.9.7 to 5.30.40 on LG43UM7000PLA;
  • WebOS from 04.50.51 to 5.5.0 on OLED55CXPUA;
  • WebOS from 0.36.50 to 6.3.3-442 on OLED48C1PUB;
  • WebOS from 03.33.85 to 7.3.1-43 on OLED55A23LA.

Bitdefender notified LG of these flaws on November 1, 2023. However, it was only after more than four months, on March 22, 2024, that the company released the corresponding security updates.

Although LG TVs notify users about important WebOS updates, installation can be postponed indefinitely. Experts therefore recommend immediately applying all available updates through the TV’s settings menu.

While TVs are not usually considered critical assets in terms of digital security, the possibility of remote command execution remains a significant threat, as it could give attackers a foothold for further attacks on other devices in the same network.

Moreover, attackers could steal credentials for streaming services or other applications stored on the device.

Additionally, vulnerable TVs could be used to disseminate malware, participate in DDoS attacks, or for cryptocurrency mining, directly affecting their performance and, over prolonged periods of exploitation, their longevity.