The flaw was discovered by researchers from Check Point in the user authentication method between the SmartThinQ portable app and LG’s back-end platform. This applicability allows users to remotely control different purposes of their appliances, including turning them on and off. For example, users can preheat their furnace or start their AC unit before they get home, can check their smart fridge inventory before stopping by the supermarket or can see when their laundry machine finished a cycle.
The flaw, which Check Point called HomeHack, was privately reported to LG in July and was quietly patched at the end of September. It allowed attackers to easily hijack people’s SmartThinQ records and gain control over their linked means by knowing only their email addresses.
To pull off the attack, hackers would have required modifying LG’s app on their own device in order to cripple some security checks and then manage the log-in process to use the victim’s username their email address instead of their own, the Check Point researchers said in a statement released today. This process did not require the victim to click on anything, nor would it have alerted them of any questionable activity.
They decided to show the risks posed by the vulnerability by taking controller of an LG Hom-Bot, a robotic vacuum cleaner that doubles as a home security agent. The device is provided with a security camera and motion detection sensors.
The researchers created a video to show how easily the device could be used to spy on users and their homes. According to some reports, LG has sold has sold over 1 million units of Hom-Bot vacuum cleansers to date, but not all models might have the HomeGuard protection monitoring functionality.
“This vulnerability highlights the potential for smart home devices to be employed, either to spy on homeowners and users and steal data or to use those devices as a platform post for further attacks, such as spamming, denial of service or spreading malware,” the Check Point researchers said in the report.