LG has updated its software after security researchers spotted a flaw that allowed them to gain control of devices like refrigerators, ovens, dishwashers, and even access the live feed from a robot vacuum cleaner.
The vulnerability, dubbed HomeHack, potentially affects millions of LG SmartThinQ home appliances. It was uncovered by researchers at Check Point, who found that the mobile app and cloud application associated with the IoT devices allowed them to remotely gain control of the connected appliances.
The researchers uncovered a flaw in the mobile app's authentication process and in the way the app interacts with the LG infrastructure that sits between the apps and the devices.
In total, there are four stages in the process: an authentication request, which verifies the user's credentials; a signature request, which creates a signature based on the username from the authentication request; a token request, which uses the signature response as a header and the username as a parameter to obtain an access token for the user account; and the login request, which then takes place using that token.
Researchers found there was no direct dependency between the authentication request and the signature or token request, ultimately allowing attackers to make up a fake username and use it to take over a legitimate LG account and gain control of its appliances. All an attacker needs in order to target a specific individual's devices is that person's email address.
Settings could be changed on the hacked devices, or they could be turned on or off.
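The missing binding described above, modelled as an added example (this is not LG's or Check Point's code; the server key, the accounts and the class and function names are all constructed for illustration): the weak variant issues a signature for whatever username the request names, while the hardened variant refuses unless that username matches the identity proven in the authentication step.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"demo-server-key"                  # constructed stand-in for the service secret
USERS = {"attacker@example.com": "pw-attacker",  # constructed accounts
         "victim@example.com": "pw-victim"}


class LoginService:
    """Toy back end; bind_to_session=False reproduces the missing dependency."""

    def __init__(self, bind_to_session):
        self.bind_to_session = bind_to_session
        self.sessions = {}  # session id -> username proven in step 1

    def authenticate(self, username, password):
        """Step 1: verify credentials and open a session."""
        if USERS.get(username) != password:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = username
        return sid

    def sign(self, sid, username):
        """Step 2: sign the username. The weak variant trusts the request
        parameter and never checks it against the authenticated session."""
        if self.bind_to_session and self.sessions.get(sid) != username:
            raise PermissionError("username does not match the session")
        return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()

    def token(self, signature, username):
        """Step 3: signature in the header, username as parameter, token out."""
        expected = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(signature, expected):
            raise PermissionError("bad signature")
        return "token:" + username


def run_flow(service, login_user, password, requested_user):
    """Steps 1-3 with a chosen username; returns the token or None if refused."""
    sid = service.authenticate(login_user, password)
    if sid is None:
        return None
    try:
        return service.token(service.sign(sid, requested_user), requested_user)
    except PermissionError:
        return None
```

The check that closes the gap is the single comparison in `sign`: the username a token is issued for must be the one the credentials proved, not the one the request supplies.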
“As more and more smart devices are being used in the home, hackers will shift their focus from targeting individual devices, to hacking the apps that control networks of devices. This provides cyber criminals with even more opportunities to exploit software flaws, cause disruption in users’ homes and access their sensitive data,” said Oded Vanunu, head of products vulnerability research at Check Point.
The vulnerability only applied to the LG SmartThinQ ecosystem; researchers say it wouldn't be possible for attackers to use the flaw to access non-LG devices on the network.
Researchers disclosed the vulnerability to LG in July and the appliance manufacturer issued an update to fix it in September.
“Effective September 29th the security system has been running the updated 1.9.20 version smoothly and issue-free. LG Electronics plans to continue strengthening its software security systems as well as work with cyber-security solution providers like Check Point to provide safer and more convenient appliances,” said Koonseok Lee, manager of the smart development team at LG Electronics.
To ensure that their devices can’t be remotely compromised, users must update to the latest software versions of the appliances and the apps.