By: CE Critic - Buy Better Tech

Table of Contents

• Introduction
• Affected LG Smart TV Models
• Vulnerabilities: An Overview
  • CVE-2023-6317: Privilege Escalation
  • CVE-2023-6318 and CVE-2023-6320: Remote Code Execution
  • CVE-2023-6319: Command Injection
• Attack Vectors and Mitigation
• Firmware Updates and Additional Security Considerations
• Conclusion

Introduction

Initially reported by TechSpot, Security researchers at Bitdefender recently identified a chain of four critical vulnerabilities within the webOS operating system of several LG smart television models. These vulnerabilities potentially grant attackers root access, leading to complete control of the affected devices. LG has issued firmware patches; however, immediate action is recommended for owners of vulnerable models.

Affected LG Smart TV Models

The following LG smart TV models are susceptible to the discovered vulnerabilities:

• LG43UM7000PLA (webOS versions 4.9.7 to 5.30.40)
• OLED55CXPUA (webOS versions 5.5.0 to 04.50.51)
• OLED48C1PUB (webOS versions 6.3.3-442 to 03.35.50)
• OLED55A23LA (webOS versions 7.31-43 to 0.3.33.85)

Vulnerabilities: An Overview

The vulnerabilities form an exploit chain, requiring attackers to execute them in sequence for a successful attack.

CVE-2023-6317: Privilege Escalation

The initial vulnerability allows an attacker on the same local network as the target TV to elevate privileges by creating a high-privilege user account without PIN authentication. This leverages the LG ThinQ mobile app.

CVE-2023-6318 and CVE-2023-6320: Remote Code Execution

After establishing the privileged account, these vulnerabilities allow attackers to remotely execute arbitrary code, potentially achieving root-level access to the TV's operating system.

CVE-2023-6319: Command Injection

This vulnerability enables attackers to inject malicious commands by manipulating the TV's functionality for displaying song lyrics.

Attack Vectors and Mitigation

While initial exploitation requires an attacker to be on the same local network as the target TV, the severity lies in the potential for subsequent remote attacks. Approximately 91,000 potentially vulnerable TVs are currently exposed online.

The primary mitigation is to immediately install the firmware updates released by LG. These updates patch the identified vulnerabilities and significantly reduce the risk of exploitation.

Firmware Updates and Additional Security Considerations

1. Update Firmware: Navigate to your LG smart TV's settings menu and check for available firmware updates. If an update is available, install it immediately.

2. Manual Updates: If you cannot find an update through the TV's menu, visit the LG support website (https://www.lg.com/us/support), find your TV model, and download the latest firmware manually.

3. Network Security: Implement strong network security practices:

   • Use a secure Wi-Fi password (WPA2 or WPA3 encryption).
   • Consider network segmentation to isolate smart devices from sensitive devices on your home network.

Conclusion

This incident highlights the importance of keeping smart home devices, including televisions, updated with the latest security patches. Vulnerabilities in connected devices can expose users to a range of risks. Maintaining good network security practices alongside prompt firmware updates is essential to minimizing cybersecurity threats in the evolving landscape of the Internet of Things (IoT).