Bitdefender has uncovered four vulnerabilities in LG smart TVs running on WebOS, the operating system used by LG TVs. These vulnerabilities could allow attackers to gain unauthorized access and control over affected TV models, including authorization bypasses, privilege escalation, and command injection. The vulnerabilities stem from the ability to create arbitrary accounts on the device via a service running on ports 3000/3001, originally designed for smartphone connectivity using a PIN.
The vulnerabilities, collectively labeled as CVE-2023-6317 through CVE-2023-6320, pose significant risks to LG smart TV users, as they allow attackers to bypass authorization mechanisms, gain root access, and execute arbitrary commands on the operating system. Despite the intended use of the vulnerable LG WebOS service in local area networks (LAN) settings only, Bitdefender’s internet scans via Shodan have revealed approximately 91,000 exposed devices that could potentially fall victim to these flaws.
The impacted LG smart TV models include those running WebOS versions 4.9.7 to 5.30.40, 04.50.51 to 5.5.0, 0.36.50 to 6.3.3-442, and 03.33.85 to 7.3.1-43. Despite Bitdefender’s report to LG in November 2023, it took until March 2024 for LG to release the necessary security updates addressing these vulnerabilities. Users of affected LG smart TVs are advised to promptly apply the updates by navigating to the TV’s Settings > Support > Software Update menu and selecting “Check for Update.”
While smart TVs may not be perceived as high-value targets for attackers, the potential risks posed by these vulnerabilities are significant. Exploitation could lead to remote command execution, enabling attackers to pivot to more sensitive devices on the network. Additionally, compromised smart TVs could be utilized in botnets for distributed denial-of-service (DDoS) attacks or even for cryptomining, highlighting the importance of promptly addressing security vulnerabilities in internet-connected devices.
