Researchers at cybersecurity firm Bitdefender have identified several vulnerabilities that can allow malicious actors to remotely hack LG TVs powered by the electronics giant’s WebOS operating system.
A total of four security holes have been found in WebOS versions 4 through 7. One of the flaws, CVE-2023-6317, can be exploited to bypass authorization and add a new user to the targeted TV.
This access can then be chained with another vulnerability, CVE-2023-6318, to elevate privileges to root and take full control of the device. Two other vulnerabilities, CVE-2023-6319 and CVE-2023-6320, allow arbitrary command injection.
An attacker could exploit these flaws to drop malware, snoop on traffic, or move laterally across the network housing the compromised TV, Bitdefender said.
It’s also not uncommon for smart TVs to be targeted in cybercrime operations, such as the long-running Bigpanzi botnet operation.
While the vulnerable service should only be accessible over the local area network, a Shodan search reveals roughly 90,000 internet-exposed instances, many of which could be vulnerable to attacks.
More than 47,000 results are in South Korea, followed at a distance by Hong Kong (7,500), the United States (6,800), and Sweden and Finland (6,000 each).
LG was informed about the vulnerabilities in early November 2023 and released patches in March 2024. The vendor does have a web page dedicated to TV security bulletins, but it does not appear to have published an advisory for these flaws.
LG TVs running WebOS do have an automatic update feature so the patches may have already been delivered to many devices.
Related: Massive Android Botnet Hits Smart TV Ad Ecosystem
Related: LG Promises Three Years of OS Updates for Premium Android Smartphones
Related: Google Patches Chromecast Vulnerabilities Exploited at Hacking Contest
