Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Thousands of LG TVs Possibly Exposed to Remote Hacking

Many LG TVs may be vulnerable to remote hacking due to a series of vulnerabilities found by Bitdefender researchers.

Researchers at cybersecurity firm Bitdefender have identified several vulnerabilities that can allow malicious actors to remotely hack LG TVs powered by the electronics giant’s WebOS operating system.

A total of four security holes have been found in WebOS versions 4 through 7. One of the flaws, CVE-2023-6317, can be exploited to bypass authorization and add a new user to the targeted TV.

This access can then be chained with another vulnerability, CVE-2023-6318, to elevate privileges to root and take full control of the device. Two other vulnerabilities, CVE-2023-6319 and CVE-2023-6320, allow arbitrary command injection.

An attacker could exploit these flaws to drop malware, snoop on traffic, or move laterally across the network housing the compromised TV, Bitdefender said.

It’s also not uncommon for smart TVs to be targeted in cybercrime operations, such as the long-running Bigpanzi botnet operation

While the vulnerable service should only be accessible over the local area network, a Shodan search reveals roughly 90,000 internet-exposed instances, many of which could be vulnerable to attacks. 

More than 47,000 results are in South Korea, followed at a distance by Hong Kong (7,500), the United States (6,800), and Sweden and Finland (6,000 each). 

LG was informed about the vulnerabilities in early November 2023 and released patches in March 2024. The vendor does have a web page dedicated to TV security bulletins, but it does not appear to have published an advisory for these flaws. 

Advertisement. Scroll to continue reading.

LG TVs running WebOS do have an automatic update feature so the patches may have already been delivered to many devices.

Related: Massive Android Botnet Hits Smart TV Ad Ecosystem

Related: LG Promises Three Years of OS Updates for Premium Android Smartphones

Related: Google Patches Chromecast Vulnerabilities Exploited at Hacking Contest

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights