Security Architecture, Endpoint/Device Security, IoT, Network Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

LG patches app bug that can turn IoT vacuums into robotic spies

LG Electronics has patched a bug in its smart appliance app that can be exploited to gain remote access to devices under its control, including a camera-equipped vacuum that can be abused to spy on its owners.

Users of the LG SmartThinQ app who have not yet updated their software to version 1.9.23 could also have their dishwashers and washing machines turned on or off at will, reports Check Point Software Technologies, in a Thursday blog post authored by researchers Roman Zaikin, Dikla Barda, and Oded Vanunu .

The vulnerability, dubbed HomeHack, exists due to a flawed account login process that doesn't properly connect its steps. This allows attackers to use enter a random username to successfully pass user authentication, before switching to the victim's actual username for the rest of the process, including signature and access token generation.

Check Point explains the exploit process further: "First, the attacker needs to recompile the LG application on the client side, in order to bypass security protections. This enables the traffic between the appliance and the LG server to be intercepted," the blog post explains. "Then, the would-be attacker creates a fake LG account to initiate the login process. By manipulating the login process and entering the victim's email address instead of their own, it was possible to hack into the victim's account and take control of all LG SmartThinQ devices owned by the user..."

Among the impacted devices is the Hom-Bot robot vacuum cleaner, an automated housekeeping device that also sends out security alerts when it detects movement. When homeowners receive such an alert, they can use the app to turn on the vacuum's built-in video camera in order to view a live security feed on their smartphones.

If the app is taken over by hackers, however, then they can access the vacuum's camera to spy on the device's owner, conducting surveillance on his or her house.

Other potentially impacted devices include refrigerators, ovens, dryers, and air conditioners.

LG updated its app software on Sept. 29, two months after Check Point researchers discovered the vulnerability at the end of July.

"Earlier this year LG Electronics teamed up with Check Point Software Technologies to run an advanced rooting process designed to detect security issues in our smart ecosystem and immediately began updating the relevant programs," explains an official LG company statement provided to SC Media. "Strengthening our software security system is a top priority at LG and partnering with cyber-security solution experts such as Check Point will be part of our strategy going forward."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.