LG Electronics has patched a bug in its smart appliance app that can be exploited to gain remote access to devices under its control, including a camera-equipped vacuum that can be abused to spy on its owners.
Users of the LG SmartThinQ app who have not yet updated their software to version 1.9.23 could also have their dishwashers and washing machines turned on or off at will, reports Check Point Software Technologies, in a blog post last Thursday authored by researchers Roman Zaikin, Dikla Barda, and Oded Vanunu.
The vulnerability, dubbed HomeHack, exists because of a flawed account login process whose steps are not properly tied to one another. This allows attackers to enter a random username to pass the user authentication step, then switch to the victim's actual username for the rest of the process, including signature and access token generation.
Check Point's blog post describes the exploit process in more detail: "First, the attacker needs to recompile the LG application on the client side, in order to bypass security protections. This enables the traffic between the appliance and the LG server to be intercepted," the researchers write. "Then, the would-be attacker creates a fake LG account to initiate the login process. By manipulating the login process and entering the victim's email address instead of their own, it was possible to hack into the victim's account and take control of all LG SmartThinQ devices owned by the user..."
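The login flaw Check Point describes, as an added illustration that is not the researchers' or LG's code: a toy two-step login in which the token-issuing step signs whatever username the client sends (the HomeHack pattern), beside a fixed version that only signs the identity verified in the first step. The account names, passwords and signing secret are constructed for the demo.

```python
# Added example, not Check Point's or LG's code: a two-step login whose
# steps are (vulnerable) or are not (fixed) decoupled from each other.
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-demo-secret"
# Constructed demo accounts (username -> password); a real server stores hashes.
ACCOUNTS = {"attacker@example.com": "attacker-pw", "victim@example.com": "victim-pw"}


def verify_password(username, password):
    """Step 1 credential check; constant-time compare against the stored value."""
    stored = ACCOUNTS.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


def sign(username):
    """Signature / access token the app would present on later API calls."""
    return hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()


def step1_authenticate(sessions, username, password):
    """Verify credentials and record which identity this session proved."""
    if not verify_password(username, password):
        return None
    sid = secrets.token_hex(8)
    sessions[sid] = username  # the fixed path relies on this binding
    return sid


def vulnerable_step2(sessions, sid, username):
    """Flawed: only checks that *some* login happened, then signs any username."""
    if sid not in sessions:
        return None
    return sign(username)  # client-supplied, not the identity verified in step 1


def fixed_step2(sessions, sid, username):
    """Fixed: the identity being signed must be the one bound to the session."""
    if sessions.get(sid) != username:
        return None
    return sign(username)


def demo(step2):
    """Log in with the attacker's own credentials, then request the victim's token."""
    sessions = {}
    sid = step1_authenticate(sessions, "attacker@example.com", "attacker-pw")
    return step2(sessions, sid, "victim@example.com")
```

With the flawed step the call returns a valid token for the victim; with the fixed step it returns None, while a request for the attacker's own identity still succeeds.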
Among the impacted devices is the Hom-Bot robot vacuum cleaner, an automated housekeeping device that also sends out security alerts when it detects movement. When homeowners receive such an alert, they can use the app to turn on the vacuum's built-in video camera in order to view a live security feed on their smartphones.
If the app is taken over by hackers, however, then they can access the vacuum's camera to spy on the device's owner, conducting surveillance on their house.
Other potentially impacted devices include refrigerators, ovens, dryers, and air conditioners.
LG updated its app software on 29 September, two months after Check Point researchers discovered the vulnerability at the end of July.
"Earlier this year LG Electronics teamed up with Check Point Software Technologies to run an advanced rooting process designed to detect security issues in our smart ecosystem and immediately began updating the relevant programs," explains an official LG company statement provided to SC Media. "Strengthening our software security system is a top priority at LG and partnering with cyber-security solution experts such as Check Point will be part of our strategy going forward."