LG TVs could be hacked to let criminals spy on you — and that's not all

A digital padlock on a blue digital background.
(Image credit: Shutterstock / vs148)

Your LG TV could be the biggest security vulnerability in your home or your office, new research from Bitdefender has found.

The LG WebOS TV operating system’s versions 4 through 7 are seemingly riddled with security vulnerabilities that allow hackers to add themselves as a user, take over the device and exploit command injection vulnerabilities to their hearts delight.

Over 91,000 devices are exposed via their internet connection, despite the vulnerable service’s intended use being LAN access only.

Triple escalation of vulnerabilities

The first vulnerability, tracked as CVE-2023-6317, allows the hacker to skirt around the TV’s authorization mechanisms and by changing a single variable, add themselves as a user on the TV. Next, by abusing the vulnerability tracked as CVE-2023-6318, the hacker can give themselves total access to the device paving the way for command injection.

By abusing two more vulnerabilities, tracked as CVE-2023-6319 and CVE-2023-6320, the hacker can either manipulate a music lyrics library to allow OS command injection, or the attacker can manipulate a specific API endpoint to inject authenticated commands.

The vulnerable device models are:

  • LG43UM7000PLA running webOS 4.9.7 - 5.30.40
  • OLED55CXPUA running webOS 5.5.0 - 04.50.51
  • OLED48C1PUB running webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50
  • OLED55A23LA running webOS 7.3.1-43 (mullet-mebin) - 03.33.85

A patch was released to address these vulnerabilities on March 22, being made available for the above models from April 10, so it is worth checking the OS system version of vulnerable LG TV devices to ensure the patch has been installed.

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for close to 5 years, at first covering geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division). Benedict then continued his studies at a postgraduate level and achieved a distinction in MA Security, Intelligence and Diplomacy. Benedict transitioned his security interests towards cybersecurity upon joining TechRadar Pro as a Staff Writer, focusing on state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

TOPICS