Story image

Check Point & LG plug security vulnerabilities in smart appliances

07 Nov 2017

Check Point researchers recently worked with LG to plug vulnerabilities in a number of home appliances, including dishwashers, washing machines, robot vacuum cleaners and refrigerators.

The ‘HomeHack’ vulnerability allows attackers to take control over smart appliances – and to spy on users through the video camera in robot vacuums.

The Hom-Bot video camera operates as part of the LG SmartThinQ app and HomeGuard Security features.

Researchers were able to create a fake LG account, use it to take over a genuine account and take over the smart appliances. They disclosed the vulnerability at the end of July and in September, LG released a fix for the SmartThinQ application.

Check Point’s head of products vulnerability research Oded Vanunu says hackers are increasingly interested in the apps that power device networks, rather than the individual devices themselves.

“This provides cyber criminals with even more opportunities to exploit software flaws, cause disruption in users’ homes and access their sensitive data.”

LG’s Smart Development Team manager, Koonseok Lee, says the company is expanding its smart appliance lineup “while prioritising the development of safe and reliable software programs”.

“In August, LG Electronics teamed with Check Point Software Technologies to run an advanced rooting process designed to detect security issues and immediately began updating patch programs. Effective September 29th the security system has been running the updated 1.9.20 version smoothly and issue-free.  LG Electronics plans to continue strengthening its software security systems as well as work with cyber-security solution providers like Check Point to provide safer and more convenient appliances,” Lee advises.

It is not the first time Check Point researchers have discovered vulnerabilities in LG devices.

Last year the CVE-2016-3117 vulnerability was able to let attackers take control of LG mobile devices.  The CVE-2016-2035 vulnerability was able to allow attackers to conduct credential theft or install a malicious app. LG fixed both vulnerabilities.

Those who own the LG SmartThinQ mobile app and appliances should make sure they have the latest software updates from the LG website.

Users should:

  • Update the LG SmartThinQ app to the latest version (V1.9.23), you can update the app via Google play store, Apple’s App Store or via LG SmartThinQ app settings. 
  • Update your Smart home physical devices with the latest version, you can do that by clicking on the smart home product under SmartThinQ application Dashboard (if an update is available you will get a popup alerting you).

“Users need to be aware of the security and privacy risks when using their IoT devices and it’s essential that IoT manufactures focus on protecting smart devices against attacks by implementing robust security during the design of software and devices,” Vanunu concludes.

Here's how it could be done:

Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
NZ ISPs issue open letter to social media giants to discuss censorship
Content sharing platforms have a duty of care to proactively monitor for harmful content, act expeditiously to remove content which is flagged to them as illegal.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
Bitdefender invests in A/NZ with new offices and regional director
Bitdefender has opened its Partner Advantage Network (PAN) programme with the aim of recruiting and supporting its over 500 local resellers.
Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.
Online attackers abusing Kiwis' generosity in wake of Chch tragedy
It doesn’t take some people long to abuse people’s kindness and generosity in a time of mourning.
Ransomware’s decline equals cryptomining’s rise
ESET’s Security Days Conference recently took place to go over the current threat environment and what to look out for next.