You Might Not Want Your Smart TV Connected to the Internet
A security firm has recently disclosed a vulnerability affecting more than 88,000 smart TVs that are connected to the Internet. It just so happens that this specific vulnerability is for LG TV’s but the risk is essentially the same for any smart TV given they all run some variant of an operating system.
This LG-specific vulnerability is critical given that a malicious hacker could gain root level access on the device and further exploit other known vulnerabilities such as:
| Vulnerability | Description |
|---|---|
| CVE-2023-6318 | allows the attackers to elevate their access to root |
| CVE-2023-6319 | allows for the injection of OS commands by manipulating a library for showing music lyrics |
| CVE-2023-6320 | lets an attacker inject authenticated commands by manipulating a WebOS application interface |
The most immediate risk would be exposing access to other paid accounts such as Netflix, viewing habits, and the ability to install other apps directly on the TV. A worst-case-scenario would be a malware infection where the TV would join a botnet of other infected devices to perform the bidding of the attacker.
The known affected TV models are:
| Model | webOS Version |
|---|---|
| LG43UM7000PLA | 4.9.7 - 5.30.40 |
| OLED55CXPUA | 5.5.0 - 04.50.51 |
| OLED48C1PUB | 6.3.3-442 (kisscurl-kinglake) - 03.36.50 |
| OLED55A23LA | 7.3.1-43 (mullet-mebin) - 03.33.85 |
Fortunately, for this specific attack to be carried out local access is required and only a subset of LG TV’s are known to be affected. However, once compromised the device would be controllable from anywhere.
What can you do?
It can be helpful to build a habit around updating all of your devices that are connected to the Internet, including your TV, just as you do your phone.
How can I help?
I specialize in helping my clients configure their networks and devices to operate as safely and securely as possible. This is just one more reason to have a robust, reliable network to protect against the local attacks first. No system is impenetrable but hackers are lazy and tend to focus on the easiest targets.