A critical security flaw dubbed HomeHack exposed 1 million LG smartThinQ IoT home devices, security researchers from Check Point found. It enabled hackers to easily gain access to users’ homes and take full control over any LG smart device connected to the account, including dishwashers, vacuums, air conditioners and washing machines.
The flaws in the account login process permit hackers to pass authentication by typing random usernames, then switching to the legitimate account.
Exploiting this vulnerability means hackers do not need to target individual devices: they can simply hack the account that controls all of them and the network, unleashing a number of risks.
By hacking the app that controls all devices, the researchers created fake LG accounts. These would allow them to control legitimate LG accounts and, if used by hackers, permit them to invade user privacy and turn digital devices into espionage equipment.
To prove their point, the researchers hacked LG’s Hom-Bot robot vacuum cleaner and took over its functions to demonstrate the risks of unauthorized remote control. The video is at the end of the article.
LG was informed about the vulnerabilities in the mobile app and cloud application on July 31, and worked with Check Point on a patch that was delivered at the end of September.
“Effective September 29 the security system has been running the updated 1.9.20 version smoothly and issue-free,” said Koonseok Lee, manager of the smart development team at LG Electronics. “LG Electronics plans to continue strengthening its software security systems as well as work with cyber-security solution providers like Check Point to provide safer and more convenient appliances.”
Users are advised to immediately update the LG smartThinQ app to the latest version, 1.9.20.