TLDR:
- Multiple security vulnerabilities have been discovered in LG webOS smart televisions that could allow attackers to bypass authorization and gain root access to the devices.
- The vulnerabilities, tracked as CVE-2023-6317 through CVE-2023-6320, were reported by Bitdefender and fixed by LG in March 2024.

Researchers from the Romanian cybersecurity firm Bitdefender have revealed a series of security vulnerabilities in LG webOS smart televisions that could allow threat actors to bypass authorization and gain root access to the devices. The vulnerabilities, tracked as CVE-2023-6317 through CVE-2023-6320, were reported to LG in November 2023 and patched in updates released on March 22, 2024.
The vulnerabilities impact various versions of webOS running on LG smart TVs, including models such as LG43UM7000PLA, OLED55CXPUA, OLED48C1PUB, and OLED55A23LA. They range from bypassing PIN verification to injecting authenticated commands, ultimately enabling threat actors to gain elevated permissions and potentially execute arbitrary commands on the devices.
One particularly concerning aspect highlighted by Bitdefender is the exposure of the vulnerable service to the internet, with over 91,000 devices identified by Shodan as vulnerable. The majority of these devices are located in countries such as South Korea, Hong Kong, the U.S., Sweden, Finland, and Latvia.
Overall, the discovery of these vulnerabilities emphasizes the importance of regularly updating smart TV firmware and ensuring that security patches are promptly applied to mitigate the risk of potential exploitation by malicious actors.