ng-nz logo
Story image

Check Point uncovers major security flaw in LG smart devices

27 Oct 2017

With recent news from LG and Check Point, It’s like all your favourite horror movies have come true.

Check Point’s security researchers uncovered a vulnerability that exposed millions of users of LG SmartThinQ smart home devices to the risk of unauthorised remote control of their home appliances.

It’s undoubtedly concerning given the skyrocketing rise of smart applicances – in 2016 80 million smart home devices were shipped around the world, a 65 percent increase from the year before.

Deemed ‘HomeHack’, the vulnerabilities in the SmartThinQ mobile app and cloud application enabled the Check Point team to remotely login, take over the user’s legitimate account and gain control of the vacuum cleaner and its integral video camera.

Once in control of a specific user’s LG account, any LG device or appliance associated with that account could be controlled by the attacker – including the robot vacuum cleaner, refrigerators, ovens, dishwashers, washing machines and dryers, and air conditioners. 

Furthermore, the HomeHack vulnerability equipped attackers with the ability to spy on users’ home activities via the Hom-Bot robot vacuum cleaner video camera that sends live video to the associated LG SmartThinQ app as part of its HomeGuard Security feature.

“As more and more smart devices are being used in the home, hackers will shift their focus from targeting individual devices, to hacking the apps that control networks of devices. This provides cyber criminals with even more opportunities to exploit software flaws, cause disruption in users’ homes and access their sensitive data,” says Oded Vanunu, head of products vulnerability research at Check Point.

“Users need to be aware of the security and privacy risks when using their IoT devices and it’s essential that IoT manufactures focus on protecting smart devices against attacks by implementing robust security during the design of software and devices.”

Check Point disclosed the vulnerability to LG on July 31 2017, following responsible disclosure guidelines and LG responded by fixing the reported issues in the SmartThinQ application at the end of September.

Vanunu says fortunately LG responsibly provided a quality fix to stop possible exploitation of the issues.

“In August, LG Electronics teamed with Check Point Software Technologies to run an advanced rooting process designed to detect security issues and immediately began updating patch programs,” says Koonseok Lee, manager of the smart development team within smart solution BD at LG Electronics.

“Effective September 29th the security system has been running the updated 1.9.20 version smoothly and issue-free.  LG Electronics plans to continue strengthening its software security systems as well as work with cyber-security solution providers like Check Point to provide safer and more convenient appliances.” 

In terms of protecting devices, Check Point and LG recommend:

  • Update LG SmartThinQ app to the latest version (V1.9.23)
  • Update smart home physical devices with the latest version
Story image
Hands-on review: JBL Quantum One headset
The JBL Quantum One headset is a premium product that delivers excellent sound no matter what device you use it on. It’s also very comfortable and one of the best headsets I have ever used. More
Story image
Hands-on review: JBL Tune 220TWS
Another great part of the design is the earbuds themselves. Most other earbuds on the market can’t be worn for more than two hours at a time because of the amount of pressure they put on ear canals. Thankfully, the JBL Tune 220 were designed with all-day wear in mind. More
Story image
Kiwi scoops grand photography prize at Sony Alpha Awards
Wanaka-based Oscar Hetherington won this year’s award for his seascape photo, called ‘Back Wash’. He’s the fourth consecutive Kiwi to win the grand prize – and $10,000 worth of Sony camera gear to boot.More
Story image
Hands-on review: Twelve South HiRise Wireless 
The HiRise wireless charging stand is both elegant and useful. It is a two in one that would be a great addition to any desk or nightstand.More
Story image
Apple's new watchOS 7 features handwashing detection, new watch faces
“watchOS 7 brings sleep tracking, automatic handwashing detection, and new workout types together with a whole new way to discover and use watch faces, helping our users stay healthy, active, and connected.”More
Story image
Kiwis and Aussies among most concerned globally about data privacy
New research from Genesys finds the two neighbours value their data privacy more than other regions - but, as always, there are key differences of opinions too.More