Vulnerability in LG Hom-Bot Allows Hackers to Use the Device’s Camera and Spy

Check Point researchers have discovered a vulnerability in LG’s Hom-Bot vacuum cleaner. The vulnerability allows hackers to hijack LG SmartThinQ home appliances. The affected devices include dryers, refrigerators, vacuum cleaners, dishwashers, and microwaves.

The experts demonstrated their findings by showing how hackers could compromise the LG Hom-Bot and take control of the video camera installed inside the device.

The first part involved disassembling the LG Hom-Bot to locate the UART (Universal Asynchronous Receiver/Transmitter) connection. Once they had done this, they had to make sure the main process was debugged. After that, they looked for the connection between SmartThinQ and the Hom-Bot.

The researchers said,

“This is when we had the idea to investigate the SmartThinQ application – leading to the discovery of the HomeHack flaw.”

The process was possible using debugging tools and a rooted phone. Once the SSL pinning and anti-root mechanisms were bypassed, the application’s traffic could be intercepted. An LG account could then be created.

The researchers from Check Point also performed an analysis of the login process. They were not able to find any link between the creation of the username-based signature and the authentication request. It can help them identify the actual user credentials.

Once they had all this data, the only thing hackers needed was to bypass the confirmation process, then switch to the owner’s username to gain access and complete the process. “By exploiting the vulnerability, the attacker could take over the victim’s account. Also, control his smart LG devices,” experts noted.
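The missing link described above, as an added example that is not Check Point's or LG's code: a two-step login in which the signature step either ignores or checks the identity proven in the authentication step. The function names, ticket format, accounts and timeout are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)                      # constructed server secret
# Constructed accounts; plaintext passwords only to keep the example short.
USERS = {"alice": "correct horse", "mallory": "hunter2"}
TICKET_TTL = 60                                           # seconds a ticket is valid

def _mac(*parts: str) -> str:
    return hmac.new(SERVER_KEY, "\x00".join(parts).encode(), hashlib.sha256).hexdigest()

def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())    # constant-time compare

def authenticate(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1: check credentials, return a ticket bound to that username."""
    stored = USERS.get(username)
    if stored is None or not _same(stored, password):
        return None
    issued = str(int(time.time() if now is None else now))
    return f"{username}|{issued}|{_mac('ticket', username, issued)}"

def sign_unlinked(username: str) -> str:
    """Step 2, flawed: signs any username, with no reference to step 1."""
    return _mac("login", username)

def sign_linked(username: str, ticket: str, now: Optional[float] = None) -> Optional[str]:
    """Step 2, hardened: signs only the username that step 1 authenticated."""
    parts = ticket.split("|")
    if len(parts) != 3:
        return None
    t_user, issued, tag = parts
    if not _same(tag, _mac("ticket", t_user, issued)):
        return None                                       # forged or altered ticket
    if (time.time() if now is None else now) - int(issued) > TICKET_TTL:
        return None                                       # stale ticket
    if not _same(t_user, username):
        return None                                       # username swapped after step 1
    return _mac("login", username)
```

The hardened step refuses to sign for any username other than the one whose credentials were verified, which is the server-side binding the analysis found absent.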

LG was quick to fix the issue after the announcement of the vulnerability on July 31st, 2017. The solution made by LG included a fix to the SmartThinQ application, together with urging users to update the app from the Google Play Store or Apple App Store. The process to update the app is quite simple. The update button is available on the Dashboard of the SmartThinQ app. A step-by-step solution is given below.

Check Point researchers expressed concern about hackers’ new focus on individual devices, a consequence of advances in hacking capabilities that now affect more than ever.

How to Protect from HomeHack Vulnerability

Users of the LG SmartThinQ mobile app should update the app to protect their devices. Experts also tell users to take the following steps if they want to secure their devices:
  • Download the updated version of the LG SmartThinQ app from the Google Play Store or Apple App Store.
  • You can update the app via its settings.
  • Smart home physical appliances should be kept up to date.
  • Click on the ‘smart home product’ under the SmartThinQ Dashboard.
  • If the update is missing, a popup will alert you about it.
