Check Point researchers have discovered a vulnerability in LG's Hom-Bot vacuum cleaner. Thanks to this vulnerability, hackers can now hijack LG SmartThinQ home appliances. The affected devices include dryers, refrigerators, vacuum cleaners, dishwashers, and microwaves.
The experts demonstrated their findings by showing how hackers could compromise the LG Hom-Bot and take control of the video camera installed inside the device.
The first part involved disassembling the LG Hom-Bot to locate the UART (Universal Asynchronous Receiver/Transmitter) connection. Once they had done this, they had to debug the main process. After that, they looked for the connection between SmartThinQ and the Hom-Bot.
The researchers said,
“This is when we had the idea to investigate the SmartThinQ application – leading to the discovery of the HomeHack flaw.”
The process was possible using debugging tools and a rooted phone. Once the SSL pinning and anti-root mechanisms were bypassed, hackers could intercept the application's traffic. An LG account could then be created.
The researchers from Check Point also performed an analysis of the login process. They were not able to find any link between the creation of the username-based signature and the authentication request. This can help them identify the actual user credentials.
Once they had all this data, the only thing hackers needed to do was bypass the confirmation process, then switch to the owner's username to gain access and complete the process. “By exploiting the vulnerability, the attacker could take over the victim’s account. Also, control his smart LG devices,” experts noted.
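The missing link between the authentication request and the username-based signature can be shown with a simplified model. This is an added example, not LG's code or protocol; the function names, accounts and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)           # constructed signing key
USERS = {"owner@example.com": "owner-pass",    # constructed accounts
         "other@example.com": "other-pass"}
_sessions = {}                                  # auth token -> authenticated username


def authenticate(username, password):
    """Step 1: check credentials and issue a token tied to that username."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    token = secrets.token_hex(16)
    _sessions[token] = username
    return token


def _sign(username):
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()


def sign_unbound(token, username):
    """Flawed step 2: any valid token obtains a signature for any username."""
    if token not in _sessions:
        return None
    return _sign(username)


def sign_bound(token, username):
    """Hardened step 2: sign only the username that step 1 authenticated."""
    authed = _sessions.get(token)
    if authed is None or not hmac.compare_digest(authed.encode(), username.encode()):
        return None
    return _sign(username)


def verify(username, signature):
    """Step 3: a login is accepted when the signature matches the username."""
    return signature is not None and hmac.compare_digest(_sign(username), signature)
```

With the bound variant, a token issued for one account cannot be used to obtain a signature for another account's username.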
LG was quick to fix the issue after the announcement of the vulnerability on July 31st, 2017. LG's solution included a fix to the SmartThinQ application, together with urging users to update the app from the Google or Apple app store. The process to update the app is quite simple: the update button is available on the Dashboard of the SmartThinQ app. A step by step solution is given below.
Check Point researchers expressed their concerns about hackers' new focus on individual devices, a consequence of the advances made in hacking capabilities, which affect more than ever.