LG Electronics has avoided a security disaster this summer after it worked with security researchers to patch a vulnerability in the mobile app that customers are using to control a breadth of LG smart home devices.
The vulnerability affects the LG SmartThinQ app used to control all of LG's "smart" home appliances, a list that includes devices such as smart ovens, vacuums, dishwashers, refrigerators, washing machines, dryers, air conditioners, and more.
The flaw was discovered by security researchers from Israeli firm Check Point, who reported the problem to LG technicians.
According to researchers, an attacker would have been able to hijack the authentication process that occurs between the SmartThinQ app and LG's servers. The attacker could have been able to take over a user's account and control devices in the user's home, and paired with the user's profile.
For example, attackers could have overheated ovens, altered a home's temperature via AC units in a Mr.Robot-style hack, or spied on users via camera-enabled devices.
Once such device was the LG Hom-Bot smart vacuum, which also comes with an on-board camera. To prove how intrusive the hack could have been, Check Point put together a video showing how the SmartThinQ hack could have allowed an attacker to spy on a family's home.
The good news is that the vulnerability is now patched, and even if users still use older app versions, the vulnerability is not easy to exploit.
The above exploitation steps are certainly not easy to carry out by low-skilled attackers. However, they are not out of reach for trained and determined threat actors.
LG has released an update for the SmartThinQ app (v1.9.20 released on September 29), and firmware updates for affected smart appliances.
Check Point tracks this vulnerability as HomeHack, and has released a report with more details here.