LG Hom-Bot smart vacuum

LG Electronics has avoided a security disaster this summer after working with security researchers to patch a vulnerability in the mobile app that customers use to control a wide range of LG smart home devices.

The vulnerability affects the LG SmartThinQ app used to control all of LG's "smart" home appliances, a list that includes devices such as smart ovens, vacuums, dishwashers, refrigerators, washing machines, dryers, air conditioners, and more.

The flaw was discovered by security researchers from Israeli firm Check Point, who reported the problem to LG technicians.

Vulnerability allowed hackers to take over LG smart devices

According to the researchers, an attacker could have hijacked the authentication process that occurs between the SmartThinQ app and LG's servers. This would have allowed the attacker to take over a user's account and control every device paired with that account in the user's home.

For example, attackers could have overheated ovens, altered a home's temperature via AC units in a Mr. Robot-style hack, or spied on users via camera-enabled devices.

One such device is the LG Hom-Bot smart vacuum, which comes with an on-board camera. To show how intrusive the hack could have been, Check Point put together a video demonstrating how the SmartThinQ flaw could have allowed an attacker to spy on a family's home through the vacuum's camera.

The good news is that the vulnerability is now patched, and even for users still running older app versions, the flaw is not easy to exploit.

First, the attacker needs to modify and recompile the LG app on the client side in order to bypass its security protections. This allows the traffic between the app and the LG server to be intercepted. Next, the would-be attacker creates a fake LG account and initiates the login process with it. By manipulating the login process and substituting the victim's email address for their own, the attacker could gain access to the victim's account and take control of all LG SmartThinQ devices owned by that user, including the Hom-Bot robot vacuum cleaner, refrigerators, ovens, dishwashers, washing machines and dryers, and air conditioning units.

The above exploitation steps are certainly not easy to carry out by low-skilled attackers. However, they are not out of reach for trained and determined threat actors.
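The core of the attack described above is an authentication flow that proves one identity (the attacker's throwaway account) and then lets the client name a different one (the victim's email) in a follow-up request. The mock below is an added example written for this article; it is not Check Point's or LG's code, and the assumption that the real SmartThinQ backend split login into exactly these two requests is made only for illustration. The same server class runs in a vulnerable mode, where the second request's email is trusted, and a fixed mode, where the identity is bound to the token issued after the password check. All accounts and devices are constructed sample data.

```python
"""Mock two-step login showing the account-takeover class of bug from the
HomeHack write-up (illustrative example, not LG's or Check Point's code)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample accounts: email -> (salt, password hash)
_SALT_V = b"salt-victim"
_SALT_A = b"salt-attacker"
ACCOUNTS = {
    "victim@example.com": (_SALT_V, _hash(_SALT_V, "correct horse battery")),
    "attacker@example.com": (_SALT_A, _hash(_SALT_A, "hunter2")),
}
# Constructed device registry: email -> appliances paired with that account
DEVICES: Dict[str, List[str]] = {
    "victim@example.com": ["Hom-Bot vacuum", "oven"],
    "attacker@example.com": [],
}


class LoginServer:
    """Step 1 verifies the password and returns a one-time login token.
    Step 2 exchanges that token, plus the email the client sends, for a session.
    (The two-request split is an assumption for the sake of the demo.)"""

    def __init__(self, trust_client_email: bool):
        self.trust_client_email = trust_client_email
        self._pending: Dict[str, str] = {}   # login token -> email proven in step 1
        self.sessions: Dict[str, str] = {}   # session id -> account email

    def step1_verify_password(self, email: str, password: str) -> str:
        salt, stored = ACCOUNTS[email]       # KeyError for an unknown account
        if not hmac.compare_digest(stored, _hash(salt, password)):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self._pending[token] = email
        return token

    def step2_create_session(self, token: str, email_from_client: str) -> str:
        proven_email = self._pending.pop(token)  # KeyError if unknown or reused
        if self.trust_client_email:
            # VULNERABLE: the account identity is taken from the request body,
            # so whoever passed step 1 with their own password can name the
            # victim's email here and receive a session for the victim.
            owner = email_from_client
        else:
            # FIXED: identity comes from the step-1 binding; a mismatch between
            # the proven identity and the client-supplied email is rejected.
            if email_from_client != proven_email:
                raise PermissionError("email does not match authenticated user")
            owner = proven_email
        sid = secrets.token_hex(16)
        self.sessions[sid] = owner
        return sid

    def list_devices(self, sid: str) -> List[str]:
        return DEVICES[self.sessions[sid]]


def account_takeover(server: LoginServer) -> Optional[List[str]]:
    """Replays the attack from the text: log in with the attacker's own account,
    then swap in the victim's email on the second request. Returns the device
    list visible to the resulting session, or None if the server rejected it."""
    token = server.step1_verify_password("attacker@example.com", "hunter2")
    try:
        sid = server.step2_create_session(token, "victim@example.com")
    except PermissionError:
        return None
    return server.list_devices(sid)


if __name__ == "__main__":
    print("vulnerable server:", account_takeover(LoginServer(trust_client_email=True)))
    print("fixed server:     ", account_takeover(LoginServer(trust_client_email=False)))
```

Against the vulnerable server the attacker's session lists the victim's Hom-Bot and oven; against the fixed server the mismatched email is refused and the attacker only ever sees their own empty device list. The practical lesson is the check in the fixed branch: any identifier the client sends after authentication must be compared with, or simply replaced by, the identity the server itself established.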

Patches are available

LG has released an update for the SmartThinQ app (v1.9.20 released on September 29), and firmware updates for affected smart appliances.

Check Point tracks this vulnerability as HomeHack and has published a report with further details.