Users of smart home products made by South Korean electronics giant LG could, until recently, be targeted by cybercriminals and spied upon in real time, new research has revealed.
Critical bugs were found in the mobile application and cloud platform linked to LG’s SmartThinQ range – a selection of internet of things (IoT) devices including robot vacuum cleaners, washing machines, fridges and ovens which are monitored remotely via smartphone.
Experts from cyber firm Check Point, who dubbed the flaws “HomeHack”, were able to exploit the bugs to take control of LG user accounts which, by extension, gave them access to the connected devices.
“By manipulating the login process […] it was possible to hack into the victim’s account and take control of all LG SmartThinQ devices,” the team explained.
In some cases, products could be switched on and off.
Check Point highlighted the flaws by taking control of the video camera in LG’s Hom-Bot robot vacuum cleaner. In the end, researchers were able to snoop on the live feed as it skulked around the house.
“This camera, in the case of account takeover, would allow the attacker to spy on the victim’s home, with no way of them knowing, with all the obvious negative consequences of invasion of privacy and personal security violation,” Check Point said in a blog post.
The HomeHack vulnerabilities were disclosed to LG on 31 July 2017, with the electronics firm successfully patching the SmartThinQ app at the end of September.
“As more and more smart devices are being used in the home, hackers will shift their focus from targeting individual devices, to hacking the apps that control networks of devices,” said Oded Vanunu, head of products and vulnerability research at Check Point.
He continued: “This provides cybercriminals with even more opportunities to exploit software flaws, cause disruption in users’ homes and access their sensitive data.
“Users need to be aware of the security and privacy risks when using their IoT devices and it is essential that IoT manufacturers focus on protecting smart devices against attacks by implementing robust security during the design of software.”
Sales of the Hom-Bot robotic vacuum cleaner alone reached 400,000 in the first half of 2016. In 2016, LG said that 80m smart home devices had been shipped worldwide.
Koonseok Lee, manager of LG’s smart development team, said: “LG Electronics plans to continue strengthening its software security systems as well as work with cybersecurity solution providers like Check Point to provide safer and more convenient appliances.”
He said that the company was still planning to expand its IoT product range in future.
Check Point advised users to ensure they have the latest mobile security updates installed – which can be done via the Google Play and Apple stores. The LG smart home appliances will also need to be updated with the latest software version via the SmartThinQ application dashboard.