BitDefender has made public a series of vulnerabilities affecting LG TVs with webOS from 2020 to 2023. LG released a specific security update last March and the news was made known by BitDefender in recent days as per agreements with the ‘agency. The vulnerabilities were present in the following versions of webOS:
- webOS 4.9.7 – 5.30.40;
- webOS 5.5.0 – 04.50.51;
- webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50;
- webOS 7.3.1-43 (mullet-mebin) – 03.33.85.
Although the original BitDefender report mentions only a few models, as reported by the 4KFilme magazine, the vulnerabilities affect all LG TV models with webOS LCD and OLED from 2020 to 2023. LG has released a security patch starting from March 22nd and all owners of an LG TV are therefore invited to check that they have activated automatic updates and if not to proceed immediately by manually forcing the search for a new update. If your TV is not connected to the Internet, updates can be downloaded from the official support page for your model on the LG website.
The first vulnerability identified first exploits the service used by webOS for integration with LG’s ThinQ app to control the company’s IoT ecosystem, bypassing the security PIN for accessing the device. From here, by exploiting three other vulnerabilities, a malicious user would be able to inject and execute code with administrator permissions, effectively taking control of the television and gaining access to the user’s local network. According to BitDefender, at the time of the checks, more than 91,000 televisions potentially exposed to these vulnerabilities were identified through Shodan.
