Security flaw in LG’s SmartThinQ mobile app invades homeowner’s privacy

Check Point found security flaws in LG’s SmartThinQ mobile app that allow hackers to spy on homeowners. The flaw has been patched, but it is another case in point of today’s security problems with IoT devices.

The flaw is in the user authentication process between the SmartThinQ mobile app and LG’s back-end platform. Homeowners mostly use the mobile app to check on their LG appliances, like checking inventory in a refrigerator or checking if a washing machine has finished a cycle.

The exploitation procedure is not likely to be performed by low-skilled attackers. Hackers first need to modify LG’s app on their own device in order to bypass security protections, and then they need to use a fake LG account they created to initiate the login process. By entering the victim’s email address during the login, they gain access to the account and take control of all the user’s LG appliances at home.

Appliances that could be manipulated include robot vacuums, refrigerators, ovens, dishwashers, washing machines and dryers, and air conditioners. A video clip made by Check Point shows how a hacked LG smart vacuum can spy on a family’s home with its built-in camera.

“This vulnerability highlights the potential for smart home devices to be exploited, either to spy on home owners and users and steal data, or to use those devices as a staging post for further attacks, such as spamming, denial of service (as we saw with the giant Mirai botnet in 2016) or spreading malware,” Check Point researchers say in a report.

The researchers privately notified the Korean company about the flaw back in July, and it was patched at the end of September through a mobile app update.

Check Point said that hackers are more likely to exploit vulnerabilities in mobile apps for IoT devices rather than the hardware itself, since finding such flaws doesn’t require advanced engineering skills. Hackers can also attack a greater number of devices this way.

LG smart appliance owners must get the latest SmartThinQ app update to avoid further intrusions.