Recent research conducted by security researchers at threat prevention firm Check Point highlights privacy concern surrounding smart home devices manufactured by LG.
Check Point researchers discovered a security vulnerability in LG SmartThinQ smart home devices that allowed them to hijack internet-connected devices like refrigerators, ovens, dishwashers, air conditioners, dryers, and washing machines manufactured by LG.
...and what's worse?
Hackers could even remotely take control of LG's Hom-Bot, a camera-equipped robotic vacuum cleaner, and access the live video feed to spy on anything in the device's vicinity.
This hack doesn't even require hacker and targeted device to be on the same network.
Dubbed HomeHack, the vulnerability resides in the mobile app and cloud application used to control LG's SmartThinkQ home appliances, allowing an attacker to remotely gain control of any connected appliance controlled by the app.
This vulnerability could allow hackers to remotely log into the SmartThinQ cloud application and take over the victim's LG account, according to the researchers.
Watch the Video Demonstration of the HomeHack Attack:
The researchers demonstrated the risks posed by this vulnerability by taking control of an LG Hom-Bot, which comes equipped with a security camera and motion detection sensors and reportedly owned by over one million users.
You can watch the video posted by the Check Point researchers, which shows how easy it is to hijack the appliance and use it to spy on users and their homes.
The issue is in the way SmartThinQ app processes logins, and exploiting the issue only requires a hacker with a moderate skill to know the email address of the target, and nothing else.
Since hackers can merely bypass a victim's login using the HomeHack flaw, there is no need for them to be on the same network as the victim, and primary IoT security tips such as avoid using default credentials, and always use a secure password also fails here.
Also, such devices which are supposed to give users remote access from an app cannot be put behind a firewall to keep them away from the exposure on the Internet.
In order to perform this hack, the hacker needs a rooted device and requires to intercept the app traffic with the LG server.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
However, the LG app has a built-in anti-root mechanism, which immediately closes if detects the smartphone is rooted, and SSL pinning mechanism, which restricts intercepting traffic.
So, to bypass both security features, Check Point researchers said hackers could first decompile the source of the app, remove the functions that enable SSL pinning and anti-root from the app's code, recompile the app and install it on their rooted device.
Now, hackers can run this tempered app on their rooted smartphone and can set up a proxy which could allow them to intercept the application traffic.
Here's How the HomeHack Attack Works:
Researchers analyzed the login process of the SmartThinQ app and found that it contains the following requests:
- Authentication request – the user would enter his/her login credentials, which would be validated by the company's backend server.
- Signature request – creates a signature based on the above-provided username (i.e. the email address), and this signature has nothing do with the password.
- Token request – an access token for the user account is generated using the signature response as a header and username as a parameter.
- Login request – sends the above-generated access token in order to allow the user to login to the account.
However, researchers found that there's no dependency between the first step and the subsequent two mentioned above.
So, an attacker could first use his/her username to pass step one, and then intercept the traffic in order to change the username to the victim's username for steps two and three, which would effectively grant the attacker access to the victim's account.
Once in control of the target account, the attacker can control any LG device or appliance associated with that account, including refrigerators, ovens, dishwashers, washing machines and dryers, air conditioners, and robot vacuum cleaners.
Hackers can then change the settings on the hacked devices, or can simply switch on or off.
This Is What You Can Do Now:
Researchers disclosed the vulnerability to LG on July 31 and the device manufacturer issued an update to patch the issue in September.
So, if you own any LG SmartThinQ appliance, you are strongly advised to update to the LG SmartThinQ mobile app to the latest version (1.9.23) through Google Play Store, Apple App Store or the LG SmartThinQ settings.