Researchers have found a vulnerability in internet-connected LG home devices such as smart refrigerators, ovens, dishwashers, air conditioners, dryers and washing machines. The vulnerability is dubbed “HomeHack” and resides in the LG mobile app and cloud app that are used to control LG’s SmartThinQ home appliances.
HomeHack allows attackers to gain remote control of any appliance that is controlled by the app. Researchers could even take over LG’s “Hom-Bot”, which is a robotic vacuum cleaner that is equipped with a camera.
Researchers claim that there is an issue with the way that SmartThinQ processes logins. Attackers can “merely bypass” the victim’s login using the HomeHack vulnerability. It is worth noting that devices meant to be accessed remotely by users cannot be guarded by a firewall.
All the attacker needs is a rooted device and the ability to intercept the app’s traffic with the LG server. The LG app does have a built-in anti-root mechanism, which closes the app immediately if it detects that the smartphone is rooted. To bypass both security features, researchers said “hackers could first decompile the source of the app, remove the functions that enable SSL pinning and anti-root from the app's code, recompile the app and install it on their rooted device.”
Owners of the LG home devices listed above are advised to update their appliances as soon as possible.