Researchers Find Flaw That Could Turn LG Robot Vacuums Into Perfect Spying Machines

The bug is just the latest in a long, seemingly endless list of flaws found in so-called smart devices.

Oct 26 2017, 2:42pm


Hackers could've hijacked internet-connected refrigerators, ovens, air conditioners, dishwashers, washing machines, dryers, and camera-equipped robotic vacuum cleaners manufactured by LG, thanks to a flaw in the mobile app used to control them, according to security researchers.

The flaw was found by researchers from Check Point in the user authentication process between the SmartThinQ mobile app and LG's back-end platform. This application allows users to remotely control different functions of their appliances, including turning them on and off. For example, users can preheat their oven or start their AC unit before they get home, can check their smart refrigerator's inventory before stopping by the supermarket or can see when their washing machine finished a cycle.

The flaw, which Check Point dubbed HomeHack, was privately reported to LG in July and was quietly patched at the end of September. It enabled attackers to easily hijack people's SmartThinQ accounts and gain control over their linked devices by knowing only their email addresses.


To pull off the attack, hackers would have needed to modify LG's app on their own device in order to disable some security checks and then manipulate the log-in process to use the victim's username—their email address—instead of their own, the Check Point researchers said in a report released today. This process did not require the victim to click on anything, nor would it have alerted them of any suspicious activity.
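As an added illustration, not Check Point's proof of concept or any LG code, the Python below models the bug class the paragraph describes: a login split into a credential check and a separate token-issuing step, where the second step trusts the account name the client supplies instead of the identity proven in the first. A modified app that has had its client-side checks disabled can simply call the second step with someone else's email, which is what `account_takeover` simulates. The account data, the `LoginService` flow, the HMAC token format and the `bind_identity` switch are all assumptions made for the demonstration; the fixed variant shows the minimal server-side binding that closes the hole.

```python
import hashlib
import hmac
import secrets

# Constructed demo accounts (not real SmartThinQ data): email -> SHA-256 of password.
USERS = {
    "victim@example.com": hashlib.sha256(b"victim-pass").hexdigest(),
    "attacker@example.com": hashlib.sha256(b"attacker-pass").hexdigest(),
}
SERVER_KEY = b"hypothetical-server-hmac-key"  # assumed server-side secret


def _password_ok(email, password):
    """Constant-time compare of the stored hash against the offered password."""
    stored = USERS.get(email)
    if stored is None:
        return False
    offered = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, offered)


def _mint_token(email):
    """Session token: account plus a nonce, MACed with the server key so it cannot be forged."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_KEY, f"{email}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{email}:{nonce}:{mac}"


def token_owner(token):
    """Return the account a token is valid for, or None if the MAC does not verify."""
    try:
        email, nonce, mac = token.rsplit(":", 2)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{email}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return email if hmac.compare_digest(mac, expected) else None


class LoginService:
    """Hypothetical two-step login: step 1 checks the password and returns an auth_id,
    step 2 exchanges the auth_id (plus a client-named account) for a session token."""

    def __init__(self, bind_identity):
        self.bind_identity = bind_identity  # False = flawed behaviour, True = fixed
        self.pending = {}                   # auth_id -> email verified in step 1

    def authenticate(self, email, password):
        if not _password_ok(email, password):
            return None
        auth_id = secrets.token_hex(16)
        self.pending[auth_id] = email
        return auth_id

    def issue_token(self, auth_id, requested_email):
        verified_email = self.pending.pop(auth_id, None)  # single use
        if verified_email is None:
            return None
        if not self.bind_identity:
            # FLAW: the account named in the client's step-2 request is trusted, so a
            # tampered app can pass step 1 with its own credentials and then ask for a
            # token naming any other email address.
            return _mint_token(requested_email)
        # FIX: the session is bound to the identity proven in step 1; a mismatch is refused.
        if requested_email != verified_email:
            return None
        return _mint_token(verified_email)


def account_takeover(service, attacker_email, attacker_password, victim_email):
    """Simulate a modified client: log in as the attacker, request a token for the victim.
    Returns the account the resulting token is valid for, or None if the server refused."""
    auth_id = service.authenticate(attacker_email, attacker_password)
    if auth_id is None:
        return None
    token = service.issue_token(auth_id, victim_email)
    return None if token is None else token_owner(token)


if __name__ == "__main__":
    args = ("attacker@example.com", "attacker-pass", "victim@example.com")
    print("flawed service issues a token for:", account_takeover(LoginService(False), *args))
    print("fixed service issues a token for:", account_takeover(LoginService(True), *args))
```

The point of the fixed branch is that nothing the client sends after the password check is allowed to name the account: the server only ever mints a token for the email it verified itself, and any client-side "security checks" become irrelevant because the server no longer depends on them.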

They decided to demonstrate the risks posed by the vulnerability by taking control of an LG Hom-Bot, a robotic vacuum cleaner that doubles as a home security agent. The device is equipped with a security camera and motion detection sensors.

The researchers created a video to show how easily the appliance could be used to spy on users and their homes. According to some reports, LG has sold over 1 million Hom-Bot vacuum cleaners to date, but not all models may have the HomeGuard security monitoring functionality.

"This vulnerability highlights the potential for smart home devices to be exploited, either to spy on home owners and users and steal data, or to use those devices as a staging post for further attacks, such as spamming, denial of service (as we saw with the giant Mirai botnet in 2016) or spreading malware," the Check Point researchers said in the report.

The incident also shows that regardless of how well people secure their local networks against intrusion, their IoT devices could still be hijacked through flaws in mobile applications or the vendor's back-end infrastructure.

This flaw in LG's products is just the latest in a long, seemingly endless list of flaws found in so-called smart devices, such as crock-pots, teddy-bears, and camera-equipped vibrators, among many others. Last month, security researchers from Rapid7 found security vulnerabilities in the mobile applications used to control smart home hubs from Wink and Insteon.

According to Oded Vanunu, head of products vulnerability research at Check Point, hackers are more likely to exploit vulnerabilities in the management mobile applications for IoT devices than in the devices themselves because finding such flaws doesn't require advanced reverse engineering skills. Moreover, these flaws could allow attackers to compromise a larger number of devices at once.

LG did not immediately respond to a request for comment, but according to Check Point, the vulnerability was fixed in version 1.9.20 of the SmartThinQ app, released September 29.

It's also worth noting that, since the beginning of October, many users have complained on Google Play that the application crashes on their devices after the latest update. It's not clear if this is related to the HomeHack patch or not, but there are clearly some recent issues with the app that resulted in a large number of one-star ratings.

Got a tip? You can contact this reporter at lucian@constantinsecurity.com and use this PGP key for encrypted email.
