HomeHack vulnerability could allow your LG robot vacuum to spy on you
Researchers at threat prevention specialist Check Point have uncovered a vulnerability which could allow hackers to gain control of the LG Hom-Bot robot vacuum cleaner's video camera.
The camera normally sends live video to the associated LG SmartThinQ app as part of its HomeGuard Security feature. Once in control of a specific user's LG account, any LG device or appliance associated with that account could be controlled by the attacker -- including the robot vacuum cleaner, refrigerators, ovens, dishwashers, washing machines and dryers, and air conditioners.
Dubbed HomeHack, the vulnerability in the SmartThinQ mobile app enabled Check Point's researchers to create a fake LG account, and then use this to take over a user's legitimate LG account, and in turn gain remote control of the user's LG smart appliances.
The Hom-Bot is a popular machine with sales of over 400,000 in the first half of 2016. Check Point disclosed the vulnerability to LG on July 31 2017, following responsible disclosure guidelines. LG has responded by fixing the reported issues in the SmartThinQ application at the end of September.
"As more and more smart devices are being used in the home, hackers will shift their focus from targeting individual devices, to hacking the apps that control networks of devices. This provides cyber criminals with even more opportunities to exploit software flaws, cause disruption in users' homes and access their sensitive data," says Oded Vanunu, head of products vulnerability research at Check Point. "Users need to be aware of the security and privacy risks when using their IoT devices and it's essential that IoT manufactures focus on protecting smart devices against attacks by implementing robust security during the design of software and devices."
To protect their devices, users of the LG SmartThinQ mobile app and associate appliances should ensure they are updated to the latest software versions from the LG website. They should also update their LG SmartThinQ app to the latest version (V1.9.23), either via the Google play store, Apple App Store or via the LG SmartThinQ app settings.
More details of the vulnerability are available on the Check Point blog and there’s a video of it in action below.