Hackers Can Transform LG SmartThinQ Tools into Spy Robots

Cyber News - Recent research conducted by security researchers at the Check Point company highlights the privacy concerns surrounding smart home devices manufactured by LG.

Check Point researchers found a security vulnerability on LG SmartThinQ that allowed attackers to hijack an Internet-connected device (IoT) such as refrigerators, ovens, dishwashers, air conditioners, dryers, and washing machines manufactured by LG.

Unfortunately, the attacker can even control the remote LG Hom-Bot, a vacuum-equipped robot equipped with a camera, and access live video feeds to spy on everything around the device.

This hack does not even require attackers and devices targeted to be on the same network.

Dubbed "HomeHack", vulnerabilities reside in mobile applications and cloud applications used to control LG SmartThinQ home appliances, allowing attackers to control the control of any control device from a remote-controlled app.

This vulnerability allows attackers to log in from the SmartThinQ cloud app and take over the victim's LG account, according to the researchers.

The researchers point out the risks posed by this vulnerability by controlling the LG Hom-Bot, which is equipped with security cameras as well as motion-sensing sensors and owned by over a million users.

You can watch a video published by a Check Point researcher, which shows how easy it is to hijack the tool and use it to spy on their users and homes.

The problem is with the way the SmartThinQ app processes the login process, and exploiting the vulnerability requires only attackers with moderate skills to find out the target email address, and nothing else.

Because the attackers need only to go through the login process, they do not need to be on the same network as their victims, and IoT's main security tips such as avoiding the use of default credentials, and always using secure passwords have no effect here.

In addition, such devices that should give users remote access to an app cannot be placed behind a firewall to keep them away from exposure on the Internet.
To perform this hack, an attacker needs a device that requires app traffic delimitation with an LG server.

However, the LG app has an in-built anti-root mechanism, which is immediately closed if it detects the rooted smartphone, and the SSL anti-root mechanism, which limits the incoming traffic.

So, to get past those two security features, Check Point researchers say that hackers can first decompile the source code of the app, remove the functionality that allows embedding and anti-root SSL from the application code, recompiling applications and installing them on their devices.

Now, hackers can run this app on their smartphone and can set up proxies that allow them to block app traffic.

This is How HomeHack Attacks Work

The researcher analyzes the login of the SmartThinQ app and finds it contains the following request:

• Authentication request - the user will enter their login credentials, which will be validated by the company's backend server.
• A signature request - create a signature based on the username given above (ie email address), and this signature has nothing to do with the password.
• Token requests - access tokens for user accounts are generated using the signature response as headers and usernames as parameters.
• Incoming request - sending the above-generated access token for users to log in to the account.

However, researchers found that there is no dependence between the first step and the two next things mentioned above.

So the attacker first uses his or her username to skip the first step, then block traffic to change the username to the victim's username for steps two and three, which will effectively give the attacker access to the victim's account.

After controlling the victim's account, the attacker can control the LG device or device associated with the account, including refrigerators, ovens, dishwashers, washers and dryers, air conditioning, and robotic vacuum cleaners.

Attackers can then change settings on hacked devices, or can only be turned on or off.

Researchers revealed the vulnerability in the LG product was found on July 31 and the manufacturer of the device issued an update to fix the problem in September.

So if you have an LG SmartThinQ device, you are strongly advised to update to LG SmartThinQ mobile apps to the latest version (1.9.23) through Google Play Store, Apple App Store or SmartThinQ LG settings.