Security researchers have uncovered a critical set of vulnerabilities in LG’s WebOS operating system for smart televisions. These flaws allow attackers on the same local network—or in some cases over exposed ports—to bypass authentication, escalate privileges, and in worst-case scenarios, gain full control of the device. This risks more than just a hacked TV.
What the Vulnerabilities Allow
- Authentication Bypass: Attackers can skip PIN verification altogether and create privileged user accounts without needing user consent.
- Privilege Escalation & Root Access: Once an attacker has basic access, they can escalate to root level — giving them full administrative control over the TV.
- Command Injection: Vulnerable APIs and services allow unauthorised commands to be injected, including using system libraries (such as those used for lyrics display) and certain network services.
- File Access via Path Traversal: Attackers can exploit flaws in services that handle file requests, allowing them to download or view sensitive files from the TV’s internal filesystem.
Scope of Impact
- Tens of thousands of LG smart TVs globally are believed to be vulnerable. Scans suggest over 90,000 devices were exposing the vulnerable services, with many already patched, but some still at risk.
- Affected WebOS versions span several generations (WebOS 4 through 7) and include popular models.
- Geographically, while many vulnerable TVs are in LG’s home country, there are also impacted units in places like the US, Europe, and Asia.
Risk Implications
- Privacy Breach: Cameras, microphones, streaming credentials, or connected accounts could be exposed or misused.
- Device Hijack: Attackers could install malicious apps, enable developer mode, or use the TV as a foothold for further attacks in the home network.
- Network Safety: Since TVs are often connected to home networks, a compromised TV could be used as a pivot to attack other devices. Could even be enlisted in botnets or used for disruptive attacks.
What Users & Owners Should Do
- Update Firmware Immediately: If your LG TV indicates an available software update, install it. Keeping WebOS up-to-date is the best defence.
- Check Network Exposure: Ensure services aren’t exposed externally via router settings. Disable port forwarding or UPnP for ports used by control services if not needed.
- Isolate Untrusted Devices: If possible, segregate your smart TV onto a separate VLAN or guest network so exposure of one device doesn’t risk the rest.
- Monitor for Strange Behaviour: Unusual app behaviour, network traffic, apps you didn’t install — all are red flags.
- Enable Auto-Updates and Secure Settings: Where available, enable automatic updates and strict authorisation settings.
Why This Matters
Smart TVs are no longer simple appliances but fully networked devices with broad access to personal data and connected services. A vulnerability in such devices doesn’t just compromise entertainment—it can compromise privacy, security, and trust.
For manufacturers: this is a reminder that every network-exposed service, even ones meant for convenience, must be hardened and regularly audited.
