A flaw discovered by security researchers would have allowed hackers to take control of numerous LG smart devices including a camera-equipped robot vacuum.
According to security firm Check Point, who reported the flaw to LG last July, the attack was enabled by a vulnerability in the authentication process between the SmartThinQ mobile app and LG’s servers.
Dubbed HomeHack, the security bug also affected LG’s internet-connected air conditioners, dishwashers, ovens, refrigerators and washing machines.
“The HomeHack vulnerability could have allowed attackers to stop your refrigerator from working, turn on your oven, access the video camera on your robotic vacuum cleaner and turn the device into a spy in your home, or even turn your kitchen into a paddling pool by flooding your dishwasher,” Check Point notes.
In a video demonstrating the hack, the camera on an LG Hom-Bot robot vacuum cleaner is activated, permitting the attacker to spy on numerous targets undetected.
“This vulnerability highlights the potential for smart home devices to be exploited, either to spy on home owners and users and steal data, or to use those devices as a staging post for further attacks, such as spamming, denial of service (as we saw with the giant Mirai botnet in 2016) or spreading malware,” Check Point adds.
In the first half of 2016 LG is reported to have sold more than 400,000 Hom-Bot robotic vacuum cleaners alone. Since the device was introduced in 2003, more than 1 million people are believed to have purchased the item.
“As more and more smart devices are being used in the home, hackers will start to shift their focus from targeting individual devices, to hacking the apps that control networks of devices,” Check Point continued. “This will give criminals even more opportunities to exploit software flaws, cause disruption in users’ homes and access their sensitive data.”
After being privately informed of the vulnerability, LG released a security update last September to fix the flaw.