Flaw in mobile app lets hackers take over LG Smart Devices

A flaw in an LG app means hackers can hijack seemingly innocuous household gadgets and turn them into secret spying systems.

This is due to a vulnerability in the login process on the LG SmartThinQ app, according to security researchers.

The vulnerability impacts all LG smart devices, including its range of smart dishwashers, refrigerators, microwaves, dryers, and vacuums.

It means attackers can potentially remotely turn a smart oven up to the highest temperature or use a vacuum cleaner camera to spy on its user.

LG patched up the vulnerability after being contacted by security experts, but if users have not installed the latest software update, they may still be at risk.

A flaw in LG Smart Devices means hackers could hijack your robot vacuum (pictured) and turn it into a secret spying device, security experts have warned

HOW DOES IT WORK?

Software security firm Check Point found a vulnerability in the login process on the LG SmartThinQ app, which means that hackers could control your home remotely – just like you do.

This means that traffic between the appliance and the LG server can be intercepted and then the hacker can create a fake LG account and link up to that account. 

After being contacted in July, LG released a new version that patched up these vulnerabilities.

Researchers say in order to avoid getting hacked, users should ensure they are updated to the latest software versions.

Users can update via the Google Play store, Apple’s App Store and the LG SmartThinQ app.

According to Tel Aviv-based security firm Check Point, the Hom-Bot robot vacuum cleaner can be switched on to spy on what you’re doing at home, as demonstrated in a video.

‘The HomeHack vulnerability could have allowed attackers to stop your refrigerator from working, turn on your oven, access the video camera on your robotic vacuum cleaner and turn the device into a spy in your home,’ Check Point warned in a blog post.

The built-in vacuum camera, which is on the top of the robot, sends live video to the LG SmartThinQ app.

The device, which costs around $700/£520, can also act as a security device as it sends out an alert when it detects movement.

Check Point said: ‘However, this camera, in the case of account takeover, would allow the attacker to spy on the victim’s home, with no way of them knowing, with all the obvious negative consequences of invasion of privacy and personal security violation.’

WHAT DEVICES ARE VULNERABLE?

All devices that are controlled by the LG SmartThinQ app could be hacked.

The one experts focused on was the Hom-Bot robot vacuum cleaner.

However, dishwashers, refrigerators, microwaves, dryers, cleaners, ovens, washing machines and air conditioning units controlled by the LG SmartThinQ app are all vulnerable.

Security experts found a vulnerability in the login process, which allowed them to intercept traffic between the appliance and the LG server. 

They could then create a fake LG account and link up to that account.

‘By manipulating the login process and entering the victim’s email address instead of their own, it was possible to hack into the victim’s account and take control of all LG SmartThinQ devices’, Check Point said.

‘This vulnerability highlights the potential for smart home devices to be exploited, either to spy on home owners and users and steal data, or to use those devices as a staging post for further attacks, such as spamming, denial of service (as we saw with the giant Mirai botnet in 2016) or spreading malware,’ Check Point said. 

Hackers found a vulnerability in the login process on the LG SmartThinQ app which means that hackers could control your home remotely - just like you do

In the first half of 2016, more than 400,000 LG Hom-Bot robotic vacuum cleaners were sold.

‘As more and more smart devices are being used in the home, hackers will start to shift their focus from targeting individual devices, to hacking the apps that control networks of devices,’ the security firm said. 

‘This will give criminals even more opportunities to exploit software flaws, cause disruption in users’ homes and access their sensitive data.’ 

According to Tel Aviv-based security firm Check Point, the Hom-Bot robot vacuum cleaner could allow people to spy on what you're doing at home

The built-in vacuum camera, which is on the top of the robot, sends live video to the LG SmartThinQ app which is part of its HomeGuard Security Feature

MailOnline has contacted LG for comment. 

Hackers found a vulnerability in the login process. This allowed them to intercept traffic between the appliance and the LG server. They could then create a fake LG account and link up to that account

After being contacted in July, LG released a new version that patched up these vulnerabilities. Users can update via the Google Play store, Apple's App Store and the LG SmartThinQ app

Read more at DailyMail.co.uk