IoT
10/30/2017
11:30 AM
Dark Reading
Products and Releases

Check Point Partners With LG To Secure Smart Home Devices

Check Point helps block a major security vulnerability in LG SmartThinQ® home IoT appliances.

SAN CARLOS, CA, Thu, 26 Oct 2017 -- Check Point Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber-security solutions globally, today announced that its security researchers have discovered HomeHack, a vulnerability that exposed millions of users of LG SmartThinQ® smart home devices to the risk of unauthorized remote control of their SmartThinQ home appliances.

The vulnerabilities in the LG SmartThinQ mobile app and cloud application enabled the Check Point research team to log in remotely to the SmartThinQ cloud application, take over a user's legitimate LG account, and gain control of the robot vacuum cleaner and its integral video camera. Once in control of a specific user's LG account, an attacker could control any LG device or appliance associated with that account, including the robot vacuum cleaner, refrigerators, ovens, dishwashers, washing machines and dryers, and air conditioners.

The HomeHack vulnerability gave attackers the potential to spy on users’ home activities via the Hom-Bot robot vacuum cleaner video camera, which sends live video to the associated LG SmartThinQ app as part of its HomeGuard Security feature.  Depending on the LG appliances in the owner’s home, attackers could also switch dishwashers or washing machines on or off.

“As more and more smart devices are being used in the home, hackers will shift their focus from targeting individual devices, to hacking the apps that control networks of devices. This provides cyber criminals with even more opportunities to exploit software flaws, cause disruption in users’ homes and access their sensitive data,” said Oded Vanunu, head of products vulnerability research at Check Point. “Users need to be aware of the security and privacy risks when using their IoT devices and it’s essential that IoT manufacturers focus on protecting smart devices against attacks by implementing robust security during the design of software and devices.”

The vulnerabilities in the SmartThinQ mobile app enabled Check Point's researchers to create a fake LG account, use it to take over a user's legitimate LG account, and in turn gain remote control of the user's smart LG appliances. Check Point disclosed the vulnerability to LG on July 31, 2017, following responsible disclosure guidelines. LG responded by fixing the reported issues in the SmartThinQ application at the end of September. "Thankfully, LG responsibly provided a quality fix to stop possible exploitation of the issues in its SmartThinQ app and devices," said Oded Vanunu.

“As part of LG Electronics’ mission to enhance the lives of consumers worldwide, we are expanding our next-generation smart home appliance lineup, while also prioritizing the development of safe and reliable software programs,” said Koonseok Lee, Manager of Smart Development Team, Smart Solution BD, LG Electronics. “In August, LG Electronics teamed with Check Point Software Technologies to run an advanced rooting process designed to detect security issues and immediately began updating patch programs. Effective September 29th the security system has been running the updated 1.9.20 version smoothly and issue-free. LG Electronics plans to continue strengthening its software security systems as well as work with cyber-security solution providers like Check Point to provide safer and more convenient appliances.”

To protect their devices, users of the LG SmartThinQ mobile app and appliances should ensure that both the app and the appliances are updated to the latest software versions from the LG website. Check Point also advises consumers to take the following steps to secure their smart devices and home Wi-Fi networks against intrusion and the possibility of remote device takeover:

1.    Update the LG SmartThinQ app to the latest version (V1.9.23). You can update the app via the Google Play Store, Apple's App Store, or the LG SmartThinQ app settings.

2.    Update your smart home physical devices to the latest version. You can do this by selecting the smart home product in the SmartThinQ application dashboard; if an update is available, a popup will alert you.

LG’s SmartThinQ® range of smart appliances and safety solutions enable users to monitor and maintain their homes from a smartphone. Sales of the Hom-Bot robotic vacuum cleaner alone exceeded 400,000 in the first half of 2016.  In 2016, 80 million smart home devices were shipped worldwide, a 64% increase from 2015. 

A video demonstrating how the attack could be carried out is available from Check Point. To learn more about this vulnerability, visit the Check Point blog.
