Got an unpatched LG 'smart' television? It could be watching you back

A handful of bugs in LG smart TVs running WebOS could allow an attacker to bypass authorization and gain root access on the device. Once they have gained root, your TV essentially belongs to the intruder who can use that access to do all sorts of nefarious things including moving laterally through your home network, dropping …

  1. sarusa Silver badge
    Devil

    Or your best solution is...

    Whoops, I have one of these TVs. But I have, never, ever, let it have access to the internet. How stupid would you need to be to let your 'smart' TV, which will report everything you're watching back to home base along with photos of your living room at the time, have access to the internet? It's just a dumb screen for the media box.

    1. commonsense

      Re: Or your best solution is...

      The problem affects people who don't frequent this website and/or aren't aware that a TV could be exploited in this way. Is the inference that anybody who uses apps on TVs is stupid?

      The snootiness exhibited by some techies is incredible.

      1. John Robson Silver badge
        Facepalm

        Re: Or your best solution is...

        As is the assumption that the media box is completely invulnerable to any attack.

        1. Marty McFly Silver badge
          Big Brother

          Re: Or your best solution is...

          Don't jump from one trashcan to another. Roku, FireTV, AppleTV, etc are just more versions of the TV's built-in garbage.

          Gotta spend the money on a purpose-built PC to use as a media player. It may not be perfect, but at least I control what is running on it. And if I screw up the security or privacy it is on me.

          Do some network monitoring on outbound SmartTV traffic when it is displaying HDMI port 1. WTH is that thing sending to the mothership when none of the 'smart' features are in use?? Icon seems fitting....

          1. DS999 Silver badge
            Facepalm

            Re: Or your best solution is...

            Why do you think a purpose built PC would be secure? More secure, perhaps, but not secure.

            It is also pretty much useless because you can't run any streaming stuff on it like Netflix, Disney+ and so forth. I imagine now is where you climb on your high horse and claim "I will never rent media, only own it" but when pressed by "own it" you mean you've ripped your old DVD collection and now you pirate stuff, using the excuse that because they won't make recent content available on your "chosen platform" of a custom built media PC you have no alternate but piracy.

            I think an Apple TV is more secure than a "smart TV" because TV OEMs like LG and Samsung don't care about security at all. Its tvOS is basically a stripped down version of iOS, which while it hasn't proven invulnerable to remote attack it is pretty rare and has used exploit chains that include stuff like iMessage or Safari that tvOS doesn't support. I haven't heard of any real world exploits against an Apple TV. That's not to say one won't happen someday, but I like my odds versus running whatever an appliance maker who doesn't consider security at all puts out. It is also going to have its OS and apps supported longer than a smart TV's apps.

            1. perkele

              Re: Or your best solution is...

              I don't own a media box, but I see Apple TV recommended in so many places, e.g. as a replacement interface for Samsung TVs and to replace shit like Roku players (even before their latest games).

              So you pay a bit more, and maybe worry a bit less.

              I guess if I then wanted to read gushing fanboy support there's AppleRumours and the like. I'm referring to more generic locales.

            2. Marty McFly Silver badge
              WTF?

              Re: Or your best solution is...

              <Shrug> I guess I'll have to go check. Netflix streamed just fine in a web browser last time I used it. So did every other streaming service. Maybe you know something I don't know.

              And you are right...More secure but definitely not perfectly secure. My point is I am in control of the device, not the corporate mothership.

            3. Piro Silver badge

              Re: Or your best solution is...

              "It is also pretty much useless because you can't run any streaming stuff on it like Netflix, Disney+ and so forth. I imagine now is where you climb on your high horse and claim "I will never rent media, only own it" but when pressed by "own it" you mean you've ripped your old DVD collection and now you pirate stuff, using the excuse that because they won't make recent content available on your "chosen platform" of a custom built media PC you have no alternate but piracy."

              This but unironically and literally. I don't pay for any streaming services. I use a PC and ripped media. My streaming use amounts to some YouTube videos.

            4. HandleAlreadyTaken

              Re: Or your best solution is...

              >[a purpose-built PC] is also pretty much useless because you can't run any streaming stuff on it like Netflix, Disney+ and so forth

              That's not true at all. I have this exact set up, (albeit with generic small format PCs, no purpose-built ones) and I watch Netflix or YouTube in high resolution. I don't have Disney+, but I occasionally also watched Apple TV and Amazon Prime movies, with no problem at all. I don't pirate stuff, but I did rip my DVDs and music CDs to the NAS and sometimes watch them, again using the small media PCs.

          2. John Robson Silver badge

            Re: Or your best solution is...

            "Gotta spend the money on a purpose-built PC to use as a media player"

            Really not a solution to the problem at hand - I mean it solves several, but brings up several more.

            And I don't need yet another full blown machine running - OpenELEC on a RasPi would be an ok solution, except that it likely doesn't support half the things the TV does, and means I have to deal with more weirdness when I do stuff which isn't coming over that particular cable.

            If I could actually buy a dumb TV I would - If nothing else I could upgrade the source independently of the display.

            But the TV sits on a sewer network, as far as it knows it's the only device on the network, and there are no inbound connections happening.

            1. Marty McFly Silver badge
              Thumb Down

              Re: Or your best solution is...

              It's not the inbound you need to worry about. It is the outbound.

              Had a Samsung SmartTV. Playing content on HDMI 1. It also had a steady stream of outbound packets on the WiFi. WTH was it talking to?

              It would be one thing if these TVs went dumb when the 'Smart' components are not being used. But when they are chattering elsewhere when they don't need to be, that makes them suspicious. Especially now that the TVs have voice (microphone) and gesture (camera) controls.

              1. John Robson Silver badge

                Re: Or your best solution is...

                But the outbound is pretty boring if the TV only knows about itself.

                No camera on board, and the only mic I'm aware of is in the remote, so there isn't really enough power available to continuously transmit.

          3. HandleAlreadyTaken

            Re: Or your best solution is...

            >Gotta spend the money on a purpose-built PC to use as a media player.

            You don't need much money really, nor do you need a purpose-built PC. I got two cheap generic small format PCs from Amazon and am using them as media players in two rooms, at high resolution. They've been running quite well, and I use them for Netflix, Apple TV, streaming movies and music off my NAS, and occasional YouTube/browsing. The only thing that's missing is a nice interface for a remote control, but I got some palm-sized wireless keyboards that work quite satisfactorily.

        2. perkele

          Re: Or your best solution is...

          Well yes, but that is why you have a firewall on your external interface and don't enable UPnP.

          And still pray that things work / your firewall is updated / you've not been a doofus and configured it wrong [or trust the telco if they provide a "black box"].

          Still security is like an onion, so the more layers the better, unless the onion is rotten to the core.

      2. NeilPost

        Re: Or your best solution is...

        Agree - everyone who buys a SmartTV is going to leave it disconnected from the Internet!! Esp. the less than tech savvy ones.

        1. drankinatty

          Re: Or your best solution is...

          The LG exploits seem to be but the tip of the iceberg. What of all the other manufacturers (e.g. Samsung, et al.) that have sold internet connected "smart" TVs with built in browsers but have not provided updates in over 5 years.... It's hard to make up a worse scenario for the average Joe that plugs an RJ-45 into his smart TV and hasn't a clue it could very well be watching him back...

      3. RedGreen925 Bronze badge

        Re: Or your best solution is...

        "Is the inference that anybody who uses apps on TVs is stupid?

        The snootiness exhibited by some techies is incredible."

        Indeed they are morons just like the idiots on their "smart" phones giving all their life's information to the parasite corporations willingly. Then having the audacity to complain about it when they are caught using it. And the apologists for the parasite corporations are more than just as bad, they are part of the problem.

    2. Kevin McMurtrie Silver badge

      Re: Or your best solution is...

      You plug it in periodically in the hopes that someday LG will fix bugs in HDMI/eARC or the video processors.

      1. NeilPost

        Re: Or your best solution is...

        Or more likely de-support it after 5 years and no updates.

    3. TheMeerkat

      Re: Or your best solution is...

      > But I have, never, ever, let it have access to the internet

      Why would you want to use an extra device when, say, watching Netflix?

  2. Paul Crawford Silver badge

    ...while the vulnerable service is only intended for LAN access, more than 91,000 devices are exposed to the internet, according to a Shodan scan.

    Just how do folks manage that? I mean, just how do they not have NAT/firewall by default, or ended up port-forwarding them for exposure?

    1. John Robson Silver badge
      1. Anonymous Coward
        Anonymous Coward

        Unbelievably Prolific Nothing Protected

  3. Neil Barnes Silver badge

    your TV essentially belongs to the intruder

    Instead of LG, of course. Can't have all that lovely collectible data going to someone other than the mothership.

    (Still waiting for 'smart' TVs that will try and hijack your wifi - or even, I suppose, come with a built in secret phone connection. And I note a recent patent from Roku (as reported by Louis Rossmann) whereby adverts will be inserted into HDMI streams, irrespective of source.)

    1. captain veg Silver badge

      Re: your TV essentially belongs to the intruder

      Yes.

      I work for an advertising agency. LG aggressively markets its TV sets to ad agencies as an advertising vector.

      Buy one, if you like, if it's cheap enough, but don't connect it to the network. Get your online content from some kind of separately-securable attached device.

      -A.

  4. ecofeco Silver badge
    Facepalm

    Smart TVs

    Dumb idea.

  5. Anonymous Coward
    Anonymous Coward

    triggered by manipulating the music-lyrics library.

    Hopefully the database of favourite Mediaeval recipes from the Pyrenees is still safe from SQL injection; I'd hate to think that such a basic function of a TV set had not been properly secured.

  6. Barry Rueger

    Samsung too?

    This is why, despite their invitation, my washing machine has not been added to our WIFI.

    Well, that and because I can't be bothered to clutter my phone with a washing machine app.

    1. 43300 Silver badge

      Re: Samsung too?

      Have they invented an app which can empty the laundry basket and sort it into light colours / dark colours / red, and load the washing machine yet? If not, a washing machine app is of very limited use!

      1. DS999 Silver badge

        Re: Samsung too?

        Gotta wait for the personal home robot (hopefully not the NS-5 model) to appear. Ironically, when that happens, there will no longer be a reason for appliances to be "smart", because your home robot after loading the washing machine can hit buttons and turn dials just as easily as it can communicate with it via Bluetooth. What's the point of a fridge that talks to an app on your phone to tell you you are out of milk, your robot will be tasked with monitoring what you need and eventually do the grocery shopping for you.

        That assumes of course that regular people still have jobs (i.e. the robots and AI haven't taken them all) so they can afford a home robot. Or food and clothing, for that matter.

      2. Giles C Silver badge

        Re: Samsung too?

        I have the same type, never connected to WiFi because well Why….

        The reason for buying it was it was an unwanted return and had £100 off the retail price nothing to do with WiFi or anything else just wanted a good washer dryer. And it came with a 7 year guarantee

    2. spold Silver badge

      Re: Samsung too?

      Malicious app for malodorous crap?

      I had one of those, the app was total pants.

      1. 43300 Silver badge

        Re: Samsung too?

        It might have been total pants, but did it make one sock from a pair mysteriously disappear, like washing machines do?

      2. tiggity Silver badge

        Re: Samsung too?

        Did the washing machine app have a Felicity Kendal setting?

  7. anonymous boring coward Silver badge

    "November 1, 2023, and LG asked for a time extension to fix them. The electronics giant issued patches on March 22"

    How fast they are...

    1. aerogems Silver badge

      To be fair, LG tends to support products a lot longer than its competitors with updates. Most companies stop putting out updates as soon as the next year's model is on store shelves. LG, OTOH, may slow down the pace of updates after a model is no longer current, but I've seen updates for some TV I bought years ago that were put out within a few months of when I checked. That said, doesn't look like they've released an update for my C8 yet, still showing June of 2023 as the most recent update. Still, a 2018 model getting updates until at least mid-2023 is kind of the point I'm trying to demonstrate.

      1. VicMortimer Silver badge
        Flame

        IT IS A TELEVISION.

        The expected lifespan of the device is DECADES.

        LG does NOT get a prize for updating a TV from 2018.

  8. Icy North
    Happy

    Watching us back?

    It’s just like being on Gogglebox.

  9. tiggity Silver badge

    smart will become dumb

    After a while I'm sure there's a strong chance a lot of the "smarts" such as different players etc. will gradually fail as manufacturer stops providing software updates & there's some breaking change from some providers (e.g. the way newer instances of ITV Hub failed to be supported on some older Freeview TVs after an update and they could not run the new "replacement" ITVX "app").

  10. Piro Silver badge

    Never connect to network

    Problem solved. I have an LG TV, I patched it precisely once, I regretted that, it removed a bunch of features as I didn't agree with the new policy. So I disconnected it from the network.

    I didn't use the smart features anyway, but it was undoubtedly a downgrade.

    Forget it, don't patch, just don't have it online.

  11. phuzz Silver badge

    Does anyone have any recommendations for a new TV that is 'dumb'? It seems like most of them have some kind of 'smart' interface these days.

  12. wsm

    ROKU updates on the way

    What wonders await in the new features promised to improve every Roku device?
