Bitdefender details root vulnerability in LG WebOS v4 to v7 affecting LG HDTVs and commercial signage monitors
Bitdefender has detailed a serious vulnerability in LG WebOS v4 to v7 that allows hackers to gain root access to this operating system used on LG HDTVs and commercial signage monitors. At minimum, models released from 2018 to 2022 are known to ship with the vulnerable OS versions. One search shows at least 91,000 potentially hackable LG displays are connected to the internet.
Root access hacks provide hackers the keys to the kingdom, or full, unfettered access to the hacked device. In the case of an HDTV or monitor, such a hack provides full access to the apps installed, accounts logged in, and even web cameras attached. Credit card information, account passwords, and livestreams of private living rooms and bedrooms can be streamed out by hackers who have root access.
The LG WebOS hack chains two of four key vulnerabilities in WebOS v4 to v7: CVE-2023-6317 to bypass password authorization, followed by one of CVE-2023-6318 to gain root privileges, CVE-2023-6319 to inject OS commands, or CVE-2023-6320 to inject commands as the dbus user, which is root-level equivalent.
Bitdefender notified LG prior to releasing the vulnerability details, so affected monitors should have a WebOS version update that will fix the issue. Concerned readers should contact LG directly for specifics on how to update their displays, or simply take the displays offline since an Internet connection is required to hack into them. Also, users who have an LG Smart Cam web camera attached to their displays will want to consider disconnecting the camera until their TVs are patched.
Readers who really do not want to put their family and personal data at risk of a smart TV hack should look into replacing them with dumb HDTVs.