A vulnerability in LG's Internet of things devices allowed hackers to spy on people. LG전자/Wikimedia Commons

A significant security flaw in a mobile app made by LG would have allowed hackers to hijack a litany of internet-connected appliances manufactured by the company and spy on individuals through the devices.

The flaw, dubbed HomeHack, was first discovered by researchers at the cybersecurity firm Check Point earlier this year and would have allowed an attacker to take complete control over appliances from LG’s Internet of Things product line, called SmartThinQ.

To execute the attack, a hacker would first need to modify LG’s SmartThinQ app, recompiling it to bypass some built-in security protections. Doing so would allow the attacker to intercept the traffic between an appliance and the LG server that it is communicating with.

Once the first step was completed, the attack became significantly less technical. All an attacker would need is the email address of a victim’s account in order to log in as that person and gain access to all of the devices connected to the app. No other information was required, nor did the attack require a victim to approve access. The LG mobile application didn’t even notify the victim of suspicious activity or potentially unauthorized access.

Once the attacker gained access to the app, they could remotely perform any number of tasks with connected devices and appliances, with consequences ranging from minor annoyances to troubling privacy violations.

Actions could range anywhere from turning on and off lights to preheating an oven while a person isn’t home or messing with an air conditioning unit. The app could also reveal the inventory in a person’s refrigerator or when a load of laundry has completed a cycle.

The most problematic part of the hack, though, is the ability it provides an attacker to spy on a victim—specifically through internet-connected devices that have a built-in camera like LG’s Hom-Bot robotic vacuum.

Some models of the Hom-Bot vacuum include a camera, part of the company’s HomeGuard Security system. That camera provides a live video feed from atop the robotic vacuum that can show what is happening within a person’s home and can be watched through the LG SmartThinQ app.

“This vulnerability highlights the potential for smart home devices to be exploited, either to spy on home owners and users and steal data, or to use those devices as a staging post for further attacks, such as spamming, denial of service (as we saw with the giant Mirai botnet in 2016) or spreading malware,” researchers at Check Point wrote.

“As part of our mission to enhance the lives of consumers worldwide, we are expanding our next-generation smart appliance lineup and prioritizing the development of safe and reliable software,” Taryn Brucia, the director of public relations for LG Electronics, told International Business Times.

“Strengthening our software security system is a top priority at LG and partnering with cyber-security solution experts such as Check Point will be part of our strategy going forward,” she said.

The HomeHack vulnerability was first reported to LG by Check Point on July 31, and the security firm said the Korean manufacturer responded quickly and responsibly to the disclosure. A patch for the problem was released in September and is available to users, though they may have to update manually, depending on their settings.

Users of LG devices will want to update their LG SmartThinQ app to version 1.9.20 or later. The update, which was first made available September 29, is available for both Android devices via the Google Play Store and iOS devices like iPhones through the iTunes App Store.

Check Point also recommends users update their connected devices to the latest version of the software available, which can be done through the SmartThinQ app by clicking on each individual device from the dashboard. If an update is available, a popup alert will appear.