Researchers turn LG’s Hom-Bot vacuum cleaner into a real-time spying device

Check Point researchers have discovered a vulnerability in LG’s smart home infrastructure that could have allowed hackers to take over the legitimate user’s account and, through it, take remote control of all the LG SmartThinQ home appliances.

These appliances include dishwashers, refrigerators, microwaves, dryers, and robotic vacuum cleaners.

The dangers of certain devices being switched on or off while nobody is at home are obvious, but the researchers decided to show how an attacker could turn LG’s Hom-Bot vacuum cleaner into a real-time spying device through its integrated video camera:

About the HomeHack vulnerability

The researchers first disassembled the Hom-Bot to find the UART (Universal Asynchronous Receiver/Transmitter) connection. They found it, connected to it, and managed to manipulate to receive access to the filesystem.

“While debugging the main process, we looked for the code responsible for Hom-Bot’s communication with the SmartThinQ mobile application. This is when we had the idea to investigate the SmartThinQ application – leading to the discovery of the HomeHack vulnerability,” they shared.

To delve into the SmartThinQ application and the backend platform, they installed the app on a rooted phone and employed debugging tools.

After bypassing the app’s anti-root and SSL pining mechanisms, they succeeded in intercepting the application traffic. Then they created an LG account and logged into the application.

An analysis of the login process revealed that there is no direct dependency between step 1 (authentication request that verifies user credentials) and later ones (2 and 3) that create a signature based on the username and use it to get the access token for the user account.

“This means that the attacker could use his username to pass step 1, and then change the username to the victim’s in steps 2 and 3. Step 4 would allow the attacker to complete the login process to the victim’s account,” they explained.

“By exploiting the HomeHack vulnerability, as described above, the attacker could take over the victim’s account and control his smart LG devices.”

A fix has been provided

The researchers disclosed the vulnerability to LG on July 31 2017, and LG responded by fixing the reported issues in the SmartThinQ application at the end of September.

Users of the LG SmartThinQ mobile app and LG’s smart appliances are advised to update them to the latest app (v1.9.23) and software versions.

Updates for the app can be had from the Google Play store, Apple’s App Store or via LG SmartThinQ app settings. The smart home physical devices can be updated by clicking on the smart home product under SmartThinQ application Dashboard.

“As more and more smart devices are being used in the home, hackers will shift their focus from targeting individual devices, to hacking the apps that control networks of devices. This provides cyber criminals with even more opportunities to exploit software flaws, cause disruption in users’ homes and access their sensitive data,” said Oded Vanunu, head of products vulnerability research at Check Point.

“Users need to be aware of the security and privacy risks when using their IoT devices and it’s essential that IoT manufactures focus on protecting smart devices against attacks by implementing robust security during the design of software and devices.”