HomeHack Flaw Allows Spying Via the Robot Vacuum

Beware your vacuum robot: A vulnerability in LG Electronics’ smart-home line of appliances allows remote access and control of anything in the ecosystem—including refrigerators, ovens, dishwashers, washing machines and dryers, air conditioners and, yes, the vacuum cleaner.

Check Point Software uncovered a flaw that it helpfully dubbed HomeHack, which exposed millions of users of LG SmartThinQ devices to the risk of unauthorized remote control. The issue exists in the LG SmartThinQ mobile app and cloud application, allowing hackers to remotely log in, take over the user’s legitimate LG account, and gain control of, say, the vacuum cleaner and its integrated video camera. Once in control of a specific user’s LG account, any LG device or appliance associated with that account could be controlled by the attacker.

Clearly, bad actors can spy on users’ home activities via the video camera, which sends live video to the associated LG SmartThinQ app as part of its HomeGuard Security feature. Attackers could also switch things like dishwashers or washing machines on and off.

“As more and more smart devices are being used in the home, hackers will shift their focus from targeting individual devices, to hacking the apps that control networks of devices,” said Oded Vanunu, head of products vulnerability research at Check Point. “This provides cyber-criminals with even more opportunities to exploit software flaws, cause disruption in users’ homes and access their sensitive data. Users need to be aware of the security and privacy risks when using their IoT devices and it’s essential that IoT manufacturers focus on protecting smart devices against attacks by implementing robust security during the design of software and devices.”

LG has patched the reported issues, so users should update their apps immediately.

“As part of LG Electronics’ mission to enhance the lives of consumers worldwide, we are expanding our next-generation smart-home appliance lineup, while also prioritizing the development of safe and reliable software programs,” said Koonseok Lee, manager of Smart Development Team, Smart Solution BD, LG. “Effective September 29th, the security system has been running the updated 1.9.20 version smoothly and issue-free. LG Electronics plans to continue strengthening its software security systems as well as work with cybersecurity solution providers like Check Point to provide safer and more convenient appliances.”
