Update your LG TV now, or let hackers root it. But is Bitdefender overhyping the issue?

4×CVE=RCE or Merely CE?

What’s the craic? Bill Toulas reports: LG Smart TVs may be exposed to remote attacks

“Check for Update”
The flaws enable varying degrees of unauthorized access and control over affected models, including authorization bypasses, privilege escalation, and command injection. … Over 90,000 LG Smart TVs may be exposed to remote attacks.
…
Impacted users should apply the update by going to the TV’s Settings > Support > Software Update, and selecting “Check for Update.” … Though TVs are less critical in terms of security, the severity of remote command execution remains potentially significant in this case—as it could give attackers a pivot point to reach … more sensitive devices connected to the same network.

It could? Anthony Spadafora tells us what to do now:

“Drop malware”
As our TVs are often in the center of our households and now contain plenty of our personal and financial data, they will likely become a target for hackers just like our phones and computers. [The] vulnerabilities … could allow an attacker to add themselves as a user and gain root access to your TV. From there, they could use command injection to drop dangerous malware, snoop on the traffic coming and going from your TV and even move laterally across your home network.
…
CVE-2023-6319 … allows commands to be injected into webOS by manipulating a library used to show music lyrics. Of the four flaws discovered by Bitdefender, … this one is the most concerning since it could be used to drop malware onto a vulnerable LG TV. … The most important thing you can do to keep your smart TV safe from hackers is to keep it regularly updated. … Cybercriminals often target devices that aren’t running the latest software, which is why it’s so important to keep your devices updated, even if frequently installing the latest updates and patches can get annoying.

Horse’s mouth? The aforementioned anonymous defenders of bits: Vulnerabilities Identified in LG WebOS

“Root”
We have found several issues affecting WebOS versions 4 through 7 running on LG TVs. These vulnerabilities let us gain root access on the TV after bypassing the authorization mechanism.
…
By setting a variable, the attacker can add an extra user to the TV set (CVE-2023-6317). Another vulnerability allows attackers to elevate the access they gained in the first step to root and fully take over the device (CVE-2023-6318). A third vulnerability (CVE-2023-6319) allows operating system command injection by manipulating a library. … The CVE-2023-6320 vulnerability lets an attacker inject authenticated commands by manipulating [an] API endpoint.

OK, got it. Patch now. And markgo has some extra advice:

Don’t hook your TV to the Internet. Ever.
…
TV manufacturers will never pay for proper security. Theirs is a low margin business and once the TV is sold, they aren’t going to spend any money to support it. Of course, they’ll still make money—by selling your viewing data and advertising.

It’s a trap! So says u/robot_:

Sounds like a trick to get me to reconnect it to the internet. Once I saw ads on my expensive ass OLED TV, I knew it was time to disconnect it from the network forever and let an AppleTV run the apps. I can’t believe anyone finds ads on a device they paid for acceptable.

But if you don’t connect it to the internet, how will it get updates? Kevin McMurtrie knows what to do:

You plug it in periodically, in the hopes that someday LG will fix bugs in HDMI/eARC or the video processors.

In fact, LG is pretty good about offline updates. As malor points out:

You can update LG OLEDs through USB, which is what I’ve been doing. The performance of my C2, as driven by my PC, has improved substantially with updates. The actual user-visible behavior hasn’t changed that I can see, but … I just use it as a dumb screen with no network. If they’ve done anything evil, … I would have no way to know.

Wait. Pause. Sloth doesn’t believe the hype:

Unless you have specifically added a port … forward on your router/firewall, this is a complete non-issue.

Meanwhile, here’s ecofeco’s simple summary:

Smart TVs: Dumb idea.

And Finally:

Pete should have many more subs than this

Hat tip: PhosphorBurnedEyes

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Noah Buscher (via Unsplash; leveled and cropped)