It doesn’t take long for security research into IoT vulnerabilities to swerve into creepy territory. As more internet-capable home appliances with built-in cameras, microphones and sensors replace legacy appliances, the potential for exploitable security flaws that might be used for incredibly invasive privacy violations dramatically increases.
The latest such finding comes via an examination conducted by researchers at Tel Aviv-based security firm Check Point Software into South Korean multinational firm LG’s SmartThinQ range of connected devices. These include washing machines, dryers, refrigerators, dishwashers and vacuum cleaners that can be controlled via a web application.
Why someone might need a Wi-Fi connected vacuum robot remains an open question, but LG has created three versions of the Hom-Bot, which sell for $700 and up.
LG also markets the Hom-Bot as a security device. An onboard camera doubles as a motion detector, sending alerts via the web app to its owner.
Check Point, however, found a vulnerability in an LG portal login process that allowed its researchers to take control of the Hom-Bot and its camera, giving them access to live-stream video from inside a home. A demonstration video kicks off with a peppy ukulele number that quickly turns dark when Hom-Bot begins creeping around a house and an office and capturing surreptitious video.
“This camera, in the case of account takeover, would allow the attacker to spy on the victim’s home with no way of them knowing, with all the obvious negative consequences of invasion of privacy and personal security violation,” Check Point researchers say in a blog post.
A spokeswoman for LG says it fixed the vulnerability on Sept. 29. She adds that LG launched a security program with Check Point earlier this year designed to find security issues within its IoT products.
“We are expanding our next-generation smart appliance lineup and prioritizing the development of safe and reliable software,” she says. “Strengthening our software security system is a top priority at LG, and partnering with cybersecurity solution experts such as Check Point will be part of our strategy.”
Debugging a Vacuum
The IOT vacuum vulnerability wasn’t necessarily easy to find. Check Point did a comprehensive, under-the-hood examination of the Hom-Bot’s code and how it communicates with SmartThinQ, LG’s mobile application for its web-connected appliances.
To its credit, LG had built-in protections to try to blunt any such code autopsies. The SmartThinQ application was designed to stop running if it detected it was running on a “rooted” Android phone, referring to any device that’s been modified by a third party who wants to gain high-level access to the innards of its operating system.
By rooting the Android device, Check Point researchers say they were able to obtain a copy of the SmartThinQ application, via an Android debug bridge tool, and eventually to decompile it. To evade the root protections, Check Point removed the functions that would cause SmartThinQ to defend itself by shutting down, and then recompiled this protection-free version of the application for study.
Next up for analysis was the application’s traffic with the Hom-Bot. Again, Check Point says that LG practiced good security. LG uses SSL pinning, which is designed to avoid man-in-the-middle snooping by taking extra steps to sure that an application is only communicating with an authorized server.
To inspect the traffic, Check Point removed the SSL pinning feature from the code. Again, however, these aren’t trivial steps, but they remain entirely feasible for any advanced attacker.
After neutering LG’s code of its root and SSL pinning protections, Check Point says it quickly spotted an authentication problem: LG’s infrastructure allowed anyone with knowledge of a specific username to gain access to that account, allowing them to remotely activate and access a vacuum’s real-time video stream.
Check Point explains how it works. First, an attacker creates a SmartThinQ account. After logging into the account, the attacker changes the username to the victim’s username, which generates a token that allows an attacker to access the account.
Check Point doesn’t specify how a victim’s username could be obtained, but that information tends to not be random. Like passwords, many users reuse usernames across different web services. In theory, an attacker could also craft a malicious email to trick a target into sharing their SmartThinQ account username.
The flaw in SmartThinQ app has now been patched. Check Point says it informed LG of the vulnerability on July 31 and that LG “responded responsibly.”
How to Get Patched
All SmartThinQ users should follow these two steps to get the latest updates, Check Point researchers say:
- Update app: “Update LG SmartThinQ app to the latest version (V1.9.23), you can update the app via Google play store, Apple’s App Store or via LG SmartThinQ app settings.”
- Update devices: “Update your [LG] smart home physical devices with the latest version, you can do that by clicking on the smart home product under SmartThinQ application dashboard (if an update is available you will get a popup alerting you).”