Vacuum Cleaner can Clean and Spy

Monday, October 30, 2017 @ 02:10 PM gHale

A vulnerability in LG’s smart home infrastructure could allow attackers to take control of LG SmartThinQ home appliances, including dishwashers, refrigerators, microwaves, dryers, and robotic vacuum cleaners.

There are dangers of attackers being able to switch on or off certain devices.

Industrial Networks on Internet: Report
IT/OT Convergence, a SANS Focus
ARC-SANS: Security Education for Industry
ICSJWG: Putting Numbers Behind Risk

Check Point researchers showed how an attacker could turn LG’s Hom-Bot vacuum cleaner into a real-time spying device through its integrated video camera.

The company presents the Hom-Bot vacuum it as a hybrid between a vacuum cleaner and a watch guard, with HomeGuard security that can send out alerts when it detects movement. This function is designed to enable users to turn on the built-in video camera positioned on top of the Hom-Bot vacuum, which then provides a real-time video stream to the smartphone application.

However, this camera, in the case of account takeover, would allow the attacker to spy on the victim’s home, with no way of them knowing, with all the obvious negative consequences of invasion of privacy and personal security violation.

Click here to view a video on the spying vacuum.

To hack the vacuum, researchers disassembled the Hom-Bot to find the UART (Universal Asynchronous Receiver/Transmitter) connection. They found it, connected to it, and were able to manipulate it to the point of receive access to the filesystem.

“While debugging the main process, we looked for the code responsible for Hom-Bot’s communication with the SmartThinQ mobile application. This is when we had the idea to investigate the SmartThinQ application – leading to the discovery of the HomeHack vulnerability,” the researchers said in a blog post.

To delve into the SmartThinQ application and the backend platform, they installed the app on a rooted phone and employed debugging tools.

After bypassing the app’s anti-root and SSL pining mechanisms, they were able to intercept the application traffic. Then they created an LG account and logged into the application.

Reviewing the login process, researchers found there is no direct dependency between step 1 (authentication request that verifies user credentials) and later ones (2 and 3) that create a signature based on the username and use it to get the access token for the user account.

“This means that the attacker could use his username to pass step 1, and then change the username to the victim’s in steps 2 and 3. Step 4 would allow the attacker to complete the login process to the victim’s account,” the researchers said.

The researchers disclosed the vulnerability to LG on July 31, and LG responded by fixing the reported issues in the SmartThinQ application at the end of September.

Users of the LG SmartThinQ mobile app and LG’s smart appliances should update them to the latest app (v1.9.23) and software versions.

“As more and more smart devices are being used in the home, hackers will shift their focus from targeting individual devices, to hacking the apps that control networks of devices. This provides cyber criminals with even more opportunities to exploit software flaws, cause disruption in users’ homes and access their sensitive data,” said Oded Vanunu, head of products vulnerability research at Check Point in a post. “Users need to be aware of the security and privacy risks when using their IoT devices and it’s essential that IoT manufacturers focus on protecting smart devices against attacks by implementing robust security during the design of software and devices.”

To protect their devices, users of the LG SmartThinQ mobile app and appliances should ensure they are updated to the latest software versions from the LG website. Check Point also advises consumers to take the following steps to secure their smart devices and home Wi-Fi networks against intrusion and the possibility of remote device takeover:
• Update LG SmartThinQ app to the latest version (V1.9.23), you can update the app via Google play store, Apple’s App Store or via LG SmartThinQ app settings
• Update your Smart home physical devices with the latest version, you can do that by clicking on the smart home product under smartThinQ application Dashboard

Leave a Reply

You must be logged in to post a comment.