Do you think that your LG home appliance is safe and secure and that there is no way it could be turned into a spy robot? Hackers disagree, and they have proofs of concept in the wild.
The bad news?
This proof of concept shows that hackers can remotely take control of LG's Hom-Bot, a camera-equipped robotic vacuum cleaner. Once taken over, the device gives an attacker the ability to spy on anything within the Hom-Bot's field of view.
Even worse, this vulnerability doesn't require the hacker and the targeted device to be on the same network.
The attack, called HomeHack, lies in the mobile app and cloud application used to control the Hom-Bot and other SmartThinQ home appliances, giving the attacker remote control of any appliance managed through the app.
Want To See It In Action?
The above video walks through what the researchers have demonstrated about the risks this vulnerability creates via the LG Hom-Bot. While over 1 million users have this device and application installed and in operation, the vulnerability appears to be not only available but widely used in the wild.
The issue is caused by the way the SmartThinQ app processes logins. Once a hacker gains access to the login (which generally requires only a medium level of skill and the target's email address), they have access to the account and every device associated with it.
Because the attack simply bypasses the login using the HomeHack flaw, the attacker does not need to be on the same logical network as the device. The usual, generally accepted IoT security tips, such as avoiding default credentials, using a strong password and updating the device's firmware when possible, also fail to thwart this vulnerability.
How Is This Done?
You may be asking yourself, how can this hack be done?
First and foremost, the hacker needs a rooted device, which is required to intercept traffic between the app and the LG server.
To thwart this, the LG app has a built-in anti-root mechanism that automatically closes the app if it detects that the smartphone is rooted, as well as SSL pinning, which restricts the possibility of intercepting traffic. You may wonder, then, how does this work? Check Point researchers said that hackers could first decompile the app, remove the functions that enable SSL pinning and the anti-root protections from the app's core code, then recompile the code and install the modified app on a rooted device. Simple enough, right?
Once this initial step has been completed, hackers can run the modified application on their smartphone and set up a proxy that allows them to intercept the application's traffic.
Check Point researchers analyzed the login process of the SmartThinQ application and found the following 4 steps: