Security News

Bitdefender researchers have uncovered four vulnerabilities in webOS, the operating system running on LG smart TVs, which may offer attackers unrestricted access to the devices. The number of potentially exploitable internet-connected devices is likely smaller, as LG has patched the vulnerabilities on March 22, 2023, and some of the users have either applied the updates or have set their TVs to perform updates automatically.

Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices.The findings come from Romanian cybersecurity firm Bitdefender, which discovered and reported the flaws in November 2023. The issues were fixed by LG as part of updates released on March 22, 2024.

Security researchers at Bitdefender have discovered four vulnerabilities impacting multiple versions of WebOS, the operating system used in LG smart TVs. The flaws enable varying degrees of unauthorized access and control over affected models, including authorization bypasses, privilege escalation, and command injection. The potential attacks hinge on the ability to create arbitrary accounts on the device using a service that runs on ports 3000/3001, which is available for smartphone connectivity, using a PIN. Bitdefender explains that although the vulnerable LG WebOS service is supposed to be used only in local area networks settings, Shodan internet scans show 91,000 exposed devices that are potentially vulnerable to the flaws.

Security researchers have pinned a DDoS botnet that's infected potentially millions of smart TVs and set-top boxes to an eight-year-old cybercrime syndicate called Bigpanzi. "The potential for Bigpanzi-controlled TVs and STBs to broadcast violent, terroristic, or pornographic content, or to employ increasingly convincing AI-generated videos for political propaganda, poses a significant threat to social order and stability," said researchers at Chinese security biz Qianxin.

Infosec in brief Bot defense software vendor Human Security last week detailed an attack that "Sold off-brand mobile and Connected TV devices on popular online retailers and resale sites preloaded with a known malware called Triada." Human named the campaign to infect and distribute the Android devices BADBOX. The infected devices were sold for under $50. Human's researchers found over 200 models with pre-installed malware, and when it went shopping for seven particular devices found that 80 percent of units were infected with BADBOX. Analysis of infected devices yielded intel on an ad fraud module Human's researchers named PEACHPIT. At its peak, PEACHPIT ran on a botnet spanning 121,000 devices a day on Android.

Two Android apps available on the Google Play store have been found to contain malware this week. Smart TV remote app packs 'Joker' malware.

Security researchers at Human Security have discovered a massive botnet of Android devices being used to conduct fraud in the connected TV advertising ecosystem. The sophisticated mobile botnet, dubbed Pareto, is made up on nearly a million infected mobile Android devices pretending to be millions of people watching ads on smart TVs and other devices.

The streaming box allows arbitrary code execution as root, paving the way to pilfering social-media tokens, passwords, messaging history and more. A critical bug in the Hindotech HK1 TV Box would allow root-privilege escalation thanks to improper access control.

Samsung brags to advertisers that "First screen ads", seen by all users of its Smart TVs when they turn on, are 100 per cent viewable, audience targeted, and seen 400 times per TV per month. "Dear Samsung, why are you showing Ads on my Smart TV without my consent? I didn't agree to this in the privacy settings but I keep on getting this, why?" said a user on Samsung's TV forum, adding last week that "There is no mention of advertising on any of their brand new boxes".

Researchers have uncovered the biggest connected-TV ad fraud operation they've ever seen, fueled with fake ad views seen by bogus eyeballs that actually belonged to a bot network they named ICEBUCKET. Bot-mitigation security firm White Ops said on Thursday that at its peak - January 2020 - the ICEBUCKET bot operation impersonated more than 2 million people in over 30 countries. ICEBUCKET also cooked up 300 publishers out of thin air, then stole advertising dollars by tricking advertisers into thinking there were real people on the other side of the screen.