By: Nicholas West | Activist Post
As people begin acquiring greater numbers of smart tech gadgets to manage their lives and homes, each one of these items is being revealed as an open invitation to be spied upon.
We’ve heard about vulnerabilities being exposed in children’s toys, baby monitors, smart TVs, smartphones and smart meters, to name a few. A look at the graphic below illustrates a potential reality for full-spectrum hacking that makes one episode from Mr. Robot not seem fantastical in the least.
Often it is not the software of the products themselves, but the third party apps and programs that also are used to operate these systems.
Tech giant LG is the latest to be alerted by private researchers of a major vulnerability that could have allowed hackers to take over their line of smart home products including all major appliances, air conditioners and even the camera embedded in smart vacuum cleaners that also supposedly serves as home security.
Motherboard reports how the flaw was discovered, as well as the stunning ease with which anyone could have gained remote access simply by using an e-mail address:
The flaw was found by researchers from Check Point in the user authentication process between the SmartThinQ mobile app and LG’s back-end platform. This application allows users to remotely control different functions of their appliances, including turning them on and off. For example, users can preheat their oven or start their AC unit before they get home, can check their smart refrigerator’s inventory before stopping by the supermarket or can see when their washing machine finished a cycle.
The flaw, which Check Point dubbed HomeHack, was privately reported to LG in July and was quietly patched at the end of September. It enabled attackers to easily hijack people’s SmartThinQ accounts and gain control over their linked devices by knowing only their email addresses.
To pull off the attack, hackers would have needed to modify LG’s app on their own device in order to disable some security checks and then manipulate the log-in process to use the victim’s username—their email address—instead of their own, the Check Point researchers said in a report released today. This process did not require the victim to click on anything, nor would it have alerted them of any suspicious activity.
The researchers’ video can be viewed below which offers up exactly what a hacker might see as they enter your home through a smart device:
Fortunately, it doesn’t appear that any actual hacks have taken place on the millions of smart devices that LG has sold, but it is a bit disconcerting that they were alerted many months ago and made a patch without notifying the public of possible intrusion.
One has to wonder how many other issues are being continuously discovered without our knowledge and what level of exposure is being purchased in the name of convenience and security. If we have learned anything thus far in the pursuit of an Internet of Things: the more problems we look for, the more we find.