A significant security flaw has been identified in LG’s WebOS platform, which powers their range of smart televisions. This vulnerability enables attackers connected to the same local network to bypass authentication protocols and gain complete control over the affected devices. The issue was brought to light during the TyphoonPWN 2025 hacking competition, where it earned first place for its severity and potential impact.
Understanding the Vulnerability
The root of this security concern lies within the `browser-service` component of LG’s WebOS. This service becomes active on port 18888 when a USB storage device is connected to the TV. It provides an API endpoint, `/getFile`, designed to allow peer devices to download files from specific directories on the television.
However, due to inadequate input validation on the `path` parameter, the service is susceptible to path traversal attacks. This oversight permits unauthorized users to request and download any file from the TV’s filesystem without the need for authentication.
Exploitation Process
By exploiting this path traversal flaw, an attacker can access sensitive system files. A primary target is the database file located at `/var/db/main/`, which contains authentication keys for clients that have previously paired with the TV’s `secondscreen.gateway` service.
With these keys in hand, the attacker can impersonate a legitimate client and connect to the `secondscreen` service, effectively bypassing all authentication checks. This connection grants them high-privilege access to the TV’s core functions.
Potential Consequences
Once authenticated to the `secondscreen` service, the attacker possesses the necessary privileges to enable developer mode on the device. This capability allows them to install any application, including malicious software designed to spy on the user, steal personal data, or enlist the TV as part of a botnet for coordinated cyberattacks.
A proof-of-concept has demonstrated how an attacker can leverage this access to execute arbitrary commands, effectively gaining root control and taking over the television. The entire exploitation process can be automated with a simple script, facilitating rapid attacks once initial access to the local network is achieved.
Mitigation Measures
In response to the disclosure of this vulnerability, LG has released a security advisory urging users to update their devices with the latest firmware to mitigate the threat. Users are advised to:
– Update Firmware: Ensure that the TV’s firmware is up to date. LG has released patches addressing this vulnerability, and applying these updates is crucial for security.
– Network Security: Limit the TV’s exposure to untrusted networks. Since the attack requires the attacker to be on the same local network, securing your home network with strong passwords and encryption can reduce the risk.
– Disable Unnecessary Services: If possible, disable services that are not in use, especially those that open network ports, to minimize potential attack vectors.
Broader Implications
This vulnerability underscores the importance of robust security measures in smart devices. As televisions and other household appliances become increasingly connected, they also become potential targets for cyberattacks. Manufacturers must prioritize security in their designs, and consumers should remain vigilant about updating and securing their devices.
Conclusion
The discovery of this critical vulnerability in LG’s WebOS TVs highlights the evolving landscape of cybersecurity threats in the realm of smart home devices. By staying informed and proactive, both manufacturers and consumers can work together to mitigate these risks and ensure a safer digital environment.
