Smart? Don't ThinQ so! Hacked robo-vacuum could spy on your home

Security researchers dismantle LG's IoT appliance range


LG SmartThinQ smart home devices were totally hackable prior to a recent security update, according to new research.

The so-called HomeHack vulnerabilities in LG's SmartThinQ mobile app and cloud application created a means for hackers to remotely log into the SmartThinQ cloud application and take over the user's LG account, Check Point security boffins said.

Once in control of an account, any LG device or appliance associated with that account could be controlled by the attacker – including a robot vacuum cleaner, refrigerators, ovens, dishwashers, washing machines and dryers, and air conditioners. Devices could be switched on and off, settings changed and more.

IoT hackers might be able to gain control of the LG Hom-Bot vacuum cleaner's video camera. The technology streams live video to an associated LG SmartThinQ smartphone app as part of its HomeGuard Security feature. Hacking the system therefore creates a spying risk (as demonstrated below).

[Embedded YouTube video]

The vulnerabilities in the SmartThinQ mobile app allowed researchers to create a fake LG account and then use it to take over a user's legitimate LG account, and in turn gain remote control of the user's smart LG appliances. Check Point disclosed the vulnerability on July 31. LG fixed the reported issues at the end of September.

Koonseok Lee, manager of smart development team at LG Electronics, said: "In August, LG Electronics teamed with Check Point Software Technologies to run an advanced rooting process designed to detect security issues and immediately began updating patch programs. Effective September 29 the security system has been running the updated 1.9.20 version smoothly and issue-free. LG Electronics plans to continue strengthening its software security systems as well as work with cyber-security solution providers like Check Point to provide safer and more convenient appliances."

Users of the LG SmartThinQ mobile app and appliances should ensure they have updated to the latest software versions from the LG website. To address the specific vulnerability identified by Check Point, users should update their LG SmartThinQ app to the latest version (1.9.23), either via the Google Play Store, Apple's App Store or the LG SmartThinQ app settings.

LG's range of smart appliances and safety solutions allows users to monitor and maintain their homes from a smartphone. Sales of the Hom-Bot robotic vacuum cleaner alone exceeded 400,000 in the first half of 2016. In 2016, 80 million smart home devices were shipped worldwide, a 64 per cent increase on the year before. ®


Biting the hand that feeds IT © 1998–2022