Vacuum cleaners can also spy on you (if connected)

A loophole made it possible to take control of any connected object from the manufacturer LG. In particular, it allowed the use of a robot vacuum cleaner to film the interior of a house.

Are you a fan of robot vacuum cleaners? These devices are certainly efficient, but the fact that they are connected and packed with sensors creates a risk to our privacy. Check Point researchers have just disclosed a flaw, dubbed HomeHack, that allowed an attacker to remotely control an LG Hom-Bot vacuum cleaner and spy on the user through its built-in camera. To prove it, the researchers recorded a demonstration video.

Now patched, this flaw had a much broader impact, because it affected LG's entire range of connected devices: vacuum cleaners, refrigerators, ovens, washing machines, dryers, air conditioners and so on. Millions of users were potentially exposed. The problem actually lay in LG's SmartThinQ mobile application. Available on Android and iOS, it lets the user log into their LG account and access the control functions of their connected device(s).

Unfortunately, the authentication procedure was not correctly implemented. After creating their own LG account, the researchers set up a man-in-the-middle proxy to intercept the app's requests and replace their own identifiers with those of another user. And presto: they were logged into a third party's account. To get there, however, they first had to decompile the Android application and remove two safeguards the manufacturer had put in place. The first prevented the app from running on a rooted smartphone; the second blocked man-in-the-middle interception by verifying the authenticity of the HTTPS certificate ("certificate pinning").
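The weakness described above, a backend that accepts a user identifier from the request instead of deriving it from the authenticated session, is shown below as an added example; it is not LG's SmartThinQ code, and the account names, tokens, device lists and log lines are all constructed for the illustration. The vulnerable handler sits beside a hardened one, and a small log check shows how a defender can spot the mismatches such tampering produces.

```python
"""Vulnerable vs. hardened handling of the account a request acts on.

Added example, not code from LG or Check Point. The session store, device
registry, handler names and sample log are constructed for this illustration.
"""

# Constructed session store: session token -> account the token was issued to.
SESSIONS = {
    "tok-alice": "alice@example.com",
    "tok-bob": "bob@example.com",
}

# Constructed device registry: account -> devices bound to that account.
DEVICES = {
    "alice@example.com": ["hombot-1"],
    "bob@example.com": ["hombot-2", "fridge-1"],
}


def account_for_token(token):
    """Resolve a session token to its account, or None if the token is unknown."""
    return SESSIONS.get(token)


def list_devices_vulnerable(token, body):
    """Weak pattern: the session is only checked for validity, while the account
    whose devices are returned comes from the request body. Swapping that field
    in transit (as the researchers did) exposes another user's devices."""
    if account_for_token(token) is None:
        raise PermissionError("invalid session")
    return DEVICES.get(body["account"], [])


def list_devices_hardened(token, body):
    """Fixed pattern: the account is taken from the server-side session only.
    If the client also sends an account field, it is cross-checked and any
    mismatch is refused rather than trusted."""
    owner = account_for_token(token)
    if owner is None:
        raise PermissionError("invalid session")
    claimed = body.get("account")
    if claimed is not None and claimed != owner:
        raise PermissionError("account in request does not match session")
    return DEVICES.get(owner, [])


def find_mismatched_requests(log_lines):
    """Detection helper: scan constructed access-log lines of the form
    'token=<tok> account=<acct>' and return the tokens whose session owner
    differs from the account named in the request. A non-empty result is a
    strong signal that requests are being tampered with in transit."""
    suspicious = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        owner = account_for_token(fields.get("token", ""))
        claimed = fields.get("account")
        if owner is not None and claimed is not None and claimed != owner:
            suspicious.append(fields["token"])
    return suspicious


if __name__ == "__main__":
    # A tampered request: Alice's valid session, Bob's account in the body.
    tampered = {"account": "bob@example.com"}
    print("vulnerable:", list_devices_vulnerable("tok-alice", tampered))
    try:
        list_devices_hardened("tok-alice", tampered)
    except PermissionError as exc:
        print("hardened refused:", exc)
```

The hardened handler does not merely compare the two fields; the point is that the body field is never used to select data at all, so even a request that omits it still resolves correctly from the session. The mismatch check exists only to surface tampering attempts to logging and alerting.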

Check Point discovered the flaw last July, and LG released a patch in September. If you use LG connected devices, make sure you are running the latest version of the mobile application (1.9.23). It is also advisable to update the firmware of the devices themselves, which you can do directly from the application's dashboard.