LG TVs at risk from hackers spying on users — what to do now

If you thought protecting your smartphone and laptop from hackers was bad enough, a new report has revealed the types of vulnerabilities that can be hiding in the background of the best TVs.

According to a new blog post from Bitdefender, many of the best LG TVs running webOS versions 4 through 7 contained a number of vulnerabilities that, if exploited, could allow an attacker to add themselves as a user and gain root access to your TV. From there, they could use command injection to drop dangerous malware, snoop on the traffic coming and going from your TV and even move laterally across your home network.

It’s worth noting that Bitdefender was only able to gain unauthorized access to LG TVs connected via Ethernet. Still, the firm’s security researchers identified over 91,000 TVs with the vulnerable service in question exposed online by using Shodan, a search engine for internet-connected devices. While the majority of the vulnerable LG TVs were located in South Korea, Bitdefender found thousands in the U.S. and in other countries around the world.

Whether you own an LG TV yourself or one of the best smart TVs for streaming, here’s everything you need to know about these vulnerabilities, along with some steps you can take to ensure your TV isn’t taken over by hackers anytime soon.

From adding an extra user to taking over a TV

As it has its own smart home cybersecurity hub, Bitdefender routinely purchases and audits popular IoT hardware for vulnerabilities to help educate both businesses and consumers on the dangers connected devices can pose. This is exactly what the firm did with several LG TV models.

In doing so, its security researchers discovered a vulnerability (tracked as CVE-2023-6317) that an attacker could exploit to add an extra user to an LG TV. Bitdefender found that this new user could be granted elevated privileges by leveraging another flaw (tracked as CVE-2023-6318). According to Bitdefender, the first vulnerability has been confirmed to affect LG TVs running webOS versions 4.9.7, 5.5.0, 6.3.3-442 and 7.3.1-43.

Another vulnerability (tracked as CVE-2023-6319) was also discovered, which allows commands to be injected into webOS by manipulating a library used to show music lyrics. Of the four flaws discovered by Bitdefender’s security researchers, this one is the most concerning since it could be used to drop malware onto a vulnerable LG TV. The final flaw (tracked as CVE-2023-6320) allows an attacker to inject authenticated commands by manipulating an API endpoint.

Fortunately, Bitdefender found all of these flaws in November of last year, before an attacker could. The cybersecurity firm then reported them to LG, and the Korean hardware maker fixed all of them before Bitdefender released its report on the matter.

How to keep your smart TV safe from hackers

Just like with the best phones and best laptops, the most important thing you can do to keep your smart TV safe from hackers is to keep it regularly updated. Hackers and other cybercriminals often target devices that aren’t running the latest software, which is why it’s so important to keep your devices updated, even if frequently installing the latest updates and patches can get annoying. If you're having difficulties updating your own TV, here's a guide on how to update LG TV software.

From here, there are a few other things you can do to prevent your TV from falling victim to an attack. For starters, you want to ensure you’re using strong passwords with all of your online accounts. If you have trouble coming up with these on your own, you can always turn to one of the best password managers for help since they all contain password generators. Likewise, there are plenty of free password generators online, but they won’t securely store and autofill your passwords for you.

Since all of the internet traffic entering and leaving your home passes through one of the best Wi-Fi routers, you also want to keep your router up to date. Newer Wi-Fi routers come with their own apps, which make it very easy to download and install the latest updates. However, if you have an older router, you can always manually update it yourself.

As our TVs are often in the center of our households and now contain plenty of our personal and financial data, they will likely become a target for hackers just like our phones and computers. This is why you need to keep all of your devices updated and secured using strong passwords that you don’t reuse across multiple online accounts.

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
