Your vacuum cleaner can spy on you and send the video to hackers.

Sound like a science fiction horror story? 

It's reality in 2017.

Researchers at Check Point - one of the firms that brought firewalls to the mainstream in the early days of the commercialized Internet - discovered a vulnerability in the LG SmartThinQ app that accompanies the firm's smart devices. As can be seen in the video below, by exploiting that weakness, the researchers were able to force an LG Hom-Bot smart vacuum cleaner to relay a video feed from its camera to them.

The vulnerability apparently emanated from how SmartThinQ handled authentication and authorization of users - improperly connecting the authentication and authorization phases - effectively allowing the researchers to log in as themselves and then change their identities to those of other users when obtaining authorization "tokens" - that is, the tickets that allow users to access the device's video feed.
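The class of flaw described above, sketched as an added example (not LG's or Check Point's code): a hypothetical token service that lets the token request name the user, beside a version that takes the identity only from the authenticated session. All function names, accounts and the token format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed signing key
SESSIONS = {}                         # session id -> username proven at login
# Constructed accounts; plaintext passwords only to keep the sketch short.
USERS = {"alice@example.com": "pw-a", "bob@example.com": "pw-b"}

def login(username, password):
    """Authentication: returns a session id bound to the proven identity."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid

def _sign(username):
    mac = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{mac}"

def issue_token_vulnerable(sid, requested_username):
    """Authorization, broken: any valid session gets a token for whichever
    username the client puts in the request."""
    if sid not in SESSIONS:
        return None
    return _sign(requested_username)

def issue_token_fixed(sid, requested_username):
    """Authorization, fixed: the identity comes from the session, and a
    request naming a different user is refused."""
    authenticated = SESSIONS.get(sid)
    if authenticated is None or requested_username != authenticated:
        return None
    return _sign(authenticated)

def token_owner(token):
    """Device-side check: returns the username the token is valid for."""
    username, _, mac = token.rpartition("|")
    expected = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None
```

A server-side test that logs in as one account and requests a token for another should always get a refusal; a log entry where the session user and the token subject differ is the signal to alert on.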

What this means is that if you have a vulnerable app and use a Hom-Bot with it, anyone who knows your username - which is typically your email address - could potentially access your device's video feed or other data from the device.

Furthermore, besides creating a problem for Hom-Bot, the vulnerability may affect other LG smart devices that connect to the same app.

LG has already fixed the vulnerability, so, if you have any LG smart device and use SmartThinQ, make sure to download the latest version (1.9.23).

That said, this particular incident once again shows just how vulnerable people's privacy can become when they use smart devices. Even folks who properly configure devices can be at risk if the devices themselves - or any apps with which they communicate - suffer from weaknesses. I am quite certain that as Internet of Things technology continues to spread we will see many more similar cases. So, as always, make sure to weigh conveniences and risks before deploying any smart device.

Published on: Oct 28, 2017