How to root your LG TV (If you live in Italy)
This post should have been written at least three years ago, but here we are.
At the end of 2021, while stuck at home with COVID and confined within my four walls, I was watching YouTube videos while my mom had the TV tuned to the Italian channel Canale 5.
What caught my attention was that even though Italy was still broadcasting in low-quality SD (580p) in 2022, a banner on the screen appeared to be rendered at a much higher resolution. Even stranger: during the entire previous week of isolation, that banner never showed up.
The only difference? This time, the TV was connected to my phone’s hotspot.
The Curiosity Spark
I started inspecting the Grande Fratello (Big Brother) banner. With a very janky setup, I:
- Fired up my phone’s USB hotspot.
- Connected my laptop to that.
- Created a Wi-Fi hotspot on the laptop and connected the TV to it.
- Started sniffing traffic with Wireshark.
Once the TV tuned to the correct station, I saw that:
- DNS queries were made to Mediaset’s servers.
- Subsequent requests were plain old HTTP (yep, no HTTPS).
- Among the resources fetched? .class files. Yes, .class files, in plain HTTP.
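The observation above (a TV pulling executable .class files over unencrypted HTTP) is exactly the kind of thing a home or lab network monitor should flag. The following is an added example, not code from the original post: a small detector that parses a constructed request log and reports every plaintext HTTP fetch of Java bytecode (.class or .jar). The log format, host names and IP addresses are all assumptions made up for this example; in practice the lines would come from a capture export such as tshark's field output.

```python
"""Flag plaintext HTTP fetches of Java bytecode by devices on the LAN.

Hypothetical log format (constructed for this example, not Wireshark output):
    <timestamp> <src_ip> -> <dst_host> <method> <full_url>
"""
import re
from urllib.parse import urlparse

# Constructed sample lines; the hosts use the reserved .invalid TLD on purpose.
SAMPLE_LOG = """\
2021-12-20T21:03:11 192.168.43.17 -> broadcaster.example.invalid GET http://broadcaster.example.invalid/mhp/app/Main.class
2021-12-20T21:03:11 192.168.43.17 -> broadcaster.example.invalid GET http://broadcaster.example.invalid/mhp/app/banner.png
2021-12-20T21:03:12 192.168.43.17 -> broadcaster.example.invalid GET http://broadcaster.example.invalid/mhp/app/Util.class
2021-12-20T21:03:13 192.168.43.17 -> updates.example.invalid GET https://updates.example.invalid/fw/Loader.class
2021-12-20T21:03:14 192.168.43.17 -> cdn.example.invalid GET http://cdn.example.invalid/lib/app.jar
2021-12-20T21:03:15 192.168.43.17 -> cdn.example.invalid GET http://cdn.example.invalid/lib/app.jar?v=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)

# Resource types that should never arrive over a plaintext channel:
# the TV will load and run these as code.
CODE_EXTENSIONS = (".class", ".jar")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parsed = urlparse(rec["url"])
    rec["scheme"] = parsed.scheme.lower()
    rec["path"] = parsed.path  # query string is dropped so "app.jar?v=2" still matches
    return rec


def is_plaintext_code_fetch(rec):
    """True when bytecode is fetched over http:// (no TLS, so it can be swapped in transit)."""
    return rec["scheme"] == "http" and rec["path"].lower().endswith(CODE_EXTENSIONS)


def find_plaintext_code_fetches(log_text):
    """Return (src_ip, url) pairs for every plaintext bytecode download in the log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_plaintext_code_fetch(rec):
            findings.append((rec["src"], rec["url"]))
    return findings


def summarize_by_source(findings):
    """Group flagged URLs by the device that requested them."""
    by_src = {}
    for src, url in findings:
        by_src.setdefault(src, []).append(url)
    return by_src


if __name__ == "__main__":
    for src, urls in summarize_by_source(find_plaintext_code_fetches(SAMPLE_LOG)).items():
        print(f"{src} fetched {len(urls)} bytecode file(s) over plaintext HTTP:")
        for url in urls:
            print(f"  {url}")
```

The check deliberately keys on the URL path rather than the Content-Type header, because a server that serves bytecode over plain HTTP is not a server whose headers should be trusted; it also ignores the query string, so cache-busting parameters do not hide a download. The https:// fetch of Loader.class is intentionally not flagged: TLS is what stops a hotspot, a laptop or any other hop in the path from substituting the file, which is the whole point of the finding on this page.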
The TV
Some quick context on the victim device: it is an LG 43UF6407 TV running the webOS 2.0 operating system. This TV does not support HbbTV, but it does support MHP, a protocol used only in Italy and a few other countries, in its DVB-T form.
The Exploit
So I inspected and reversed some of those .class files, then patched one to execute arbitrary commands.
Steps I took:
- Hosted my patched .class file.
- Changed DNS records on my laptop.
- Fired up a local web server.
When the TV booted and tuned to the channel, it fetched my resources and executed the command inside the .class file:
curl http://mylaptop.lan/pwned
I immediately saw the request on my laptop — confirming remote code execution. Next, I swapped the payload to start a telnet daemon:
telnetd -l /bin/sh -F
The Surprise
Upon connecting to the telnet endpoint, I wanted to attempt privilege escalation. The surprise?
I was already root.
So this protocol already executes untrusted code in a JVM sandbox. The LG implementation even contains the exec API (which is not even required by the MHP standard).
And they also executed everything as root.
Bigger Picture: The MHP Problem
Here’s the scarier part.
The MHP standard (Multimedia Home Platform) — the thing that makes all this possible — is used by tons of TVs in Italy.
The first .class file is actually sent nationwide through DVB-T broadcasts.
Could this mean that a malicious attacker with a rogue DVB-T transmitter could broadcast a malicious .class file to any nearby TVs?
Actually, the MHP protocol has some kind of signature checking to determine API privileges, but I could not verify how the TV would react under those more restricted circumstances, since I own neither a DVB-T transmitter nor a Faraday cage to avoid getting in trouble.
Aftermath
So, all in all, this was a cool vulnerability that could be explored further. In the meantime, with root access, I installed the alternative app store on my TV using my own method. And that’s how the Grande Fratello banner led me to owning an LG TV.
Responsible Disclosure
This vulnerability has been reported to LG, which assessed the problem but did not fix it, since it only affects devices released up to 2016.