To control your washing machine, LG's app asks for permission to use your phone's camera, microphone, and contacts — and to track your location even when you're not using the app. A washing machine needs none of these. LG uses the same app for all its smart products, so your laundry app carries the same permissions as a smart TV app. LG's washing machine app contains 14 tracking tools, including Google's advertising network (AdMob) and marketing platforms from Facebook, Salesforce, and Adobe. When asked directly whether they sell your data, LG's answer is deliberately unclear. A privacy watchdog gave the app a 'Warning' rating for these practices.
What they claim: The LG ThinQ app requests CAMERA, RECORD_AUDIO, READ_CONTACTS, WRITE_CONTACTS, and ACCESS_BACKGROUND_LOCATION permissions — capabilities that have no relationship to operating a washing machine.
What we found: Layer A (App): LG ThinQ app (com.lgeha.nuts v4.1.28110) requests 39 permissions including CAMERA, RECORD_AUDIO, READ_CONTACTS, WRITE_CONTACTS, ACCESS_BACKGROUND_LOCATION, and ACCESS_FINE_LOCATION. Layer B (Firmware): The LG Smart Washer (WM4000HWA) is a washing machine with a Wi-Fi module (BEJLGSWFAC71) for remote start/stop and cycle monitoring. A washing machine has no camera, no microphone, no reason to access contacts, and no reason to track location in the background. These permissions exist because LG uses one app (com.lgeha.nuts) for ALL products including smart TVs with cameras — so a washing machine inherits TV-grade surveillance permissions.
What they claim: LG claims all access permissions are optional and the app works without them, but the app requests ACCESS_BACKGROUND_LOCATION and FOREGROUND_SERVICE_LOCATION — persistent location tracking capabilities that go far beyond optional convenience.
What we found: Layer A (Policy): LG's help page states: 'All the access permissions requested are optional access permission, so even if you do not allow them, you can still use the app except for the related services.' Layer B (App): The app requests ACCESS_BACKGROUND_LOCATION (tracks location when the app is not in use), ACCESS_FINE_LOCATION (GPS-precise location), ACCESS_COARSE_LOCATION, and FOREGROUND_SERVICE_LOCATION. Users on devRant report that the app requires location information or it will not start. Background location tracking from a washing machine app enables detailed household occupancy profiling.
What they claim: The Smart Diagnosis feature uses the phone's microphone to record and transmit audio of the washer's sounds to LG servers, but the privacy policy does not adequately disclose this audio data collection from an appliance context.
What we found: Layer A (Firmware): Smart Diagnosis uses the phone's microphone to listen to the washer's operating sounds and transmit audio data to LG's servers for fault analysis. The app requests RECORD_AUDIO and MODIFY_AUDIO_SETTINGS permissions. Layer B (Regulatory): LG's US Privacy Center mentions 'Smart Diagnosis audio data (microphone recordings of appliance sounds)' but frames it as a diagnostic feature. The CCPA disclosure does not specify how long audio recordings are retained, whether they capture ambient household sounds beyond washer noise, or whether this audio data is used for any purpose beyond diagnosis.
What they claim: The LG ThinQ app requests READ_CONTACTS and WRITE_CONTACTS for a washing machine, with no adequate privacy disclosure about why an appliance app needs access to the user's address book.
What we found: Layer A (App): The app requests READ_CONTACTS (read the user's contacts) and WRITE_CONTACTS (modify the user's contacts). LG states the contacts permission is for 'contacting the LG Service Center' — but this can be done with a simple phone number link, not full address book access. Layer B (Regulatory): LG's CCPA disclosure does not specifically address what contact data is collected through the ThinQ app or how address book data is used. The app also includes Facebook Login and Facebook Share trackers, which historically have used contact access for social graph building.
What they claim: The Proactive Customer Care feature enables continuous monitoring and data collection from the washer, revealing household occupancy patterns (laundry frequency reveals when people are home, household size, vacation periods), but this surveillance capability is marketed as a convenience feature.
What we found: Layer A (Firmware): ThinQ cloud connectivity enables Proactive Customer Care — continuous health monitoring of appliance components that runs in the background. Usage patterns (cycle types, frequency, duration, settings) are transmitted to LG servers. Energy consumption data is collected. Layer B (Regulatory): LG's CCPA disclosure mentions collection of 'appliance usage data (cycle types, frequency, duration, settings)' and 'energy consumption data.' This continuous data stream reveals: when occupants are home (laundry happens when people are present), household size (laundry frequency correlates with number of residents), vacation periods (no laundry = nobody home), and daily routines.
What they claim: The CVE-2023-44121 intent redirection vulnerability in LG ThinQ Service, which runs as a system app, could allow any installed app to access unexported activities across all apps on the device, compounding the risk of the washing machine app's extensive permissions.
What we found: Layer A (Firmware): CVE-2023-44121 is an intent redirection vulnerability in LG ThinQ Service (com.lge.lms2), which runs as a system app with android:sharedUserId='android.uid.system'. A third-party app can send a broadcast to redirect intents to arbitrary unexported activities of any installed app. The vulnerability has a CVSS score of 6.3 and affects Android 9.0-13.0. Layer B (App): The ThinQ app's 39 permissions — including CAMERA, RECORD_AUDIO, READ_CONTACTS, ACCESS_BACKGROUND_LOCATION — become attack surface when combined with system-level vulnerabilities. An attacker exploiting CVE-2023-44121 could leverage these permissions through the compromised ThinQ service.
What they claim: The LG ThinQ app embeds 14 advertising and analytics trackers including Google AdMob (an ad network) in an appliance control app, while LG's privacy policy is deliberately vague about whether user data is sold.
What we found: Layer A (App): Exodus Privacy report identifies 14 trackers in LG ThinQ: Adobe Experience Cloud, AltBeacon, Braze, Dynatrace, Facebook Analytics, Facebook Login, Facebook Share, Google AdMob, Google CrashLytics, Google Firebase Analytics, Keen, mParticle, Salesforce Marketing Cloud, and Treasure Data. Google AdMob is specifically an ad-serving network. Layer B (Regulatory): Common Sense Media rates LG ThinQ with a 'Warning' label. Their evaluation found that whether personal information is 'sold or rented to third parties' remains 'unclear' — LG's policy language is deliberately vague on this point. The presence of AdMob (an ad network) and mParticle (a customer data platform) strongly suggests data monetisation.
What they claim: The LG ThinQ app requests AD_ID and ACCESS_ADSERVICES_ATTRIBUTION — advertising tracking permissions — for controlling a washing machine, revealing that the app's purpose extends beyond appliance control to advertising data collection.
What we found: Layer A (App): The app requests AD_ID (advertising identifier) and ACCESS_ADSERVICES_ATTRIBUTION (advertising services attribution tracking). These are specifically designed for tracking users across apps for advertising purposes. Layer B (Firmware): The LG Smart Washer's firmware capabilities are limited to Wi-Fi connectivity for remote control, cycle monitoring, and diagnostics. There is no legitimate appliance-control reason to track advertising identifiers. The combination with the Google AdMob tracker confirms the app monetises user data through advertising.
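The Layer A / Layer B comparison used in the findings above (permissions the app requests versus what the appliance can actually do) can be run mechanically over a decoded AndroidManifest.xml. The following is an added example, not part of the original report and not LG's code; the manifest excerpt is constructed from permission names cited in this report, and the capability grouping, the INTERNET entry and the WASHER profile are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: only permissions named in this report (not all 39),
# plus INTERNET, which is assumed here for a Wi-Fi appliance app.
SAMPLE_PERMS = [
    "android.permission.INTERNET", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.MODIFY_AUDIO_SETTINGS",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.FOREGROUND_SERVICE_LOCATION",
    "com.google.android.gms.permission.AD_ID",
    "android.permission.ACCESS_ADSERVICES_ATTRIBUTION",
]
MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.lgeha.nuts">'
    + "".join(f'<uses-permission android:name="{p}"/>' for p in SAMPLE_PERMS)
    + "</manifest>"
)

# Capability each permission exercises (grouping chosen for this example).
CAPABILITY = {
    "network": ["INTERNET"],
    "camera": ["CAMERA"],
    "microphone": ["RECORD_AUDIO", "MODIFY_AUDIO_SETTINGS"],
    "contacts": ["READ_CONTACTS", "WRITE_CONTACTS"],
    "location": ["ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"],
    "background-location": ["ACCESS_BACKGROUND_LOCATION", "FOREGROUND_SERVICE_LOCATION"],
    "advertising": ["AD_ID", "ACCESS_ADSERVICES_ATTRIBUTION"],
}
PERM_TO_CAP = {p: cap for cap, perms in CAPABILITY.items() for p in perms}

def requested_permissions(manifest_xml):
    """Short names of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
            for el in root.iter("uses-permission")]

def unjustified(manifest_xml, device_capabilities):
    """Group requested permissions the device profile gives no reason for."""
    findings = {}
    for perm in requested_permissions(manifest_xml):
        cap = PERM_TO_CAP.get(perm, "unclassified")  # unknown -> manual review
        if cap not in device_capabilities:
            findings.setdefault(cap, []).append(perm)
    return findings

# Hypothetical profile for the washer: Wi-Fi remote control and monitoring only.
WASHER = {"network"}
```

Calling unjustified(MANIFEST, WASHER | {"microphone"}) models a user who opts in to Smart Diagnosis: the audio permissions drop out of the findings while camera, contacts, location and advertising remain.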
What they claim: LG collects data from third-party data brokers and marketing companies to build profiles of washing machine users, going far beyond appliance functionality.
What we found: Layer A (Policy): LG's CCPA disclosure states it 'collects information from data brokers and marketing companies to understand user interests' and uses this to 'deliver tailored services and advertising, including aggregated information about lifestyle or purchase patterns of demographic groups.' Layer B (Regulatory): Common Sense Media found that 'data profiles are created for personalised advertisements' and 'third parties collect data for their own purposes.' LG is not just collecting data from its washer — it is enriching washer user profiles with purchased third-party data about their lifestyles and purchases.
What they claim: The HomeHack vulnerability (2017) exposed approximately 1 million LG smart appliances including washing machines to complete account takeover, demonstrating that cloud-dependent design creates catastrophic security risks for devices that previously required no internet connection.
What we found: Layer A (Firmware): Check Point Research disclosed the HomeHack vulnerability in the LG SmartThinQ platform (October 2017). A critical authentication bypass allowed attackers to take over any LG account using only the victim's email address, gaining full control of all connected appliances — starting/stopping washing machines, changing cycle settings, monitoring usage patterns. Approximately 1 million devices were affected. Layer B (Policy): LG markets ThinQ connectivity as a convenience feature ("remote start, cycle monitoring, smart diagnosis") without disclosing that this cloud dependency means a single security flaw could give attackers control of all household appliances simultaneously.