Smart TV hack highlights risk of 'The Internet of Everything'

A smart TV is only as smart as the person controlling it. So if the person in control is a hacker, the owner could have a problem. Researchers at security consultancy ReVuln say some smart TVs are vulnerable to hacking.

It is another example of what experts say is the ever-expanding attack surface of devices that traditionally never faced the Internet, but are now "smart."

The researchers at the Malta-based company said they found a vulnerability in a number of smart TVs made by Samsung Electronics that gave them root access to the TV and any attached USB drives.

They posted a video titled "The TV is Watching You," which appears on a number of security vendor websites, including Kaspersky Lab's Threatpost. While there is no voiceover, the video shows the researchers accessing the TV settings and channel lists, SecureStorage accounts, widgets and their configurations, the history of USB movies, the ID, firmware, whole partitions and any attached USB drives.

They were also able to retrieve the drive image, mount it locally and check for information like usernames, passwords, financial documents, or any other type of material on USB drives.

Luigi Auriemma of ReVuln told the IDG News Service that hackers could even use the integrated webcam and microphone to watch the victim. And he said the vulnerability is not confined to the single model that ReVuln tested.

"The vulnerability affects multiple models and generations of the devices produced by this vendor, so not just a specific model as tested in our lab at ReVuln," the report said.

Samsung did not respond to a request for comment, but ReVuln emailed a statement saying there is no firmware update yet, "as the details regarding this vulnerability have not been shared with the vendor."

The statement added that ReVuln has only tested Samsung, but said: "We think that other brands of TV may be affected by similar issues."

James Arlen, senior security consultant with Leviathan Security Group and a hacking expert, said the TV is just one example of the "Internet of Things" and other non-computer resources in homes that amount to "a huge new attack surface."

"I recently counted the number of IP addresses in my house and came up with all kinds of new things that require Internet access - not just the computers, game systems, tablets and music players, but also the bathroom scale, the thermostat and more," he said. "Televisions are one of many, but also the most likely to have lots of interconnection possibilities."

He said the problem is not new, noting that, "printers got smarter and became a threat," and that the number of smart devices continues to expand.

Dan Frye, general manager of services at MAD Security, agrees. "A common way to get into enterprise networks is through printers attached to the corporate network. A TV on the corporate net is really the same thing," he said. "In essence, you've got a computer inside some device, whether it be a printer, a TV, a toaster, the Coke machine, etc., and that computer is just as vulnerable to attacks as a normal computer would be."

"Any new piece of technology that connects to the Internet is a probable attack surface," said Matt Johansen, WhiteHat Security threat research manager. "Look at the recent research by Barnaby Jack about insulin pumps and pacemakers."

"Who would have thought these devices would ever be susceptible to hackers?" Johansen said. "But if a hacker gets their hands on any device long enough, they'll figure out a way to break it. It was hotel door locks, slot machines in the past and it will be the smart toasters and refrigerators in the future."

Gary McGraw, CTO of Cigital, said most people don't think of their TV or other household devices as computers, but they are. "Your TV is just a computer with a monitor," he said. "And it knows a lot about you -- what you've watched, whether you were home at the time."

There is some disagreement over how much of a priority security is for devices that have only recently begun to face the Internet. "Focus on delivering the product to market means that the 'Ship It' award is more important than 'Is it Hackable?'" Arlen said.

Frye agrees that security standards for such devices are "immature." But he said vulnerabilities are found "everywhere, all the time, in products that certainly take security into account. Microsoft, Google, and Apple are all great examples."

McGraw said while the vulnerability discovered by ReVuln is real, he doesn't think Samsung is necessarily lax on security. "They make the most popular Android phone out there," he said. "So they are in the [security] wars."

To deal with the ongoing threats, both consumers and enterprises need to "control your exit path," Arlen said. "Most consumers are unaware of what traffic passes in or out of their primary systems, so they're going to be even more unaware of the traffic to and from devices that are 'furniture' rather than computers."

"More manufacturers across lots of industries need to employ or engage with the 'hacker-ish' community to solve the problems prior to the shipping of the product," he added.

Frye said that once products are released, manufacturers need to treat them like computers, and "have a way for people to report vulnerabilities and a way for patches to be deployed out to their consumers."

Samsung has begun treating smart devices like computers. "Samsung has actually taken a step in a great direction with a TV bug bounty program for researchers to submit bugs to receive a reward ($1,000), which has been useful for the likes of Google, Facebook, Mozilla, and even PayPal," Johansen said.

However, every computing device is potentially vulnerable, and with "The Internet of Everything" there will be more of them all the time. "This problem will only get worse as we integrate more things into our home networks," Frye said. "It's the TV now, but smart devices, smart meters for our power, the toaster, thermostat -- they're all at risk in the same way."
