Samsung Smart TVs vulnerable to JavaScript hacking, researchers find

Security flaws in Skype app

The rise of Internet-connected Smart TVs could be exposing consumers to unexpected security threats thanks to a raft of vulnerabilities buried in their operating software, two researchers told the Black Hat conference last week.

According to Aaron Grattafiori and Josh Yavor of iSEC Partners, Smart TVs were open to a variety of compromises in the Linux platform, the WebKit-based browser running on top of it, and the bundled Internet apps.

These flaws could allow attackers to access any data generated by browsing activity and stored on the systems, as well as to manipulate webcams to conduct surveillance.

Integrated apps for systems such as Skype or Facebook were also obvious targets, which they demonstrated using a remote JavaScript code injection exploit to access a user's credentials.

Possibly the most extraordinary discovery was that text messages created within the Skype app were treated as code. This allowed them to send JavaScript that would be executed by the software, taking control of the application. Malicious JavaScript could also be buried invisibly on a website visited by the browser.
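
The class of flaw described above, where message text ends up interpreted as code, sketched as an added example (not code from the researchers, Samsung or Skype). The renderer functions and sample messages are hypothetical and constructed for illustration.

```javascript
// Hypothetical chat-message renderer for an app built on HTML and JavaScript.
// All names here are illustrative; none come from the Smart TV software.

// Unsafe: message text is concatenated straight into markup, so any tags
// it contains become part of the page and are parsed by the engine.
function renderMessageUnsafe(sender, text) {
  return '<li class="msg"><b>' + sender + '</b>: ' + text + '</li>';
}

// Encode the five characters that can change the HTML parsing context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: every untrusted field is encoded before it reaches the markup,
// so the message is displayed as text and never parsed as code.
function renderMessageSafe(sender, text) {
  return '<li class="msg"><b>' + escapeHtml(sender) + '</b>: ' + escapeHtml(text) + '</li>';
}

// Count element start tags in a rendered fragment.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// True when the message text added elements beyond the renderer's own
// template, i.e. the data was promoted to markup.
function introducesMarkup(render, sender, text) {
  return countTags(render(sender, text)) > countTags(render(sender, ''));
}

// Constructed sample messages: one ordinary, one carrying a script tag.
const samples = [
  ['alice', 'see you at 8 & bring snacks'],
  ['mallory', '<script>document.title = "changed"</script>'],
];

for (const [sender, text] of samples) {
  console.log(sender,
    'unsafe adds markup:', introducesMarkup(renderMessageUnsafe, sender, text),
    '| safe adds markup:', introducesMarkup(renderMessageSafe, sender, text));
}
```

In code that writes to the DOM directly, the equivalent fix is assigning message text through `textContent` rather than `innerHTML`.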

The attack was demonstrated against a Samsung Smart TV but could in principle be used against other makes of Smart TV as well, they said.

The problems are theoretical for now. Very few TVs yet contain enough data that would be useful to an attacker, let alone technology such as webcams to be hijacked. On the other hand, neither do Smart TVs (basically the entire TV market going forward) come with any form of security that could detect an attack if it did occur.

Meanwhile, the makers of Smart TVs aren't obviously geared up to patch software should such a thing ever be necessary. TVs can receive slow over-the-air (OTA) updates or more rapid Internet-based updates, but both options require the infrastructure to connect to possibly millions of TV sets as if they were computers.

"Because the TV only has a single user, any type of compromise into an application or into Smart Hub, which is the operating system, the smarts of the TV, has the same permission as every user, which is, you can do everything and anything," Grattafiori told Mashable.

On a positive note, Samsung had been "very responsive" to the research when contacted by Grattafiori and Yavor earlier this year, developing a patch in advance of the Black Hat presentation.


Stories by John E Dunn
