The times when all that our TV sets could do was show us ‘regular’ TV stations are now over.
These days, such ‘old-school’ TVs are increasingly being replaced with their ‘smart’ successors, which we can use for streaming video and audio, playing games, browsing the internet, and downloading and using apps – all of that thanks to their internet connectivity.
This evolution is part of a wider trend that involves connecting consumer electronics and everyday objects to the internet, creating a rapidly growing mass of various Internet-of-Things (IoT) devices in the process.
However, the internet connectivity of smart TVs and the perilous state of security in the IoT space in general open the floodgates to a deluge of threats to our privacy and security.
Research has shown that various attacks against smart TVs are possible and practicable, often requiring no physical access to the device or interaction from the user. It has also been demonstrated several times that, once compromised, an internet-enabled TV can serve as a springboard for attacks on other devices within the same network, ultimately targeting a user’s personal information stored on even juicier targets such as PCs or laptops.
Watch you(r) back
Now, you probably enjoy watching your smart TV, but chances are that you don’t want it to watch you, too. But ‘watch its watchers’ is precisely what these TVs can do.
Back in 2013, researchers demonstrated that, by exploiting security holes in some models of Samsung’s internet-capable TVs, it was possible to remotely turn on the built-in camera and microphone. In addition to converting the TVs into all-seeing, all-hearing devices, they were able to take control of embedded social media apps, posting information on the users’ behalf and accessing files. Another researcher showed off an attack that allowed him to insert fake news stories into the browser of a smart TV.
Malware, too, can find its way into smart TVs and convert them into bugging devices. In this attack vector, which has also been proven practicable, hackers could create a legitimate app before releasing a malicious update that would then be automatically downloaded onto a smart TV fitted with a built-in microphone.
In 2014, a loophole in a widely used interactive TV standard known as HbbTV came to light. It emerged that attack code could be buried in ‘rogue’ broadcasts and target thousands of smart TVs in one fell swoop, hijacking these as well as other devices in the network, stealing logins, displaying bogus adverts, and even sniffing for unprotected Wi-Fi networks. In addition, the attack was found not to require any special hacking smarts.
Issues with HbbTV were in the spotlight again in 2017. A security researcher demonstrated a technique for deploying a rogue over-the-air signal to compromise internet-enabled televisions. Once taken over by the attacker, the TV could be used for an apparently endless list of malicious actions, including spying on the user via the TV’s microphone and camera and burrowing deep into the local network. As many as 9 in 10 smart TVs sold in recent years were estimated to be prone to this hack. As with the earlier example, the victim would spot no outward signs of something being amiss.
In February 2018, US non-profit organization Consumer Reports released the results of hack tests on internet-connected TVs of five brands, each of which features a different smart TV platform. “Millions of smart TVs can be controlled by hackers exploiting easy-to-find security flaws”, said the organization. The devices were found to be susceptible to rather unsophisticated hacks that would enable an attacker to flip through channels, crank up the volume to blaring levels, install new apps, and knock the device off Wi-Fi – all of that remotely, of course.
The review also found that users need to consent to the collection of very detailed data about their viewing habits – unless they’re ready to forgo the smart features of their new smart TV. Over the years, several manufacturers have been found to engage in the behind-the-scenes acquisition of, and trafficking in, data about the viewing habits of consumers.
Having a listen
Concerns about the implications of smart TVs for privacy were also raised in 2015, when Samsung’s ‘voice recognition’ function, a layer of convenience that lets you give voice commands to your smart TV, came to the fore. The company warned its customers who use the voice activation feature on their smart TVs that their private conversations would be among the data captured and shared with third parties. In addition, the voice information picked up in such ‘official snooping’ was not always encrypted, potentially enabling intruders to listen in on private conversations.
All told, the security conversation is here to stay, as a range of privacy and security concerns persist while more and more consumers are snapping up smart TVs. According to one projection, over 750 million smart TVs will be in use worldwide by the end of 2018.
Smart TVs afford us the opportunity to use them for purposes that are more commonly associated with computers. In fact, that’s what these TVs have become – internet-connected ‘computers’, much like mobile phones. It would no doubt help if we thought of them as such and treated them accordingly.
Written by Tomas Foltyn, security writer at ESET.