
Spoiler Alert: Your TV Will Be Hacked

Posted by Soulskill
from the let's-hope-so dept.
snydeq writes "With rising popularity of Internet-enabled TVs, the usual array of attacks and exploits will soon be coming to a screen near you. 'Will Internet TVs be hacked as successfully as previous generations of digital devices? Of course they will. Nothing in a computer built into a TV makes it less attackable than a PC. ... Can we make Internet TVs more secure than regular computers? Yes. Will we? Probably not. We never do the right things proactively. Instead, we as a global society appear inclined to accept half-baked security solutions that are more like Band-Aids than real protection.'"

  • Heh (Score:5, Funny)

    by jeesis (2494876) on Wednesday April 18, 2012 @04:14AM (#39720823)
    No longer will I need a universal remote to screw with the neighbor's television.
    • Re:Heh (Score:5, Interesting)

      by AmiMoJo (196126) <mojo@NOspAm.world3.net> on Wednesday April 18, 2012 @06:38AM (#39721365) Homepage

      I recently got a Panasonic smart TV. There is an Android app that lets you control it from your phone/tablet, and you can push photos and video directly from the device onto the TV screen. It works over wifi and there isn't any kind of authentication or code. In other words if your neighbours have insecure wifi and a Panasonic TV you can display whatever you like on their screen.

      I'm sure many other smart TV platforms are similarly insecure, in that they assume your wifi network is a secure environment.

      • by Eraesr (1629799)
        My Samsung can do the same (although I don't need a separate app for it, my HTC Sensation has support for Wifi media player devices out-of-the-box) but on the TV I do need to explicitly grant the device access to my TV.
        • My Samsung *does* have the option to "allow all" I believe. I wouldn't put it past the regular user to use that option the first time they're bothered.
          • Surprisingly, it will probably be easier to hack a future TV appliance than to actually have multiple vendors agree on a common protocol to share media.

            I'm still waiting for DLNA to support more than the 3-4 codec formats with which it works.

          • So then it is the dumb user's fault. How is this different from any other security situation? If you "allow all" on your firewall/ACL/TV/IPSEC/other security device you don't really want or understand security and should not be the one making security decisions.
      • Re:Heh (Score:5, Interesting)

        by mcgrew (92797) * on Wednesday April 18, 2012 @08:45AM (#39722255) Homepage Journal

        My ten year old analog TV does that -- I have a computer plugged into it. The only difference is the computer isn't inside the TV. I can bluetooth pictures from my phone, wifi files to it from my notebook, and I use a wireless mouse as a remote control and the internet for "cable".

        But nobody's hacked it yet. In fact, in 30 years of computing I've only been hit three times (my house has been broken into more often), none with any permanent damage. The first was the Michelangelo virus I got by putting one of my own floppies (five inch variety) in a computer at work, and learned that being smart is no defense against viruses -- the woman who infected the work computer held a PhD, but she was pretty clueless about computers.

        The second time was a targeted attack by a bunch of young people I'd made fun of on my web site (I made fun of everyone, I was the Don Rickles of the Quake world). All they did was replace a picture of a bunch of Down's syndrome kids with a basketball team. I wonder if those guys are now lulzsec? It was over 15 years ago.

        The third time was when Sony rooted my box with their goddamned XCP trojan. That one really fucked up my computer BAD, took quite a while to repair the damage Sony's vandalism had done.

        So judging from my own (admittedly limited) experience with being cracked, I worry far more about some big international corporation that has no fear of law enforcement than I am some Russian cyberburglar or teenage cybervandal.

        And hey, this is only tangentially on topic but can we take our verbiage back that was stolen and twisted by the muggles? Don't call them "hackers" unless they wrote the malware. Call them cybervandals or cyberburglars instead. Let's (at least among ourselves) reserve the word "hacker" for someone who writes quick and dirty one time use code and folks who modify hardware. I mean, come on, I've been both a hardware hacker and a code hacker, but I've never broken into someone's computer without their begging me to (working on a BIOS password on an old laptop now, have to take the whole damned thing apart to do it).

        • Re:Heh (Score:5, Funny)

          by cyber-vandal (148830) on Wednesday April 18, 2012 @09:00AM (#39722377) Homepage
          You insensitive clod!
        • by ArsonSmith (13997)

          I have found that PhD means you are very focused, not necessarily smart. You just happen to know way more about one thing than most anyone else at the expense of being well rounded.

          Just my anecdotal observation YMMV.

          • by Dishevel (1105119)

            Unless of course you are very smart. In that case you can have a focused area of knowledge that you know incredible amounts about and still be well rounded.

          • by mcgrew (92797) *

            She wasn't the brightest bulb on the tree, but she knew her stuff. There's another guy with a PhD who's dumb as a box of rocks, but everyone else I ever knew with one was very intelligent.

            I found out how to tell the smart ones from the dumb ones -- the dumb ones always add the "PhD" to correspondence and want everyone to call them "doctor". I knew the smart ones for years before I knew they had the degree.

          • I totally agree. We have 2 PhDs in our family and I'm smarter than both of them combined. Great guys, good at what they do, but fucking shite for lateral thinking.
    • by tlhIngan (30335)

      I have probably a first generation of these "smart TVs". I played with it for all of 5 minutes before I got bored and unplugged the network connection.

      Face it - even if the vast majority of TVs sported WiFi adapters and Ethernet ports, a good majority wouldn't be connected either out of sheer laziness or incompetence, or users not caring at all (they wanted a TV first).

      So the attack surface is huge, but it's a lot smaller in that most won't be network connected anyways - people would do their Netflix and su

  • by thsths (31372) on Wednesday April 18, 2012 @04:36AM (#39720895)

    These are often forgotten by engineers. Usually they are formulated as things you do not want your TV to do:

    - not damage your furniture
    - not start a fire
    - not weigh a ton
    - not hack your network

    You would think these are simple and logical expectations. The problem is, they are hardly good marketing, so they may not receive the necessary priority. But they can be very bad marketing if a story hits...

  • Barney (Score:3, Funny)

    by DarkXale (1771414) on Wednesday April 18, 2012 @04:36AM (#39720897)
    One day, our TVs shall be hacked, and they shall show nothing but that damned purple Dinosaur.
    • by geekmux (1040042)

      One day, our TVs shall be hacked, and they shall show nothing but that damned purple Dinosaur.

      The new goatse...only much more offensive.

      • by FudRucker (866063)
        you can now get goats.cx in high definition, you'll be able to count the pubic hairs that border around the event horizon
  • Please can we have a list of TVs capable of running OpenBSD?

    Or even NetBSD?

  • Why not yet ? (Score:5, Interesting)

    by nonos (158469) on Wednesday April 18, 2012 @04:49AM (#39720957)

    I'm wondering why my tv hasn't been hacked with air waves : one morning, I switched it on and it told me a firmware update had been uploaded over the air during the night.

    What can stop hackers to send rogue fw updates over the air ?

    Also, is it possible to exploit mpeg2 video decoder bugs to take control of tv ?

    Any info of previously discovered hacks of this kind ?

    • by profplump (309017)

      Appliances with heavy compute loads typically have dedicated hardware (or at least an FPGA) to do their primary task -- your TV almost certainly does demuxing, MPEG decoding, and AC3 decoding outside the main CPU. So even assuming poorly written software the hardware design does quite a bit to protect you from inline attacks.

      You'd probably have better luck attacking something like the closed-caption system, or the virtual channel number or the like. That stuff is low-bandwidth enough that it may happen on

    • by AmiMoJo (196126)

      What can stop hackers to send rogue fw updates over the air ?

      They are required to be cryptographically signed in most places. Of course if the master key leaks you are screwed.

      Also, is it possible to exploit mpeg2 video decoder bugs to take control of tv ?

      Probably not because it is decoded by a dedicated DSP that is separate from the CPU, and is not capable of executing code in the same way.

      • by drinkypoo (153816)

        Also, is it possible to exploit mpeg2 video decoder bugs to take control of tv ?

        Probably not because it is decoded by a dedicated DSP that is separate from the CPU, and is not capable of executing code in the same way.

        MAYBE. Could use an integrated CPU+GPU. Could be that MPEG2 is handled in software while MPEG4 is handled in hardware, this is not unusual today.

    • You didn't switch it on. It was never off.

      Modern appliances can only be turned off if you attach them to a power strip.

      Drill, baby, drill!

    • by The Moof (859402)

      What can stop hackers to send rogue fw updates over the air ?

      One would hope that the update process includes some kind of authentication and cryptographic verification. However, you and I know the reality is that some manager thought this wasn't cost effective to implement.

      Also, is it possible to exploit mpeg2 video decoder bugs to take control of tv?

      Probably, but I believe it's like writing Mac viruses a decade ago - too specific of a platform with too small of a footprint to monetize by creating exploits. Given the proprietary nature of the hardware and software, you're probably only going to see proof of concept exploits, possibly some exploi

  • by Anonymous Coward on Wednesday April 18, 2012 @04:57AM (#39720989)

    Bonus points for the first ones to rickroll on every channel at once.

    And... go

  • Dumb displays (Score:5, Insightful)

    by mehrotra.akash (1539473) on Wednesday April 18, 2012 @04:57AM (#39720991)
    I prefer my TV's to be dumb displays
    They should be limited to take video in, modify resolution/contrast/etc as per settings and display it on the screen, and provide a control interface
    IF I want to play media on it, I will use a device for that
    Modularity is better
    • by Chrisq (894406) on Wednesday April 18, 2012 @06:00AM (#39721213)

      I prefer my TV's to be dumb displays

      ... Like your women?

    • by FudRucker (866063)
      I agree with you on that, TVs should be kept simple because the more features they add to them the more things can break and the more things can be exploited and internet enabled TVs could turn a 600 dollar TV in to a huge expensive brick
    • Re:Dumb displays (Score:5, Insightful)

      by cbope (130292) on Wednesday April 18, 2012 @06:47AM (#39721413)

      The more functionality that becomes "built-in", the quicker that "display device" will become obsolete. Is it any wonder why the manufacturers are pushing smart TV's so hard?

      First, there was TV!
      Then widescreen!
      Then HD Ready!
      Then Full HD!
      Then LED!
      Then 3D!
      Now Smart TV!

      The rate of obsolescence has really increased in the past 15 years or so with TV's. That's why I waited for Full HD to drop into my price range, and I bought a good, high-end LCD of a decent size with HDMI inputs. I can plug anything into it. I do not miss LED, 3D or smart TV. I can play back blu-ray at full quality, which is enough. I have an HTPC connected to it for browsing and media playback.

      I prefer to keep my displays dumb and put the smarts elsewhere. That is unless you want to buy a new TV every few years... (I certainly have better things to spend my money on)

      • I prefer to keep my displays dumb and put the smarts elsewhere.

        The problem is that, for much of the viewing audience, there is no 'elsewhere'.

        • A $250-300 PC would last you much longer without getting outdated than the builtin media players and web browsers on TV's which essentially get outdated after 4-5 years (or less)
          And, the demographic that pays the premium for a "Smart TV" probably already has multiple computing devices: most of which would be TV compatible which can host the smarts
          Some features like onscreen widgets may be missed, but that's a small compromise for a much longer lifespan
        • by CastrTroy (595695)
          So many things you can just plug into the TV now. Plug in your Wii/XBox360/PS3 and you can watch movies, play games, browse the internet (Wii is pretty weak on this, not sure about the other two). There's also a plethora of boxes like Roku, AppleTV, LG, and others that are dumb simple to just plug in and use, so that you can watch all your shows streaming over the Net. My new (although old model) Android phone can plug into HDMI. Back in the old days, it was quite hard to get a computer to plug into a TV a
      • by V!NCENT (1105021)

        Meh... I want a server somewhere in my house, a TV sized screen in the living room, a tablet screen and a desktop screen.

        All data Plan9 from Bell Labs style on the server (removeable harddrive slots with clone functionality for backup storing purposes when they get full and content goes on newer, larger and faster harddrive).
        Apps in the form of GTK3/Qt HTMLv5 style, streamed over the home network/VPN and all local apps via Java/GNU Smalltalk (platform abstracted code, platform abstracted packages, Op

    • by GauteL (29207)

      I prefer my TV's to be dumb displays
      They should be limited to take video in, modify resolution/contrast/etc as per settings and display it on the screen, and provide a control interface
      IF I want to play media on it, I will use a device for that
      Modularity is better

      I hear you, but this (the current) approach has some serious drawbacks, including cable mess and multiple remotes (or one poor universal), power extensions when you only have two sockets, etc.

      The right approach would be for each TV to come with a hidden and swappable "smart" unit (or bought "naked" if you wish), controlled by the main TV's remote control, powered by the TV and with a standardised interface. This way, you'd have the best of both worlds, you'd be rid of the cable and remote control mess and i

  • Because all I'm getting are repeats
  • by AuMatar (183847) on Wednesday April 18, 2012 @05:18AM (#39721045)

    The ultimate TV hack, one that will make you the most infamous hacker in the US. Make it so that during the last quarter of the superbowl, the entire country gets rickrolled and are unable to return to the game. If it's a close game, wait til the very end (last year doing it on Brady's last drive would be perfect).

  • by travellerjohn (772758) on Wednesday April 18, 2012 @05:26AM (#39721079) Journal
    An internet enabled TV is going to be irresistible to TV companies. Perfectly legally they will get together with the manufacturers to personalise your TV experience. Given half a chance they will monitor your viewing, suggest programs, personalise adverts, maybe even personalise the news. Not so bad you might think: I never have to see Sarah Palin on the TV again. More likely, if they think you are an independent voter in a swing state, it is back to back political adverts for you for the next six months. Don't be surprised if your remote doesn't seem to work half way through a PAC spot. Remember If You're Not Paying for It; You're the Product
    • by Craefter (71540)

      I was thinking along the same lines. In the near future you will probably be labeled a thief if you don't sit out the commercials and zap to other channels. The content delivery program will also offer you a rebate if the camera on top of the TV detects that you are intently watching the commercial breaks..... and smiling.

  • Oh, the times ahead! There is so much fun to come! That will give a whole new meaning to the word 'entertainment' !
  • I don't care what any of this hype says, if your TV is gonna get hacked then why are we not seeing all the BluRay players from all these same companies that are running Linux and the interactive services getting hacked?

    Every single BluRay player sold runs linux and most have ethernet on them for interactive services on the disc or built into the player. Panasonic has one that has hulu, netflix, and an app store + video skype. These are not getting hacked.

    And I WISH they would get hacked, cracked, and s

  • by ledow (319597) on Wednesday April 18, 2012 @05:52AM (#39721179) Homepage

    I wonder how they intend to hack my TV when it's not plugged into either Ethernet or wireless networks. Because even if I did have an "Internet TV", it wouldn't be plugged in.

    If it was, it would be behind my firewall/router. If they were relying on me to visit a malicious website to "infect" my TV, they'd be sadly disappointed - I can't imagine that many people use their TV like that given that every year or so the requirements change. If you can see a modern Internet site (e.g. Flash, Silverlight, etc.), then chances are that your software is pretty up-to-date and no worse than a PC that was similarly updated.

    Of those that don't handle interactive content directly, it's either not a risk (it's pretty hard to crash AND compromise an embedded browser with just a badly formed HTML page or similar), or it goes through some sort of remote proxy (e.g. Opera Mini) that will probably be working to stamp out the problem for you.

    Above all that, beyond playing tricks and crashing my browser, I'd be interested to know what incentive they would have to do that? I don't plug credit card numbers into my TV. I watch TV on it. If you're silly enough to plug in things like Facebook, Twitter, etc. passwords into your TV, then maybe they could cause a little havoc ("Guess what John watched last night on the Adult Channel?") but that's about it.

    Or is this just a ruse to sell "Antivirus for your TV"?

    These devices are pretty passive, unless you make them do something. You're pretty safe while your internal network is clean (and if it isn't, your TV is the least of your worries). To infect would require some kind of active participation (same as any well-managed PC) that, maybe, possibly, it wouldn't be able to handle safely. But, chances are, the havoc it could wreak would be nothing compared to that same user on their laptop.

    Of course it's something to think about but I don't think such a big fuss should be made. Hell, people still haven't worked out that a smartphone is yet-another-computer that they have to manage properly, with bad consequences if they don't (run up enormous bills, etc.). But even they aren't that much of a problem. I've never had anyone come to me about fixing their smartphone because of things like this, but I get 2-3 a week about their laptops etc. I've certainly never had anyone ask about their TV unless it was a dumb TV or literally how to wire it to their Internet connection / Wii / whatever.

    I think infinitely more dangerous than a TV would be:

    - smartphones
    - gaming consoles with internet access / wireless
    - smart meters with internet access / wireless
    - Skype phones
    - Internet connected printers
    - etc.

    And a lot of those have been running around people's houses (some targeted at non-techy users) for years. Yes, it's almost certainly possible to "attack" my printer / TV / Skype phone. But it's almost certainly not worth the effort to a) discover what model I use, b) link that to an IP address, c) somehow enter my network and intercept communications to it, d) figure out how to do something clever on that device when actions that are much easier to do and hide mean you can compromise similar people anyway.

    Worst case scenario is that your TV web browsing is as "insecure" as your laptop web browsing. But with much less potential impact.

  • There seem to be plenty of efforts to ensure security when other peoples' money is at stake. Last time I checked, HDMI is the new cable standard and that has absolutely NOTHING to do with signal quality, it's a hardware-enforced "copy prevention" scheme.

    I was going to say "other peoples' money (particularly not the customer's)" but then I remembered - in the free TV equation I'm NOT the customer. I'm the product (well, my eyes). In that sense, I concede their need to 'protect' their baited hook...they NE

  • by Trogre (513942) on Wednesday April 18, 2012 @06:59AM (#39721453) Homepage

    Because I won't put it on the Internet. That's what I have an HTPC for. And I know how to secure that. It's looking likely I will still have an HTPC in 10 years time, and nothing except standalone computers and perhaps a smartphone connected to the Internet.

    Short-sighted you say? No, I've merely learned my lessons.

  • Why is this news? Being reactive has ALWAYS been cheaper than being proactive, in any field, not just technology.

    Companies/government/etc. will go proactive to avoid accidents/hacks/RRODs/etc. if you're willing to pay more. Are you?

  • Improving security costs more and does more than BS laws, but Bad Security (BS) laws only cost a few politicians and will exempt TV makers and Cable/Sat providers from all liability. Corporate-Welfare is best for the Plutocrat Republic, never good for US.

    Hack2Secure

  • They're making Windows TVs now?!? ;-)

    • by CastrTroy (595695)
      With Windows 8 coming out, and running on ARM, plus the already existence of Windows Phone that runs on phones/ARM, I don't think it will take long before we see a TV running windows, or possibly a set top box running windows, kind of like the AppleTV.
  • Having just finished reading this reminder [phys.org] gives me an even worse feeling that science will die to profit seekers. Especially with the ad potential.

  • In this day and age, there is significant pressure to bring a product to market before your competitor and to recoup your research costs. This is probably why device security is an afterthought. The internet has made controlling the flow of information very difficult, adding to that pressure to bring the innovative product to the market and establishing that product as the leader - it is all about beating your competitor to the punch. I do think it is a conscious decision to take a reactive approach to i
  • Why would you want a display connected to the internet? It makes no sense. Just don't connect it the internet and you're done.
    Hell, do you actually *need* it connected to your private network at all? Will it make movies look better, or have *any* advantage?

    It's just crap that people want because of good marketing, not anything that they really need anyway.

    • by aaarrrgggh (9205)

      Personally, I got a smart TV so Netflix would be built in. No cable TV subscription now. An accessory box would have worked, but it adds an extra remote to the mix. It needs to sit on a DMZ (in retrospect), but that isn't too big of a hassle. There are much better targets for hackers than my TV, and LG's insight that I browse /. from my TV is of pretty limited value.

  • 1. No unencrypted incoming connections. The only incoming connection possibly allowed is a limited function remote control (turn off, if it has DVR capabilities, allow changes to the recording schedule). Why does a device for viewing content need incoming connections or a web server?

    2. No OTA updates. Firmware updates must be cryptographically signed, and the update must be initiated by the device itself, not "pushed". Signed updates can also be installed from a USB flash drive, no network required.

    3. Built

    • Why does a device for viewing content need incoming connections or a web server?

      Because it's acting as a NAS to which the authorized user can upload video to a connected USB hard drive.

      Firmware updates must be cryptographically signed

      With what certificate? All Android apps are cryptographically signed, but almost all devices allow use of applications signed with a self-signed certificate because much of Android security relies on key continuity management. And what's the key difference between a "firmware update" and an "app" anyway?

      If it supports Wi-Fi, Require WPA/WPA2 connections. Do not allow use of WEP

      In other words, do not allow use of a Nintendo DS on the same AP. It's a very popular device that supp
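
Added example, not part of the thread and not any TV vendor's code: a sketch of the update check the comments above ask for, in which the TV installs firmware only if it requested the update itself (fresh nonce) and the signature verifies under a pinned public key. The `TV` class, `vendor_sign`, the manifest layout and the downgrade check are assumptions for illustration, and the RSA key is a constructed, deliberately weak demo key.

```python
import hashlib
import secrets

# Constructed demo key: two Mersenne primes give a working RSA modulus that
# is trivially factorable. It stands in for a vendor key; never use it.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537                      # public half, pinned in the TV
_D = pow(E, -1, (_P - 1) * (_Q - 1))       # private half, vendor side only
K = (N.bit_length() + 7) // 8              # modulus length in bytes

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(message: bytes) -> int:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(message)."""
    t = _SHA256_PREFIX + hashlib.sha256(message).digest()
    padded = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(padded, "big")


def _manifest(version: int, nonce: bytes, image: bytes) -> bytes:
    """Bytes that get signed: version, the device's nonce, the image hash."""
    return version.to_bytes(4, "big") + nonce + hashlib.sha256(image).digest()


def vendor_sign(version: int, nonce: bytes, image: bytes) -> bytes:
    """Vendor side (hypothetical): answer one device request."""
    signed = pow(_encode(_manifest(version, nonce, image)), _D, N)
    return signed.to_bytes(K, "big")


class TV:
    """Device side (hypothetical): holds only the public key and its state."""

    def __init__(self, installed_version: int):
        self.installed_version = installed_version
        self._pending_nonce = None

    def request_update(self) -> bytes:
        """The device starts every update by issuing a fresh nonce."""
        self._pending_nonce = secrets.token_bytes(16)
        return self._pending_nonce

    def accept(self, version: int, image: bytes, signature: bytes) -> str:
        nonce, self._pending_nonce = self._pending_nonce, None  # single use
        if nonce is None:
            return "rejected: update was pushed, device never asked"
        if version <= self.installed_version:
            return "rejected: not newer than installed firmware"
        if len(signature) != K or int.from_bytes(signature, "big") >= N:
            return "rejected: malformed signature"
        # Rebuild the expected encoding and compare the whole block, rather
        # than parsing the padding out of the recovered value.
        recovered = pow(int.from_bytes(signature, "big"), E, N)
        if recovered != _encode(_manifest(version, nonce, image)):
            return "rejected: bad signature"
        self.installed_version = version
        return "installed"
```

Because the nonce is inside the signed manifest, a validly signed update captured from one request cannot be replayed or broadcast to the TV later; as noted in the thread, none of this helps if the signing key itself leaks.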

  • a series of questions and answers to themselves? Yes, yes I do.

  • My TV's IP address is 192.168.0.3. Come at me bro.
  • Seems like all I really want is a 50-60 inch monitor I can plug stuff into. Don't need 3D. Don't need gesture recognition. Don't need wireless internet on my monitor. Just a bunch of inputs and a way to select them. Everything else can be done off-display by a more upgradable device.
