Forgot your password?
typodupeerror
Television Java Security Linux

Samsung Smart TV: Basically a Linux Box Running Vulnerable Web Apps 166

Posted by Soulskill
from the for-sufficiently-dumb-values-of-smart dept.
chicksdaddy writes "Two researchers at the Black Hat Briefings security conference Thursday said Smart TVs from electronics giant Samsung are rife with vulnerabilities in the underlying operating system and Java-based applications. Those vulnerabilities could be used to steal sensitive information on the device owner, or even spy on the television's surroundings using an integrated webcam. Speaking in Las Vegas, Aaron Grattafiori and Josh Yavor, both security engineers at the firm ISEC Partners, described Smart TVs as Linux boxes outfitted with a Webkit-based browser. They demonstrated how vulnerabilities in SmartHub, the Java-based application that is responsible for many of the Smart TV's interactive features, could be exploited by a local or remote attacker to surreptitiously activate and control an embedded webcam on the SmartTV, launch drive-by download attacks and steal local user credentials and those of connected devices, browser history, cache and cookies as well as credentials for the local wireless network. Samsung has issued patches for many of the affected devices and promises more changes in its next version of the Smart TV. This isn't the first time Smart TVs have been shown to be vulnerable. In December, researchers at the firm ReVuln also disclosed a vulnerability in the Smart TV's firmware that could be used to launch remote attacks."
This discussion has been archived. No new comments can be posted.

Samsung Smart TV: Basically a Linux Box Running Vulnerable Web Apps

Comments Filter:
  • Yep. (Score:5, Informative)

    by Anonymous Coward on Saturday August 03, 2013 @08:31PM (#44467801)

    I have two Sam'sDung SmartTVs. Yes, all these TVs are glorified Linux boxes running a badly collected series of apps. There is little to integration. Some won't accept keyboard input while other do. You either watch TV or run an App. Most apps are poor. The browser won't run most web pages and crashes. Yes, crashes. In this day in age it is hard to believe in your browser crashing nearly every time you try to use it.

    As for security, I no longer use any of the apps as none are worth anything. Netflix is okay but not great but since I've gone back to DVDs from streaming I am blocking the ports (6000 mainly and I forget if another is in use) to stop the TV from phoning home every time it is turned on.

    I blocked the ports because my firewall was showing connections to my LAN from very strange locations; Brazil, Japan, Russia. The problem is that Samsung's 'partners' are unknown to me and I'm sure it is these apps that doing the calling out. Who knows who wrote them, what is in them, and what they can really do.

    The TV isn't bad when hooked up to my modified version of the PS3 media server project.

  • Re: Yep. (Score:2, Informative)

    by spire3661 (1038968) on Saturday August 03, 2013 @11:27PM (#44468117) Journal
    Antenna Win 7 DVR (w/nightly compression) has been up for 3 years. Win 7 off-site DVR w/CableCARD has been up for 2 years. NO administration required beyond initial, cheaper then a TiVo and MUCH more flexible. If you design something to function as an appliance, with a defined role, its easy to keep admin to a minimum.
  • Re: Yep. (Score:4, Informative)

    by fuzzyfuzzyfungus (1223518) on Saturday August 03, 2013 @11:37PM (#44468147) Journal

    Why does connecting the PS3 to the network require the TV to be connected to the network too? Can't the PS3's TV output be connected to the TV's signal input?

    "The PS3 media server project" is a UPnP/DLNA media server [ps3mediaserver.org] originally designed to stream media to PS3s (hence the name). In this case, somebody apparently has the TV directly connecting to the media server software running on their computer, skipping the need for some sort of streamer box.

Never try to teach a pig to sing. It wastes your time and annoys the pig. -- Lazarus Long, "Time Enough for Love"

Working...