Samsung Smart TV: Basically a Linux Box Running Vulnerable Web Apps 166
chicksdaddy writes "Two researchers at the Black Hat Briefings security conference Thursday said Smart TVs from electronics giant Samsung are rife with vulnerabilities in the underlying operating system and Java-based applications. Those vulnerabilities could be used to steal sensitive information on the device owner, or even spy on the television's surroundings using an integrated webcam. Speaking in Las Vegas, Aaron Grattafiori and Josh Yavor, both security engineers at the firm ISEC Partners, described Smart TVs as Linux boxes outfitted with a Webkit-based browser. They demonstrated how vulnerabilities in SmartHub, the Java-based application that is responsible for many of the Smart TV's interactive features, could be exploited by a local or remote attacker to surreptitiously activate and control an embedded webcam on the SmartTV, launch drive-by download attacks and steal local user credentials and those of connected devices, browser history, cache and cookies as well as credentials for the local wireless network. Samsung has issued patches for many of the affected devices and promises more changes in its next version of the Smart TV. This isn't the first time Smart TVs have been shown to be vulnerable. In December, researchers at the firm ReVuln also disclosed a vulnerability in the Smart TV's firmware that could be used to launch remote attacks."
Re:To bad cable card failed and there has been lit (Score:4, Interesting)
Re:Yep. (Score:2, Interesting)
Re:Smart is as smart does (Score:4, Interesting)
I worry that it will become hard to buy one without a camera in a few years. Look at laptops, most have a built in webcam now. Years ago when I worked in a computer shop I saw a lot with tape over the camera, and sometimes offered to disconnect the camera and microphone internally while doing other work. Most are just USB cameras and two wire button mics that can be unplugged.
Re:Incredibly stupid is as stupid does (Score:4, Interesting)
they still sell phone switchboard systems that by default can be accessed by telnet with no password I disagree.
Not sure how I feel about this. Is no password better than "admin" or "password" or "1234" for the default password? Lets face it, each device that ships is going to have a default way of accessing it for configuration.... The problem really lies with the people that *leave* it at that configuration.