Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Television

Now Even the FBI is Warning About Your Smart TV's Security (techcrunch.com) 126

If you just bought a smart TV on Black Friday or plan to buy one for Cyber Monday tomorrow, the FBI wants you to know a few things. From a report: Smart TVs are like regular television sets but with an internet connection. With the advent and growth of Netflix, Hulu and other streaming services, most saw internet-connected televisions as a cord-cutter's dream. But like anything that connects to the internet, it opens up smart TVs to security vulnerabilities and hackers. Not only that, many smart TVs come with a camera and a microphone. But as is the case with most other internet-connected devices, manufacturers often don't put security as a priority. That's the key takeaway from the FBI's Portland field office, which just ahead of some of the biggest shopping days of the year posted a warning on its website about the risks that smart TVs pose. "Beyond the risk that your TV manufacturer and app developers may be listening and watching you, that television can also be a gateway for hackers to come into your home. A bad cyber actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router," wrote the FBI. The FBI warned that hackers can take control of your unsecured smart TV and in worst cases, take control of the camera and microphone to watch and listen in.
This discussion has been archived. No new comments can be posted.

Now Even the FBI is Warning About Your Smart TV's Security

Comments Filter:
  • Is there a living room in the USA that both China and Russia DON'T have under video and audio surveillance by now? Seems a little late to shut the barn door now.

    • Re: (Score:1, Troll)

      Oh, no. Those pesky Russians again. They must be the most clever people on the planet. They do everything! And I've never met one, but I think they are all out there, watching us, stealing our stuff and electing people.

      • Oh, no. Those pesky Russians again. They must be the most clever people on the planet. They do everything! And I've never met one, but I think they are all out there, watching us, stealing our stuff and electing people.

        We should definitely hire them for advertising. They have almost superhuman powers.

        • Oh, no. Those pesky Russians again. They must be the most clever people on the planet. They do everything! And I've never met one, but I think they are all out there, watching us, stealing our stuff and electing people.

          We should definitely hire them for advertising. They have almost superhuman powers.

          One thing is beyond your ridicule. They are very, very intelligent, and clever as well. There is no question that they have the ability as well.

          The question for you to answer, is that if you were an adversary of the US, and you had the intelligence and capability, would you not use it at every juncture?

          Explain why you would not if you thing they aren't.

          Then again - this really isn't on topic. The designers of the smart televisions are responsible for any spying they do, not people in a country that

          • You had the intelligence and capability, would you not use it at every juncture?

            Ah yes, the good old "wouldn't you?" argument Not everyone is an opportunistic scavenger.

            • You had the intelligence and capability, would you not use it at every juncture?

              Ah yes, the good old "wouldn't you?" argument Not everyone is an opportunistic scavenger.

              I believe that history argues against you, because someone always will. It doesn't take everyone.

          • by guruevi ( 827432 )

            The thing is, if anyone had such universal powers of hacking and surveillance, they wouldn't start with Joe Schmoe, they'd start with the big city mayors and senators and congress critters. And if someone did have those powers, they'd be running the show by now, which there is no evidence, hence it's a conspiracy theory.

            So if you live in Washington, DC and purchase a smart TV...

            • Re: (Score:3, Interesting)

              Perhaps you missed the memo, but we all know that the Russians got Trump elected. Everyone wanted Hillary, but those darn Russians!

            • The thing is, if anyone had such universal powers of hacking and surveillance, they wouldn't start with Joe Schmoe, they'd start with the big city mayors and senators and congress critters. And if someone did have those powers, they'd be running the show by now, which there is no evidence, hence it's a conspiracy theory.

              So if you live in Washington, DC and purchase a smart TV...

              The point is sowing discord, not hacking mayors.

              Although I suspect someone has something on Lindsey Graham. Who knows where that came from.

          • Then again - this really isn't on topic. The designers of the smart televisions are responsible for any spying they do, not people in a country that (to my knowledge) doesn't design them.
            Sure. But at the same time they don't bother with any real securing of their backdoors into the device in question (why should they, just makes it harder on themselves) so it ends up trivially easy for someone else to access it, too.
      • IKR!!! I mean really, what country is going to waste time and resources trying to influence and undermine the government of another?!?!?!?!?!? Its just such a stupid idea that clearly anyone that suggests it is a liberal-pinko-gun hating-tree hugging-never trumper who should be immediately dismissed, mocked and tweeted about.
      • I've met a dozen Russians. They're all an order of magnitude smarter than you.
    • ...ummm and you for got about the Americans! I'm sure the CIA is in there too.

    • ... mine.

    • Well there are a few ways to prevent this. First why have a TV in the first place? Second if you do have one employ a hardware firewall and block everything but oirt 80. If you're the more enterprising type you can do specific blocks to manufacture, google et a.
      • Or simply not allow the smartTV to connect through WiFi or cable. Or run a "blind" DNS server (Technitum provides one for free for Windows) and configure the TV to use that DNS server instead of your standard DNS server.

        The latter is what I do, as my smartTV acts up in very irritating ways when I leave it not connected to my network. But mine is a cheap model from an pretty unknown brand (Kiland) in these parts of the world.

        Big name brands are likely to behave (much) better when you leave them disconnected

        • I think that TV manufacturers are wise to the DNS trick.

          I noticed in my firewall that my Vizio TV would make DNS queries to a hard-coded list of servers unrelated to what I had given it. It saw that it wasn't getting the DNS results it wanted and so fell back to a list of its own.

          I have since ceased trying to block everything my TV does and just reset it to factory defaults and never entered a wifi password. So, now it is just a dumb TV.

      • by mccrew ( 62494 )

        First why have a TV in the first place?

        Oh my God, this is you [theonion.com], isn't it?

        Second if you do have one employ a hardware firewall and block everything but oirt 80. If you're the more enterprising type you can do specific blocks to manufacture, google et a.

        Close. You just don't set up your TV to connect to the internet.

    • Is there a living room in the USA that both China and Russia DON'T have under video and audio surveillance by now?

      Yeah. Mine. FWIW I know I'm far from alone, too, so it's only the actual dumb people who aren't paying attention and filling their homes with 'digital voice assistants', having their totaly un-secure smartphones physically attached to them 24 hours a day, and buying ridiculous garbage like 'smart TVs' and 'Internet of Things' nonsense like internet-connected refrigerators. Call it 'evolution in action', I guess.

    • I'll put a Smart TV in my bedroom. The spies will need oil-tankers filled with eye-bleach when I'm through.
  • You run a much higher risk just by browsing the web without an adblocker/element blocker. It would be tough to hack a TV. The only "hacks" I have seen require you to be on the same wifi as the TV and use some APIs. That isn't really hacking, as you are just using documented APIs.

    • Re:Overblown (Score:5, Insightful)

      by Opportunist ( 166417 ) on Monday December 02, 2019 @09:25AM (#59476348)

      It's not tough to hack a TV. We're at the point where opening the wrong stream is enough to get infected simply because the security of smart-TVs is not even an afterthought. It's nonexistent.

      Makers of TV have no history of security. The designers and makers of their hardware have no experience in secure design because for the longest time this was not a necessity when developing these appliances. And of course these people now have a security consciousness that is about on par with what we had in the PC world in the 1990s. You have people who know very well how to create the software needed to get these boxes to do what they're supposed to do, just as we had very good programmers in the 1990s who knew how to write programs that would do what they were supposed to do well, but they have zero experience with dealing with malicious outside actors that abuse and leverage shortcomings of their code when you introduce malicious content. Because up to this point, they didn't have to deal with it. Why would anyone do this to their own box? Of course nobody would do that. Destroy someone's computer for fun? What for? But if you can leverage this to make this computer do your bidding because the computer is connected to the internet and is now something you can control, there is a motivation to do this.

      It's now happening to TVs (and other Intelligentely Designed Internet Of Things gadgets), simply because up until this point, the people designing these products didn't have to take malicious outside actors into account. They eventually will. Probably even before people have been burned enough that they will demand "dumb" devices instead again.

      Hopefully not.

      • I didn't read past the first sentence. So go ahead: "hack" a TV without being on the same wifi network or installing some software on the TV. I'll look forward to your Defcon presentation.

      • We're at the point where opening the wrong stream is enough to get infected

        Most smart TVs don't include a browser just apps for services like netflix or hulu in order to open the wrong stream you would need to jail break the tv first and install a browser, use a free app that somehow got into the app store and was compromised, or compromise a service like netflix or hulu. If you can compromise a local device it would be much easier. You might be able to get a compromised file on a local media server (torrent users) but I'm not sure that would work if they are transcoded on the med

        • Not having a browser doesn’t mean TVs are more secure. It means that one point of vulnerability doesn’t exist. The real issue is that most TV manufacturers have little experience with security. A dumb TV just received signals. Now they have to design security.
      • by gl4ss ( 559668 )

        you would need to be in a position to reroute the traffic for the tv in the first place - that is if you're using it for normal usage using apps on the tv like netflix, hulu or whatever - very few people actually use them for browsing random web pages.

        you know who is the most likely party to hack your tv is? fucking FBI.

        and they put more effort into the tv's to lock them down from 3rd party crud and free booting of what you want usually due to the focus on DRM.

        and look the securitys just shite for the brows

        • It's trivially easy to get into a position to reroute the traffic from the tv. Most TVs these days are not equipped with a RJ45 anymore but rely on WiFi. With a default WiFi config that not only defaults to a WiFi turned on but also connects to any non-secured AP offering itself. The paranoid tinfoil hatter in me would say that's to ensure its master gets the data it wants even if you don't bother to configure the WiFi, the official bit of course being that this means you can get your Netflix fix as hassle-

      • Why are y'all talking about these things as "TVs" still. What they are are embedded computers running specialized applications. Many of these "smart TVs" are just running Android of one flavor or another.

        • Re: Overblown (Score:4, Interesting)

          by NoMoreACs ( 6161580 ) on Monday December 02, 2019 @11:23AM (#59476904)

          Why are y'all talking about these things as "TVs" still. What they are are embedded computers running specialized applications. Many of these "smart TVs" are just running Android of one flavor or another.

          With Android's (in)security record, that makes me feel ever-so-much-more happy, thanks!

  • As bad enough as the Kardashians are, I don't think reality TV would be as bad as me scratching my balls.
    • by Ol Olsoc ( 1175323 ) on Monday December 02, 2019 @09:29AM (#59476362)

      As bad enough as the Kardashians are, I don't think reality TV would be as bad as me scratching my balls.

      Time for one of Olsoc's turds of wisdom:

      No matter how darn good that soap smells, never come out of a public bathroom sniffing your fingers.

  • With Roku, Amazon "sticks", cable boxes, etc. why do TV's need any "smarts" at all?

    Why not just use a monitor with HDMI ports?

    • Re:why? (Score:5, Funny)

      by 93 Escort Wagon ( 326346 ) on Monday December 02, 2019 @09:18AM (#59476330)

      But without “smarts”, how are the manufacturers going to convince you to replace your television every three or four years? Do you really want to go back to those dark old days when people kept their TVs for a decade or more?

      I shudder just thinking about it.

      • Gross. Just reading that makes me want to throw some things out and just buy new things.

        • Well as I said earlier - you can hack the TV physically. It's a pretty sure bet the camera is just connected via a ribbon cable.
          • Well as I said earlier - you can hack the TV physically. It's a pretty sure bet the camera is just connected via a ribbon cable.

            Assuming, of course, that the POST firmware in that TV doesn't require a response from the camera module to boot-up.

    • The TV manufacturer collects data about what you are watching. That is why TVs need the "smarts".

      • Just don't connect your "smart" TV to the internet. If you need firmware updates, connect it for that and then reset it to factory defaults and don't enter the wifi password again.

        • Correct. I was just answering why TV manufacturers put "smarts" in their TVs.

        • Just don't connect your "smart" TV to the internet.

          Does this work as well as not connecting your car to the internet?

          Sorry to break it to you, but they only require your connection for large bandwidth stuff. For small bandwidth stuff, they can just make a deal with big telecom to transport over 3G/4G/5G.

          • Sure, they could, but Cell Radios cost money as does the service and the software to run it all. TV's are consumer devices which are manufactured by the thousands, they are all about saving pennies on cost where they can and multiplying the savings into real money. You are talking about throwing in another $10 worth of stuff at a minimum, which simply isn't worth it.

            Besides, the average consumer will connect it up to their wi-fi and give them what they seek for free. Only the odd security wise techie typ

    • I agree... Buying a "smart" TV is pretty stupid given how long manufacturers actually support those things with regular software updates and such. The last TV I had that was "Smart" stopped getting software updates in about 3 years and I ended up buying a Roku to replace the "Smart" part. That doesn't keep manufacturers from selling TV's using that "Smart" feature list, they know it's a cheap way to differentiate their product from the others. Really it's worthless junk they add on for marketing reasons.

      S

      • This is a good stance. We have an old Sony whose smart features have degraded to uselessness, and a newer Samsung that still gets used over the attached console for most smart things. The latter is much easier for the children to use, even with a nice Logitech remote on the Sony setup to make fussing with the correct input easier.
      • I always have some type of box hooked up to the TV, or at worst, it just plugs into the cable decoder. The "smart" TV function is completely useless for me. Most of the apps will never be upgraded after a few years, and by that time, the DRM won't work with them anyway. Plus, apps come and go.

        Instead, I have found monitors, or even digital signage screens a lot more useful than TVs, just because they don't come with that junk, and don't need network access.

    • There are multiple reasons not to use a monitor. Size and cost are the main ones. I don’t see 65” monitors that are cheap. That monitor also isn’t likely to have multiple HDMI inputs and be controlled by a remote control. Also the monitor will not likely be able to accept OTA signals by itself. Sound on a monitor might also be subpar. Personally I don’t use any smart features on my TVs for many reasons but there are reasons of TV over monitor.
  • Is it worth setting up multiple SSIDs at home or is that not enough separation? With all of the smart things and home automation stuff, kids tablets... according to the router there are around 30 unique devices right now and I assume it'll continue to grow.
    • Re:Distinct SSID (Score:4, Informative)

      by Holi ( 250190 ) on Monday December 02, 2019 @09:18AM (#59476324)
      Multiple VLANS maybe, but multiple SSIDs alone do nothing for security.
    • Nah. Too late. Your kids are probably Russian agents already.

    • by DogDude ( 805747 )
      assume it'll continue to grow.

      That's a strange thing to say. Don't you have control over what devices are in your house, attached to your router?
      • Nominally. As the home's CIO I wield considerable veto powers, but the other humans that reside there have murcurial technology requirements with novel use cases and who knows what sort of IoT LEGO/Barbie sort of thing will be under the tree later courtesy the grandparents. Maybe I should make my eldest get a network security certification.
    • by DogDude ( 805747 )
      No, as somebody else said, you need to separate your network into distinct vlans. SSID alone won't do anything. Let all of the junk devices connect to one, and let your important stuff connect to the other. The risk is letting the junk devices communicate on the same LAN as your real devices.
  • "With the advent and growth of Netflix, Hulu and other streaming services, most saw internet-connected televisions as a cord-cutter's dream.

    I wish people would stop using that word, "cord-cutters". Unless they're switching to satellite internet, they're not cutting cords, they're just switching from one cord to a different cord (or, often, from one cord to a different signal coming down the same cord).

  • by Joe Gillian ( 3683399 ) on Monday December 02, 2019 @09:36AM (#59476398)

    The problem here is that there's no option anymore to just buy a non-smart TV. Most TV manufacturers refuse to make them because there's way more profit to be had with a smart TV: not only do they get the full retail price of the TV, but they also get money from all of the companies whose apps are loaded by default and from advertisers who can pay to have their ads injected into the TV's firmware (things like banner ads that come up when you change channels). They want it to be as hard as possible to block the stuff as well, so that they can guarantee the advertisers that people are seeing the ads.

    Short of the government stepping in and putting heavy fines into place for security breaches, there's not much you can do to stop it.

    • by leonbev ( 111395 )

      You can still turn the Wi-Fi off on most of these "smart" TV's. As long as it stays off, you're probably somewhat safe.

      But, yeah... we're already getting to the point now where older smart TV's are no longer getting security updates. It's only a matter of time until these devices start frequently showing up in botnets.

      • You can still turn the Wi-Fi off on most of these "smart" TV's. As long as it stays off, you're probably somewhat safe.

        But, yeah... we're already getting to the point now where older smart TV's are no longer getting security updates. It's only a matter of time until these devices start frequently showing up in botnets.

        I would submit that most, if not all, TVs hardly have enough extra, well, anything, to sit there and participate in a botnet while still managing to act like a TV.

  • While I know that NAT is not a security solution by itself, can someone explain to me how a remote actor who is outside of a NAT could compromise a device inside of it unless the NAT forwards at least some of its incoming requests to that device, or else the remote actor is explicitly impersonating the particular domains that the device inside of the NAT might otherwise want to connect to at the time it tries to connect to it (which would affect desktop computers just as readily as smart TV's, would it not?)
    • There are some re-binding attacks that leverage weaknesses in consumer-grade routers when browsing certain sites. The basic idea is that you load some malicious javascript from some site or ad network which attempts to rebind certain DNS queries to your local router's internal address. By doing that, it can then attempt to leverage flaws or weak passwords to gain access and/or issue UPNP commands to open ports through your NAT to internal devices.

      If your smart tv has a built-in web browser, don't use it.

      Als

  • Is that so hard? (Score:5, Insightful)

    by Impy the Impiuos Imp ( 442658 ) on Monday December 02, 2019 @09:53AM (#59476488) Journal

    I want two hard-wired LEDs, one for mic and one for camera, any time they are powered on, such that it cannot be finessed off with software.

  • by 140Mandak262Jamuna ( 970587 ) on Monday December 02, 2019 @10:00AM (#59476524) Journal
    My good old DLP, bought in Circuit City in 2006 finally died last Thursday. So got a new one, a smart TV. Did not give it any WiFi access. But pretty soon it could become impossible to secure it.

    My CPAP (continuous positive air pressure) machine for my apnea was upgraded last week. The older model had a small display screen giving average number of hours of use, number of days of use etc. The insurance company used to bug me for these usage details. The nurse was so happy, "We wont nag you anymore! This machine comes with its own modem (?) and it can file the reports automagically through the cell network! We will know the hours of use!"."

    With a start I realized the LTE chip is cheap, ridiculously cheap!. Candybar phones are now less than 25$, retail. Bulk order without phone hardward, and a simple data connection, it could be as cheap as 5$. It will not be costly for any device maker, to bypass the WiFi and directly make an LTE phone home function built into the TV or any appliance for that matter. Fridge, washing machine, hair drier ... any powered device can call home and spy on you for just 5$!

    • by leonbev ( 111395 )

      Personally, I'd be happier if these smart devices had LTE modems connected to public networks instead of being on my Wi-Fi network. That way, if they get hacked, they can't be used as a gateway to the rest of my networked devices.

      • Why not setup a guest network and with no access to your local vlan? (isn't that feature included in most new routers)

    • Not sure what you are talking about. You can buy $5 LTE single chips on Aliexpress. In bulk they are around $1. Why would this be news to you? If you are using the ResMed CPAP then you can turn off the LTE. If you don't, the Russians might asphyxiate you while you are sleeping.

      • Thanks for cheering me up, buddy!

        If it is cheaper than I thought, it would be even more tempting for manufacturers to sneak in spying hardware in.

        • Here is an even bigger shocker: you are being spied upon RIGHT NOW by the tech companies. There are about 8 trackers RIGHT NOW on this VERY WEBPAGE. You can see them if you install the Ghostery extension. And you know what? They didn't even have to buy a $1 chip or install any hardware.

          • Its one thing to spy on my browsing. I use many aliases and I randomly switch them, and try to create some sort of separation between the routine surfing handles and other handles with more personal identifiers.

            Its an entirely different thing to put a pin hole camera and a microphone and listen to conversations, and phone home.

    • LTE basic connection chips and supporting hardware costs less than $2 in bulk, it’s the corporate leasing of the data over the network that winds up costing more. Companies gladly pay your iot cell phone data bill to harvest and sell your data. The only limiting factor is this data needs to be low bandwidth to be profitable in general. The cost of the bandwidth is steadily dropping so yes that’s exactly what’s going to happen.
    • Well... as long as they are using their bandwidth (and hence, their dime), that's a step in the right direction.... they want my viewing data? They can be the ones to pay the transport costs....

  • I'm not your average home owner, I have more smart devices then I have non smart devices, including wifi light switches, numerous Google home and Alexa devices, security cameras and smart TV's, and a custom raspberry Pi controller to do custom automation.

    not a single one of them is on the same network as anything I care about, like my computers or smart phones.

    Router manufacturers need to start building this in as an easy to toggle "smart home mode" which picks up on things like smart devices and isolates t

  • ...gonna be some bored ass hackers if our TV had a microphone and camera and they were using them to spy on us....

  • I don't own a smart TV, I own a older Sony and ASUS laptop. I put a piece of a post-it over the camera om my ASUS so The Man can't watch me.. Paranoid? I guess so.
  • I bought a on-sale Samsung smart TV about a year ago, it is an older model and does not seem to get the most recent app updates. Any Disney+ is not available at all.

    If I was to do it again I would get the largest non-smart TV my budget could afford and use a Roku/Firestick for the streaming functionality. I would also get a Tivo/Tablo OTA DVR for recording stuff off an antenna.

  • This is a legitimate question I have, what exactly are they worried about with hackers and smart tvs? Pretty much every broadband connection comes with a generic firewall type device which should stop someone from accessing the TV directly (minus people who poke holes in it and things like that, but I can't imagine those are the people they are worrying about). They aren't worried about someone clicking on something on the PC and then letting someone get to the TV, because they say the worry is the opposite

  • Wait, but if my smart TV can't talk to my smart toaster and my smart fridge, how will it know to make toast and then order bread that's really clay to make more toast when the toast commercial shows up on TV and I accidentally press the info button trying to make the stupid popover disappear?

"The most important thing in a man is not what he knows, but what he is." -- Narciso Yepes

Working...