The humble television is the latest in a long line of devices to receive “smart” enhancements that make it operate like a stripped-down computer rather than a simple display device. Features like a web browser and social network support can add convenience, but they also introduce potential security flaws. Here are three ways a hacker might infiltrate your home television.
In late 2013, for example, researchers at the Black Hat USA conference demonstrated a variety of attacks against Samsung’s SmartTV operating system. These attacks could steal local user credentials, read the browser history and cache, or tamper with and crash the TV’s built-in Skype app. And this wasn’t the first report; in late 2012 another pair of researchers posted a video showing they had learned to remotely take control of a Samsung television, though they did not explain how.
These problems are not surprising. Any device that runs popular web APIs will be vulnerable to exploits targeting them, and smart TVs are no exception. Samsung, to its credit, patched many of the problems when they appeared, but the existence of such wide-ranging issues shows smart televisions have become a new frontier in Internet security.
While some major television makers have designed their own operating system, others rely on Android. Many “smart TV” add-on boxes use Android, as well; Amazon has a long list of products running various versions of the OS.
These devices are vulnerable to many of the issues that haunt Android smartphones. Google’s operating system is the most targeted mobile OS in the world, so there’s no shortage of malware for users to avoid. Potential threats range from simple ad injectors that plague users with unwanted content to full-blown Trojans that can follow your every move and log passwords that you enter through your television or Android smart TV box.
The bad news is that Android has inherited the curse of Windows. Everyone uses it, so malware targets it in hopes of reaching a broad pool of potential victims. On the plus side, though, there are many Android security apps available and the tricks you’d normally use to help secure your smartphone will work with an Android smart TV, as well. Unlike users of a custom TV operating system, who are at the mercy of manufacturer updates, Android users can take a pro-active approach.
The Man In The Middle
Hybrid Broadcast Broadband, an emerging industry standard for television, promises added convenience. Users can view programs that have already played, for example, and can access interactive content like polls and shopping apps. In short, HbbTV is the next evolution for set-top boxes, and it’s gradually seeing adoption across the world with Europe as the leading market.
There is, however, a problem with the standard’s security. Transmissions sent via HbbTV do not require a verified origin, which makes them vulnerable to man-in the-middle attacks. Malicious data injected into the stream can easily pose a whatever source it’d like. To make matters worse, this standard is compatible with over-the-air transmission. An OTA HbbTV single is like a giant, unsecured access point.
In theory, then, a hacker with a transmission source could inject whatever data they’d like OTA viewers to receive. This could include not just broadcast data but data relating to television functions or even the function of devices connected to the TV.
HbbTV is not yet broadly used. The consortium behind the standard has used this as justification for lax security, stating any attack “would cost too much and not cover enough people” to be effective. This does not deny the underlying problem, however, and doesn’t change the fact such an attack will become more tempting as HbbTV sees broader use.
Should You Be Worried?
All of these potential threats are tempered by the fact no known attacks have taken place “in the wild.” Researchers have shown it can be done, but users have not yet been targeted – to anyone’s knowledge, at least.
This means your smart TV probably won’t be infected tomorrow. On the other hand, there was once a time when smartphone owners did not fear malware; now new threats appear every day. The first few people to download an SMS virus were statistically unlikely to be victims, but that knowledge didn’t help them when they received a $1,000 bill from their cellular provider.
There are some steps you can take to make yourself less vulnerable, though, and all of them are simple.
- Use a router with an enabled firewall
- Keep web browsing on your television to a minimum
- Never install apps from an unofficial source
- Download an antivirus app if Android is your operating system
- Disconnect your TV from the Internet if you don’t use its online features
- Keep current with your TV’s software updates
- Cover the webcam, if one is included
Such tips may seem ineffective or inconvenient, but they’re the only source of defense in this frontier. We’re unlikely to see antivirus and firewall functions built into smart TVs until in-the-wild attacks occur.
What do you think of television security? Is it a legitimate problem, or not worth consideration? Let us know in the comments.
Image Credit: Wikimedia/Paul & Aline Burland