Security researchers have suspected for some time now that smart TVs, or at least the software systems inside them, are actually pretty dumb, and that these network-connected devices could be easy prey for hackers. At the Breakpoint security conference in Melbourne on Thursday, we found out exactly how dumb smart TVs can be. The answer? They're very dumb.
Quiet-spoken SeungJin Lee has been hacking since 2000, long before he became a graduate student at Korea University and, as of around a month ago, technical advisor for Samsung's security centre. He has also been nominated to the advisory council for the Korean military's Cyber Command.
Lee walked through the process of how he hacked his way into a typical smart TV from "an unnamed vendor" — a non-Japanese company whose name starts with a consonant in the second half of the alphabet. It was, like all smart TVs, a TV attached to a PC. Like many upper-range smart TVs, it included a camera, motion sensor, and microphone. This model had an ARM processor running Linux and, on top of that, the manufacturer's proprietary software — more than 200 megabytes of it.
Smart TVs have almost the same attack vectors as smartphones, Lee said, and he proceeded to describe more than 10 different vulnerabilities that would allow him to get a shell (command line) on the device. Without going into the technical details, the short version is that if an attacker can get onto the same network as the TV, then they can pwn it.
As Lee described his work, I was led to a clear conclusion: The software architecture of this smart TV from "an unnamed vendor" is rubbish.
For a start, all the apps run as "root", the administrative user. "So that's a major fail," Lee said. Yes. Yes, it is.
The firmware was riddled with bugs that are classic security flaws. "There are many functions that handle string/data wrongly," Lee's slides said. Yes. Yes, there are.
Lee even found ways to conduct man-in-the-middle (MITM) attacks on the cryptographic systems that authenticate app updates. In other words, he can pretend to be the official app download site for "an unnamed vendor" to insert his own apps into the system. Some of the update processes didn't even check the digital certificates for authenticity.
Given that one of the software update paths is via the broadcast TV spectrum, this creates the theoretical possibility of setting up a fake TV broadcaster and infecting every smart TV of that model in an entire city all at once.
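As an added example (not from Lee's talk or the vendor's firmware), the check that the update paths above were missing can be written as follows in Go. It assumes a hypothetical package layout and an Ed25519 vendor key pinned in the firmware, and it goes one step beyond the article by also refusing validly signed but older releases.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Update is a hypothetical package layout; none of these names are the vendor's.
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte // Ed25519 signature over signedBytes(Version, Image)
}

// signedBytes binds the version to the image digest so neither can be swapped.
func signedBytes(version uint32, image []byte) []byte {
	d := sha256.Sum256(image)
	return append(d[:], byte(version>>24), byte(version>>16), byte(version>>8), byte(version))
}

// VerifyUpdate fails closed, whatever channel (download or broadcast) delivered u.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint32, u Update) error {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, signedBytes(u.Version, u.Image), u.Sig) {
		return fmt.Errorf("signature not verifiable with pinned vendor key")
	}
	if u.Version <= installed {
		return fmt.Errorf("version is not newer than the installed one")
	}
	return nil
}

// Demo: constructed samples (genuine, altered, other signer, older) vs installed v7.
func Demo() [4]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	sign := func(k ed25519.PrivateKey, v uint32, img []byte) Update {
		return Update{v, img, ed25519.Sign(k, signedBytes(v, img))}
	}
	good := sign(priv, 8, []byte("app-v8"))
	return [4]error{
		VerifyUpdate(pub, 7, good),
		VerifyUpdate(pub, 7, Update{8, []byte("app-v8-altered"), good.Sig}),
		VerifyUpdate(pub, 7, sign(otherPriv, 8, []byte("app-v8"))),
		VerifyUpdate(pub, 7, sign(priv, 6, []byte("app-v6"))),
	}
}

func main() { fmt.Println(Demo()) }
```

Only the first sample installs; the other three are rejected before any byte of the image is used.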
Now, this particular vendor's software did include a daemon (software service) called PREVENTER that monitored running apps and killed them if the code wasn't signed as genuine by the manufacturer's digital certificate. But PREVENTER was easy to defeat: Lee just told it to stop running.
"When I told this to the vendor, there was much shame," Lee said.
More than 80 million smart TVs were sold globally in 2012 — and presumably even more will be sold this year — finding their way into homes, upmarket hotels, schools, and corporate meeting rooms. With many if not all of them trivial to hack, the possibilities for committing mayhem are many.
A camera and microphone-equipped smart TV could be used for surveillance, just like a smartphone — only much, much better.
Lee's experiments in using a smartphone for surveillance, setting it to take a photograph once a minute, uncovered two problems. Only 1 percent of the resulting images were usable. The remaining 99 percent were just the darkness of his pocket, or rendered useless by motion blur. And all of this photography soon flattened the phone's battery.
A smart TV doesn't move and has mains power, so these two problems disappear. What's more, it can stream live video.
"Do not put the smart TV in the bedroom," Lee said.
The vendor's response was to point out that the TV can't take photos or stream video if it's turned off. True. But Lee could work around that, too, unless the device was physically unplugged from the power outlet. Turning the TV on and off is handled by a software function called TCTv::Power(). Lee hooked that function so that when it's called to turn the device off, it turns off the power indicator LED, but leaves the kernel and his rootkit running.
Since the TV has no fan or spinning hard drives, there's no sound to give away the fact that it's still turned on.
As a final touch, Lee showed how he could pop up a fake news headline graphic over the top of the genuine live video stream from a news channel.
When the Syrian Electronic Army hacked the Associated Press Twitter account and issued a fake news headline saying that US president Barack Obama had been injured, it wiped billions of dollars off the stock market. And that's the result from just one news source issuing a single sentence of disinformation.
Imagine what might be possible with a coordinated campaign, delivered across multiple platforms and faking multiple channels — either to support each other by delivering the same message, or to create utter confusion by delivering dozens of conflicting reports.
All of this is down to the simple fact that, yet again, devices are being connected to the network when they're simply not up to the task of defending themselves.
Back when the first computers got hit with malware, in the days of mainframes and routers and not much else, it was excusable. But after the same non-strategy of connecting first and thinking about defence later — after you're already pwned — has failed for mini computers, then personal computers, then networked printers, then wireless devices, then smartphones, doing the same dumb thing for smart TVs is, well, truly dumb.