Smart TVs are dumb, and so are we

Summary: Korean hacker SeungJin Lee can turn a smart TV into a surveillance and disinformation machine, thanks to the vendor's slack security coding. When will we learn?

Security researchers have suspected for some time now that smart TVs, or at least the software systems inside them, are actually pretty dumb, and that these network-connected devices could be easy prey for hackers. At the Breakpoint security conference in Melbourne on Thursday, we found out exactly how dumb smart TVs can be. The answer? They're very dumb.

Extraordinarily dumb.

Embarrassingly dumb.

Quiet-spoken SeungJin Lee has been hacking since 2000, long before he became a graduate student at Korea University and, as of around a month ago, technical advisor for Samsung's security centre. He has also been nominated to the advisory council for the Korean military's Cyber Command.

Lee walked through the process of how he hacked his way into a typical smart TV from "an unnamed vendor" — a non-Japanese company whose name starts with a consonant in the second half of the alphabet. It was, like all smart TVs, a TV attached to a PC. Like many upper-range smart TVs, it included a camera, motion sensor, and microphone. This model had an ARM processor running Linux and, on top of that, the manufacturer's proprietary software — more than 200 megabytes of it.

Smart TVs have almost the same attack vectors as smartphones, Lee said, and he proceeded to describe more than 10 different vulnerabilities that would allow him to get a shell (command line) on the device. Without going into the technical details, the short version is that if an attacker can get onto the same network as the TV, then they can pwn it.

As Lee described his work, I was led to a clear conclusion: The software architecture of this smart TV from "an unnamed vendor" is rubbish.

For a start, all the apps run as "root", the administrative user. "So that's a major fail," Lee said. Yes. Yes, it is.

The firmware was riddled with bugs that are classic security flaws. "There are many functions that handle string/data wrongly," Lee's slides said. Yes. Yes, there are.

Lee even found ways to conduct man-in-the-middle (MITM) attacks on the cryptographic systems that authenticate app updates. In other words, he can pretend to be the official app download site for "an unnamed vendor" to insert his own apps into the system. Some of the update processes didn't even check the digital certificates for authenticity.

Given that one of the software update paths is via the broadcast TV spectrum, this creates the theoretical possibility of setting up a fake TV broadcaster and infecting every smart TV of that model in an entire city all at once.

Now, this particular vendor's software did include a daemon (software service) called PREVENTER that monitored running apps and killed them if the code wasn't signed as genuine by the manufacturer's digital certificate. But PREVENTER was easy to defeat: Lee just told it to stop running.

"When I told this to the vendor, there was much shame," Lee said.

Quite.
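Why apps running as root leave a monitor like PREVENTER exposed, shown as an added audit example (not from Lee's talk or the vendor's code). It assumes the monitor itself runs as root and that a signal is one way to stop it, which the article does not specify; the `/proc/<pid>/status` excerpts are constructed and every process name except PREVENTER is hypothetical.

```python
import re

CAP_KILL = 1 << 5  # bit 5 of the Linux capability mask is CAP_KILL

# Constructed /proc/<pid>/status excerpts (assumption: monitor runs as root).
SAMPLE_STATUS = {
    "PREVENTER": "Name:\tPREVENTER\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n",
    "app_as_root": "Name:\tapp_as_root\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n",
    "app_own_uid": "Name:\tapp_own_uid\nUid:\t1001\t1001\t1001\t1001\n"
                   "CapEff:\t0000000000000000\n",
}

def parse_status(text):
    """Extract real/effective/saved UIDs and the effective capability mask."""
    uid = re.search(r"^Uid:\s+(\d+)\s+(\d+)\s+(\d+)", text, re.M)
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M)
    if not uid or not cap:
        raise ValueError("status text lacks a Uid or CapEff line")
    ruid, euid, suid = map(int, uid.groups())
    return {"ruid": ruid, "euid": euid, "suid": suid,
            "capeff": int(cap.group(1), 16)}

def can_signal(sender, target):
    """Linux kill(2) rule: the sender holds CAP_KILL, or its real or effective
    UID equals the target's real or saved set-user-ID."""
    if sender["capeff"] & CAP_KILL:
        return True
    return bool({sender["ruid"], sender["euid"]}
                & {target["ruid"], target["suid"]})

def apps_able_to_stop(monitor_name, statuses):
    """Return the names of processes that are permitted to signal the monitor."""
    procs = {name: parse_status(text) for name, text in statuses.items()}
    monitor = procs[monitor_name]
    return sorted(name for name, proc in procs.items()
                  if name != monitor_name and can_signal(proc, monitor))

if __name__ == "__main__":
    # Only the app sharing root with the monitor is flagged.
    print(apps_able_to_stop("PREVENTER", SAMPLE_STATUS))
```

An app given its own unprivileged UID and no capabilities is not flagged, which is the property a per-app UID design buys.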

More than 80 million smart TVs were sold globally in 2012 — and presumably even more will be sold this year — finding their way into homes, upmarket hotels, schools, and corporate meeting rooms. With many if not all of them trivial to hack, the possibilities for committing mayhem are many.

A camera and microphone-equipped smart TV could be used for surveillance, just like a smartphone — only much, much better.

Lee's experiments in using a smartphone for surveillance, setting it to take a photograph once a minute, uncovered two problems. Only 1 percent of the resulting images were usable. The remaining 99 percent were just the darkness of his pocket, or rendered useless by motion blur. And all of this photography soon flattened the phone's battery.

A smart TV doesn't move and has mains power, so these two problems disappear. What's more, it can stream live video.

"Do not put the smart TV in the bedroom," Lee said.

The vendor's response was to point out that the TV can't take photos or stream video if it's turned off. True. But Lee could work around that, too, unless the device was physically unplugged from the power outlet. Turning the TV on and off is handled by a software function called TCTv::Power(). Lee hooked that function so that when it's called to turn the device off, it turns off the power indicator LED, but leaves the kernel and his rootkit running.

Since the TV has no fan or spinning hard drives, there's no sound to give away the fact that it's still turned on.

As a final touch, Lee showed how he could pop up a fake news headline graphic over the top of the genuine live video stream from a news channel.

When the Syrian Electronic Army hacked the Associated Press Twitter account and issued a fake news headline saying that US president Barack Obama had been injured, it wiped billions of dollars off the stock market. And that's the result from just one news source issuing a single sentence of disinformation.

Imagine what might be possible with a coordinated campaign, delivered across multiple platforms and faking multiple channels — either to support each other by delivering the same message, or to create utter confusion by delivering dozens of conflicting reports.

All of this is down to the simple fact that, yet again, devices are being connected to the network when they're simply not up to the task of defending themselves.

Back when the first computers got hit with malware, in the days of mainframes and routers and not much else, it was excusable. But after the same non-strategy of connecting first and thinking about defence later — after you're already pwned — has failed for mini computers, then personal computers, then networked printers, then wireless devices, then smartphones, doing the same dumb thing for smart TVs is, well, truly dumb.

About

Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

Talkback

12 comments
  • Linux?

    Noooooooooooooo
    hubivedder
    • All the TV's software runs as "root".

      And by the sound of it, the TV's software is rubbish. Pwning the TV is therefore just a matter of finding a single hole in bad code.
      Zogg
    • It would have been better...

      ...if all the software had been running as "administrator" under Windows? Also, the system could have as easily been running under BSD, or any of the several surviving flavors of commercial UNIX.

      Running everything with elevated privileges is just plain stupid, no matter what the OS is.
      John L. Ries
      • or, if you'd like...

        ...running as "System" under Windows (services are easy to configure that way).
        John L. Ries
  • Smart TVs are Useless

    I have a "smart TV".
    The "smart" functions are basically useless and unbelievably slow.

    You are much better off buying a dumb panel with the best quality picture you can afford.
    Then just hook up a Media Center PC to it.
    ITenquirer
  • So my old TV is still better?

    I have a 720p display from 2009 in my living room. Image quality is great (I can't tell the difference between 720p and 1080p from my sofa so it's more like "good enough for me") and it does everything I need it to do.
    Heck, next gen consoles won't even be able to run all games at 1080p so why should I give a damn about 1080p?
    It also doesn't have any gimmicks that I don't need. I stream movies to it from my PC through my PS3, that's the most "advanced" thing I am doing with it.
    This TV has never given me any trouble at all and I am perfectly happy with it. And now I read that smart TVs are not only rubbish because they are not very good at what they are doing but also incredibly unsafe when connected to my network, which I need to do in order to actually use all the smart features they have?
    Yeah, I really don't see any reason to buy a new TV now. I don't need 1080p, there is no content for 4K yet (only if I were to stream 4K stuff, which I don't have, from my PC) and smart TVs enable hackers to watch me sleep. No thank you!
    mathiasappel@...
  • No regulatory interest = massive threat

    Imagine - governments worldwide let the car industry "self regulate"!
    Imagine - there are no safety and security regulations or legislation for the air transport industry!

    Richard A Clarke clearly issued the warning many years ago that lack of political will meant that in the USA a national critical information infrastructure had been created with no real security concerns at all.

    We have had the parameters for cyber-security for many years - remember the "Orange Book" - yes, released 30 years ago in August 1983! ( PS: The media/press seem to have ignored that fact.)

    We all have to make it clear to our political and thus democratic "masters" that the world cannot continue in a total "legislation free zone" when it comes to the ICT industry! ( No - it really is time to stop blaming the end-user / consumer for all cybersecurity problems. They really cannot re-configure that TV operating system!)

    This is just another clear example of how totally lax attitudes to a critical industry can create major national and international problems.

    However, I am not "holding my breath" for any action from Australia's government, politicians or regulators. So - well - use a "dumb" TV like I do.... and do not link it to any WiFi or Ethernet connections. ( BUT just wait till TV groups offer "Buy and Pay" now services along with the usual TV ads with an "intelligent" remote! Cyber criminals will be simply drooling!)
    w.caelli@...
  • So THAT's how they will do it!

    Remember Orwell's all-knowing, all-seeing screens? You'd NEVER buy one if it said what it had in mind on the box, right? Well now we know how it will happen. If all this is possible with sloppy Smart TV programming, then imagine with "officially sanctioned" designs.

    Build the things, prove they are "secure", get the public to eat it up, and get them out to all the homes. (Don't be surprised if, in some countries they became the standard, say, using the requirement of a "channel" for public announcements.) Then (remember, these have been vetted by some consumer agency or government communications arm) when penetration reaches a certain percentage and there are no longer any new options but those designs the backdoor is opened.

    And your bedroom TV can rate your performance, instead of the other way around.

    Don't say you haven't been warned. And we deserve it. Why do we insist on being hell-bent on EVERYTHING having a connection to the Internet? Your TV will send your pic to the Health Department, which will lock up your fridge and disable the car saying you are fat and need more exercise. (Hey, maybe SOME of this won't be so bad...)
    jwspicer
  • Hopefully...

    ...Samsung's own offerings will be much less hackable in the near future (I assume that's why Mr. Lee is working there).
    John L. Ries
  • Better advice

    Put your Smart TV wherever you please but firewall it, do not be an idiot and expose it on a public IP, take the usual precautions, I imagine your network connected air conditioner and washing machine have similarly poor security. These are things that are designed for convenience not security. If you really have a problem with the thought of someone hacking your Smart TV - Don't plug the thing in! - It really is that simple, if it's not network connected it's not a network risk, use it just like a traditional TV.
    Freman
  • Does anyone know of some sites where you can watch the "bedroom" TV...

    ...streams? Now that's entertainment.
    Playdrv4me
  • Smart TV senses dumb users

    Just goes to show that you can't believe everything you see/read on your (smart) TV!

    Glad my non-networked TV can't watch me pick my nose when I'm alone and bored by its content, but I do like my 1080p.

    Manufacturers will no doubt be scrambling to secure their future systems and advertising hype geared to overdrive as new models are produced with advanced security and bimonthly patches keep ahead of the game.
    david66lewis