Smart TVs new Web threat frontier

Lack of security measures such as antivirus and intrusion detection systems means Internet-connected TVs are susceptible to online scams and bot campaigns too, security watchers warn.
Written by Ellyne Phneah, Contributor

Smart televisions (TVs) are an emerging source of threats because of their constant connectivity to the Internet as well as the lack of antivirus and intrusion detection systems (IDS) for such devices, note security watchers.

Jonathan Andresen, Asia-Pacific vice president of marketing at Blue Coat Systems, noted that as with other devices with Internet access, smart televisions are susceptible to Web-based security threats too.

Elaborating, he said smart TVs bring two potential risks. The first is when cybercriminals run scams to trick victims into calling premium-rate numbers in order to purchase the content they saw advertised on TV. These scams are common and worked well with mobile phones, Andresen said.

The bigger risk, he added, is TVs that have been infected and are then used to monitor network traffic. The traffic information gathered gives cybercriminals greater opportunities to launch targeted attacks through frequently visited sites, said the Blue Coat executive.

The Firesheep attack on Facebook accounts in 2011 showed that even novice hackers can gain access to victims' online accounts with relative ease, he pointed out. Firesheep is a Firefox add-on that allows hackers to see everything their victims are doing on the Internet, he explained.

Guillaume Lovet, senior manager of FortiGuard Labs Threat Response Team at Fortinet, added that with more appliances becoming "smart" and connected, it is "normal" that smart TVs are now considered a possible platform for Web threats.

This could lead to the compromise of a TV operating system and allow attackers, who are likely to plant bots upon successful exploitation, to take control of the device, Lovet warned.

Both executives' comments came after the security firm Codenomicon released a whitepaper describing how six well-known TV manufacturers' products failed to pass the "fuzzing" test. It stated that fuzzing is a black-box technique with which abnormal inputs are generated and fed to the test system to monitor the device's behavior.

None of the manufacturers' top smart TV models cleared all the tests related to critical communications protocols, Codenomicon noted.

Consumers have limited defense

The Fortinet executive said that to safeguard their TVs, consumers can request a clean pipe from their Internet service providers (ISPs). "ISPs can take on the role of making sure the pipes are clear of infection vectors, enabling consumers to safely access all their connected smart devices at home," Lovet said.

Users should also make sure their TV systems have automatic updates enabled to fend off the latest threats, he added.

That said, he noted that consumers cannot do much to protect their connected TVs as antivirus and IDS are not available for these devices.

Smart TV maker Samsung told ZDNet Asia that before product launches, it would convene a security taskforce to review all possible security loopholes. This way, it can take immediate action to rectify any vulnerabilities detected.

For example, the taskforce will examine all open ports and perform fuzz testing to check for potential denial-of-service attacks, conduct real-time monitoring, and take immediate action against exploit attempts to gain root access into the TV's operating system, the spokesperson said.

Ultimately, Andresen said as long as these new, connected appliances have few security measures in place, "cybercriminals are here to stay and will continue to design and launch sophisticated attacks".
