Who's watching your TV? Sony quietly killed three critical Bravia TV bugs
Owners of several Sony Bravia models should check that their smart TVs are running the latest firmware to ensure they're still not vulnerable to three security flaws, one of which can result in "complete remote code execution with root privilege".
Security
The flaws, reported by researchers at Fortinet, were plugged in over-the-air (OTA) firmware updates Sony shipped in August. After completing the rollout in early August, Sony published an advisory detailing the flaws at the end of the month.
Fortinet's FortiGuard Labs researchers found the vulnerabilities in the Sony TVs' Photo Sharing Plus application. These included a stack buffer overflow, a directory traversal bug, and a command injection flaw.
According to Fortinet, the command injection flaw is the bug that could lead to remote code execution with root privilege.
"Since they can be exploited remotely without authentication by attackers who are connected to the same local network, customers should upgrade their TVs as soon as possible," the researchers warn.
SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)
Sony Bravia TV owners should have automatically received the firmware updates assuming they've not changed the device's default settings.
By default the affected Bravia TVs are set to automatically receive updates when they connect to the internet.
Despite this default, Sony has advised users to visit the Download section of the TV's product page and check it's running the fixed firmware.
Affected Bravia TVs include models from Sony's R5C, WD75, WD65, XE70, XF70, WE75, WE6, and WF6 series.
Fortinet notified Sony's product security incident response team in March, which the company immediately acknowledged. After confirming the flaws, Sony began shipping the OTA updates on June 1.
The researchers note that Sony's response suggests smart TV security is getting better, but warned that privacy issues remain.
Smart TVs though are just part of a growing number of connected devices that could give remote attackers a foothold in homes or businesses.
The makers of several smart camera brands have patched serious flaws that attackers could use to spy on users.
Previous and related coverage
Flaw let researchers snoop on Swann smart security cameras
Anyone could watch and listen to the live stream from the internet-connected smart camera.
The spy on the corner of your desk: Why the smart office is your next security nightmare
Smart office devices could create a major security headache: do you really know what those gadgets can do?
IoT security warning: Your hacked devices are being used for cybercrime says FBI
Vulnerable devices like routers and webcams are providing an easy means of cyber criminals conducting attacks - and staying anonymous while doing it.
Researchers find security flaws in popular smart cameras
Researchers have discovered that cyber-attackers can remotely gain control of an IoT camera, allowing them to spy on users and more.
Working from home: 5 hidden downsides no one talks about TechRepublic
More and more Americans are trading a cubicle for a couch, but it does come with some obstacles. Here are the main challenges and how to handle them.
Consumer Reports finds Samsung, Roku TVs vulnerable to hackingCNET
Certain smart TVs not only raise privacy concerns but can be controlled by hackers exploiting easy-to-find security flaws, according to the publication.