Feeds

Samsung's smart TVs 'wide open' to exploits

The downside to being 'more like a PC'

Next gen security for virtualised datacentres

Samsung's Smart TV has a vulnerability which allows remote attackers to swipe data, according to security researchers.

Malta-based security start-up ReVuln claims to have discovered a zero-day vulnerability affecting Smart TV, in particularly a Samsung TV LED 3D.

Smart TV can be used to browse the internet, use social networks, purchase movies and perform many other functions. A demo video produced by ReVuln shows how a "vulnerability for such devices can be used to retrieve sensitive information, monitor and root the device," according to Luigi Auriemma of ReVuln. Exploits developed by ReVuln appear to allow it to access remote files and information (including viewing history) as well as the ability to siphon off data on USB drives attached to a compromised TV.

"This specific vulnerability affects almost all the Samsung televisions of the latest generations, so multiple models," Auriemma told El Reg.

"We plan to invest more time and effort on the home devices security in the near future testing the products of many other vendors (we chose Samsung because it's the current market leader in this sector) and moreover finding new types of attacks and ways to use such vulnerabilities. The televisions are just the beginning," he added.

ReVuln says it plans to sell information on the vulnerabilities, rather than report them to equipment manufacturers, in order to "speed up" the development of a fix. Consistent with this general policy, ReVuln is not going into details about the flaws it claims to have discovered.

Security flaws in advanced television sets, which are becoming more like computers, and set-top boxes, has elicited the interest of other security researchers over recent months.

For example, Adam Gowdiak of Security Explorations discovered a possible mechanism for infecting set-top boxes with malware back in January. The attack created the means to either steal or share a satellite signal from a pay-TV subscriber. Proof-of-concept malware developed by Gowdiak offered a means to defeat the Conax conditional access system, the cryptographic technology designed to prevent this type of set-top-box hijacking and unauthorised sharing of satellite programming. The same trick might also be used to capture HD content for later distribution over the internet.

Security Explorations said all four satellite receivers (ITI5800S, ITI5800SX, ITI2850ST, ITI2849ST) tested in its lab, each manufactured by Advanced Digital Broadcast for ITI Neovision, are allegedly vulnerable. Each implements Conax conditional access using an additional security feature called chipset pairing. Flaws in chipset pairing lay at the heart of the multiple vulnerabilities uncovered by Security Explorations.

Unlike ReVuln, the Polish security research start-up notified firms that either supplied or used the affected technology.

Gowdiak presented details of the security vulnerabilities at the at Hack In The Box Security Conference in Amsterdam in May.

Set-top boxes and smart TVs are commonly (but wrongly) thought to be immune from malware and hacking attacks. In reality television systems are becoming more like PCs than the dumb devices of yesteryear, a factor that opens them up to potential security exploits. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.