Feeds

Samsung's smart TVs 'wide open' to exploits

The downside to being 'more like a PC'

Internet Security Threat Report 2014

Samsung's Smart TV has a vulnerability which allows remote attackers to swipe data, according to security researchers.

Malta-based security start-up ReVuln claims to have discovered a zero-day vulnerability affecting Smart TV, in particularly a Samsung TV LED 3D.

Smart TV can be used to browse the internet, use social networks, purchase movies and perform many other functions. A demo video produced by ReVuln shows how a "vulnerability for such devices can be used to retrieve sensitive information, monitor and root the device," according to Luigi Auriemma of ReVuln. Exploits developed by ReVuln appear to allow it to access remote files and information (including viewing history) as well as the ability to siphon off data on USB drives attached to a compromised TV.

"This specific vulnerability affects almost all the Samsung televisions of the latest generations, so multiple models," Auriemma told El Reg.

"We plan to invest more time and effort on the home devices security in the near future testing the products of many other vendors (we chose Samsung because it's the current market leader in this sector) and moreover finding new types of attacks and ways to use such vulnerabilities. The televisions are just the beginning," he added.

ReVuln says it plans to sell information on the vulnerabilities, rather than report them to equipment manufacturers, in order to "speed up" the development of a fix. Consistent with this general policy, ReVuln is not going into details about the flaws it claims to have discovered.

Security flaws in advanced television sets, which are becoming more like computers, and set-top boxes, has elicited the interest of other security researchers over recent months.

For example, Adam Gowdiak of Security Explorations discovered a possible mechanism for infecting set-top boxes with malware back in January. The attack created the means to either steal or share a satellite signal from a pay-TV subscriber. Proof-of-concept malware developed by Gowdiak offered a means to defeat the Conax conditional access system, the cryptographic technology designed to prevent this type of set-top-box hijacking and unauthorised sharing of satellite programming. The same trick might also be used to capture HD content for later distribution over the internet.

Security Explorations said all four satellite receivers (ITI5800S, ITI5800SX, ITI2850ST, ITI2849ST) tested in its lab, each manufactured by Advanced Digital Broadcast for ITI Neovision, are allegedly vulnerable. Each implements Conax conditional access using an additional security feature called chipset pairing. Flaws in chipset pairing lay at the heart of the multiple vulnerabilities uncovered by Security Explorations.

Unlike ReVuln, the Polish security research start-up notified firms that either supplied or used the affected technology.

Gowdiak presented details of the security vulnerabilities at the at Hack In The Box Security Conference in Amsterdam in May.

Set-top boxes and smart TVs are commonly (but wrongly) thought to be immune from malware and hacking attacks. In reality television systems are becoming more like PCs than the dumb devices of yesteryear, a factor that opens them up to potential security exploits. ®

Internet Security Threat Report 2014

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Managing SSL certificates with ease
The lack of operational efficiencies and compliance pitfalls associated with poor SSL certificate management, and how the right SSL certificate management tool can help.