Tin Hat Time – Scrap your Smart TV!


Viewing 20 posts - 1 through 20 (of 29 total)
  • #5744
    Ed P
    Participant
      @edps
      Forumite Points: 39

      Only conspiracy theorists, terrorists and students in Hall need worry at the moment. However the ease of making a Software Radio opens this up to widespread attacks by ‘bad-actors’ doing Smart TV sweeps & exploits from cars within the near future. Let us just hope that the Smart TV hack blogged about in Ars (link) gets some firmware fixes pdq.

      #5745
      JayCeeDee
      Participant
        @jayceedee
        Forumite Points: 228

        Interestingly enough the link mentions Samsung TVs. They were the ones that had voice control warnings back in 2015!! Link. I presume the two could be combined for an excellent spy mike!!

        #5751
        Bob Williams
        Participant
          @bullstuff2
          Forumite Points: 0

          I have a Sony ‘dumb’ TV, connected to a Sky Q box. As it receives a DVB-T signal, I guess that includes my service. Now, if they want to hear two somewhat deaf septuagenarians shouting at the TV and each other, they are very welcome. If they want to confuse my dear SWMBO even more by hacking the thing, they can be my guest.

          As long as they ignore what happens when some political dipstick opens his/her orifice and attempts to make me believe in the sincerity and truth behind his/her words.

          When the Thought Police arrive at your door, think -
          I'm out.

          #5752
          JayCeeDee
          Participant
            @jayceedee
            Forumite Points: 228

            After a quick Google to confirm my initial thoughts, it only involves Samsung and possibly LG TVs too, as far as eavesdropping is concerned.

            “Dumb” and even Smart TVs are only going to be overheard if voice control is either activated, or added on as an aftermarket addition. link

            You’re safe…………..ish!! :yahoo:

            #5754
            Ed P
            Participant
              @edps
              Forumite Points: 39

              In fact if you carefully read the article and do a bit of extrapolation it says that nearly ALL smart TVs are vulnerable as they are based on an ancient release of Linux which is rarely if ever patched to remove all the many Linux vulnerabilities that have emerged in the intervening years. Assuming the broadcast signal is able to set up a root account, then further broadcasts can take over the control of the Linux computer at the heart of the TV. If this is attached to your network it is almost certainly a trusted device and could in theory then mount attacks against more capable PCs. It isn’t just the mumbling and cussing of a typical family TV room but full access to any or all your computerised financial affairs.

              In short this could be all the potential headaches of the IoT and ip cameras but without the pain of trying to get through passwords and firewalls.

              Luckily I think there is a little time to fix these issues before they impact on more than conspiracy theorists etc.

              #5756
              Richard
              Participant
                @sawboman
                Forumite Points: 16

                Assuming for one moment that you set up your transmitter and send out a message to all the TVs in an area, what happens then? All of the TVs can maybe, perhaps send everything they hear to ? What would they then do with all the noise that can come bumbling in?

                This of course begs the question, what is so smart about a TV that will start off with several possible features, only for them to get disabled due to a lack of updates, withdrawal of services, etc.? Why even have voice responses, some ‘remote controls’ are pretty dire after a few feet’s distance on a good day, I can imagine that voice over 20 foot or so would be a nightmare.

                #5757
                JayCeeDee
                Participant
                  @jayceedee
                  Forumite Points: 228

                  Why even have voice responses, some ‘remote controls’ are pretty dire after a few feet’s distance on a good day, I can imagine that voice over 20 foot or so would be a nightmare.

                  Quote taken from my link above – my second post – :-

                  “This warning applies only to Samsung TVs that have always-on listening features. These sets usually have a microphone built into the remote, allowing you to issue commands to the TV after speaking a particular phrase that wakes up the system or by hitting a button. ”

                  At my computer desk, if I’ve got the TV going in the background, either waiting for a programme to start or keeping an eye on the news, I can control the TV or the Sky box from about 15 feet. Newer remotes are a generation apart from those from a few years ago.

                  #5764
                  Ed P
                  Participant
                    @edps
                    Forumite Points: 39

                    Richard, it is in the article:

                    ” … the attack gave Scheel the ability to remotely connect to the TV over the Internet using interfaces that allowed him to take complete control of the device. The infection was also able to survive both device reboots and factory resets.”

                    and their referenced earlier paper:

                    “…. our findings are significantly broader than the specific devices that we used in our analysis; indeed, any future device that follows these specifications will contain these same vulnerabilities. Exploiting these vulnerabilities, an attacker can cause many thousands of devices to interact with any web-site, even using any credentials stored in the TV sets for accessing services such as social networks, webmail, or even e-commerce sites. This capability can be leveraged to perform “traditional” attack activities: perform click-fraud, insert comment or voting spam, conduct reconnaissance (within each home network or against a remote target), launch local or remote denial of service attacks, and compromise other devices within the home network or even elsewhere. Beyond these, the attacker can also control the content displayed on the TV, to craft phishing and other social engineering attacks that would be extremely convincing, especially for TV viewers who are educated to (and have no reason not to) trust their screens”

                    Complete control of an embedded Linux computer means that you can set up root with your own password. Once there you can call mother in GCHQ/NSA etc and download more instructions to do a network scan or anything that can be done by a Trojan. If the network is on the ‘wanted’ list then the target is completely compromised. So much for today’s environment when only Nation States have access to the TV broadcasts, tomorrow is something else as that is the one where the Black Hats can cruise around neighbourhoods taking over networks setting up bots etc.

                    I’m not really too worried about GCHQ/NSA as they can only afford to go for specific targets and hopefully do not do anything for trivial reasons. Black Hats do it for lulz or criminal intent and are far more of a worry!

                    #5772
                    The Duke
                    Participant
                      @sgb101
                      Forumite Points: 5

                      I’m going to take control of all the tvs when X factor is on,  get them to call my premium rate number when voting.  :yahoo:

                       

                      #5776
                      Richard
                      Participant
                        @sawboman
                        Forumite Points: 16

                        Ed, my question was why even have a TV with those sorts of capabilities? I still do not have a clear answer to that point. I do understand that once an invader is inside the place they can run amok. I have even less idea why I would want one with voice listening abilities. It is not as though you can dictate anything useful such as emails or letters to the darned thing, nor can you have a conversation with it either.

                        Interestingly the plasma TV (that shows its age) has a very effective remote even at well over 25 feet, a more recent PVR is iffy at more than about 18 feet.

                        #5777
                        Richard
                        Participant
                          @sawboman
                          Forumite Points: 16

                          I’m going to take control of all the tvs when X factor is on, get them to call my premium rate number when voting. :yahoo:

                          I thought that x factor was a good reason to turn the darned thing off, perhaps even pull the plug to keep safe from the excruciating performances.:good:

                          #5780
                          Bob Williams
                          Participant
                            @bullstuff2
                            Forumite Points: 0

                            It would be good to know that someone is actually listening when I shout at the TV, though.

                            Steve & Richard: I look at X factor as Televisual Torment. I don’t know of anyone who likes it, but it is just another of those talentless shows that are accompanied by moronic screaming, whistling and whooping. Every public performance seems to be subjected to this nowadays. When my gdaughter’s Dance Company put on a show at the local theatre, the young performers (some as young as 4) were screamed at by two teenage girls behind me. I asked if they needed medical treatment for their hysteria, or were they subject to Epilepsy?

                            That seemed to quieten them.  :wacko: :yahoo:

                            When the Thought Police arrive at your door, think -
                            I'm out.

                            #5783
                            Ed P
                            Participant
                              @edps
                              Forumite Points: 39

                              Richard, I think it is getting to be pretty difficult to buy non-Smart TVs.

                              a) The public want them – so that is what vendors stock (roughly 50% are ‘smart’ at the moment.) The public want a Smart TV as British TV is fairly dire so people watch Netflix etc via their Smart box.

                              b) The manufacturers are getting additional revenue streams from selling or pushing services etc.

                               

                              #5792
                              Richard
                              Participant
                                @sawboman
                                Forumite Points: 16

                                Richard, I think it is getting to be pretty difficult to buy non-Smart TVs. a) The public want them – so that is what vendors stock (roughly 50% are ‘smart’ at the moment.) The public want a Smart TV as British TV is fairly dire so people watch Netflix etc via their Smart box. b) The manufacturers are getting additional revenue streams from selling or pushing services etc.

                                Elsewhere it has been suggested that the public are frequently unaware of what they wish for, so I can understand point (a), hopefully I can dip into the pool of the almost 50% and find one that does not have such features. I have an Amazon Fire stick, but have yet to watch anything as the UI was too much hard work. For me the idea of subscription services is a total turn off, so I will happily be one of a small and perhaps dying herd.

                                Given (b) I either avoid the misleadingly named ‘smarts’ and do not fall for the tricks or I do not connect the idiot box to WiFi or Ethernet. I need to retain my own revenue streams not help other richer ones increase theirs. Then at least I will not pay for smarts that turn out to have a short and possibly dangerous (to me) life.

                                I presume that the reprogrammable boxes in question should be put on a different LAN address scheme and avoid the interconnect with other home systems. Please pardon my ignorance, but do these TVs have access to credit or charge-card mechanisms for paid for services?:yahoo:

                                Scary.:cry:

                                Steve, Doesn’t everyone block premium rate numbers from their phones anyway?:good:

                                #5794
                                Ed P
                                Participant
                                  @edps
                                  Forumite Points: 39

                                  Smart TVs have a browser, so have all the benefits and insecurities that go with it. I think securing Smart TVs is non-trivial as they normally use a wifi connection to the router and seem to default to DHCP. Probably the better way of securing them would be to label them non-trusted in firewalls.

                                  I have never seen the code-base for Firestick but I would be reasonably surprised if it does not conform to the code used in Smart TVs so it probably has the same inherent vulnerability of any IoT device – it uses an ancient unpatched form of Linux and it connects to the Internet.

                                  #5795
                                  Dave Rice
                                  Participant
                                    @ricedg
                                    Forumite Points: 7

                                    The Amazon Fire o/s is a fork of Android. It receives regular updates in the same manner and has an Amazon curated store (although as has been discussed here before you can get Google Play Store on there as I have).

                                    I believe most Smart TVs also use Android rather than straight Linux, but LG use WebOS and Samsung have their own Tizen (both Linux kernel based).

                                    #5796
                                    JayCeeDee
                                    Participant
                                      @jayceedee
                                      Forumite Points: 228

                                      Just came across this Wiki on my research. Shows systems and platforms. See LIST – 4th box-out down.

                                      #5801
                                      Ed P
                                      Participant
                                        @edps
                                        Forumite Points: 39

                                        According to the research paper, the core problem goes a bit deeper.

                                        “In the attempt to bring modern broadband Internet features to traditional broadcast television, the Digital Video Broadcasting (DVB) consortium introduced a specification called Hybrid Broadcast-Broadband Television (HbbTV), which allows broadcast streams to include embedded HTML content which is rendered by the television. This system is already in very wide deployment in Europe, and has recently been adopted as part of the American digital television standard”

                                        In the context of the research paper I read this as saying that the ‘door-opener’ to local user access is an inherent part of the standard!

                                        “… To create an autostart broadcast-dependent application, the broadcaster includes in the MPEG transport stream an additional application information table (AIT) describing the broadband-based application, then references this table in the program mapping table (PMT) describing a certain TV channel. The HbbTV specification defines two possible ways of providing the application’s actual web content (i.e., HTML pages, images, and scripts). One way is to have the AIT include a URL that points to a web server hosting the application. ”

                                        Put simply this gives the ‘broadcaster’ local user access privilege, and of course the same for any LAN/WAN connected device.  Whether this gives ‘root’ to the TV depends as said on the TV/device’s OS patching. However generally speaking gaining local user access is more than half the battle for a hacker, local privilege escalation bugs are relatively common. However in the context of gaining local user access to the household LAN such an exploit is at best a moot question!

                                        The time to get really worried is when you read that a Software Defined Radio (SDR) has been hacked to generate DVB signals in the UK spectrum, as that is when BlackHats will start cruising neighbourhoods. Next week maybe! link

                                        Until then we need only worry whether GCHQ has gone to the dark-side.

                                        [edited to remove some funky line-breaks in the quotes]
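
Added example, not part of any post in this thread or of the quoted paper: a Python sketch that reads the application information table (AIT) described in the quote above and lists the URLs of applications marked autostart, which is what you would check in a captured section. The field layout is assumed to follow the DVB application-signalling format (ETSI TS 102 809); the sample section, its example.invalid URL and the zeroed CRC are constructed.

```python
import struct

AIT_TABLE_ID, AUTOSTART = 0x74, 0x01                    # table_id, control code
TRANSPORT_PROTOCOL, SIMPLE_LOCATION, HTTP = 0x02, 0x15, 0x0003

def u12(buf, pos):
    """12-bit length below 4 reserved bits; a short read yields a small value."""
    return int.from_bytes(buf[pos:pos + 2], "big") & 0x0FFF

def descriptors(buf):
    """Yield (tag, payload) from a descriptor loop; reject overruns."""
    pos = 0
    while pos + 2 <= len(buf):
        tag, length = buf[pos], buf[pos + 1]
        if pos + 2 + length > len(buf):
            raise ValueError("descriptor overruns its loop")
        yield tag, buf[pos + 2:pos + 2 + length]
        pos += 2 + length

def parse_ait(section):
    """Return one dict per application in an AIT section (CRC_32 not checked)."""
    length = u12(section, 1)
    if section[:1] != bytes([AIT_TABLE_ID]) or length < 13 or 3 + length > len(section):
        raise ValueError("not a complete AIT section")
    body = section[3:3 + length - 4]          # drop header and CRC_32
    pos = 9 + u12(body, 5)                    # first entry, after common descriptors
    end = pos + u12(body, pos - 2)            # application_loop_length
    if end > len(body):
        raise ValueError("application loop overruns section")
    apps = []
    while pos + 9 <= end:
        org_id, app_id, code = struct.unpack(">IHB", body[pos:pos + 7])
        dlen = u12(body, pos + 7)
        if pos + 9 + dlen > end:
            raise ValueError("application descriptors overrun loop")
        base, path = None, ""
        for tag, data in descriptors(body[pos + 9:pos + 9 + dlen]):
            if tag == TRANSPORT_PROTOCOL and len(data) >= 4 and int.from_bytes(data[:2], "big") == HTTP:
                base = data[4:4 + data[3]].decode("ascii", "replace")
            elif tag == SIMPLE_LOCATION:
                path = data.decode("ascii", "replace")
        apps.append({"org_id": org_id, "app_id": app_id, "control": code,
                     "url": base + path if base else None})
        pos += 9 + dlen
    return apps

def autostart_urls(section):
    """URLs of the applications the AIT marks AUTOSTART."""
    return [a["url"] for a in parse_ait(section)
            if a["control"] == AUTOSTART and a["url"]]

def constructed_sample():
    """Constructed AIT section: one AUTOSTART HTTP app; CRC_32 left as zeros."""
    url = b"http://tv-app.example.invalid/"
    sel = struct.pack(">HBB", HTTP, 1, len(url)) + url + b"\x00"
    descs = bytes([TRANSPORT_PROTOCOL, len(sel)]) + sel + bytes([SIMPLE_LOCATION, 10]) + b"index.html"
    app = struct.pack(">IHBH", 0x13, 1, AUTOSTART, 0xF000 | len(descs)) + descs
    body = struct.pack(">HBBBHH", 0x0010, 0xC1, 0, 0, 0xF000, 0xF000 | len(app)) + app
    return bytes([AIT_TABLE_ID]) + struct.pack(">H", 0xF000 | (len(body) + 4)) + body + bytes(4)
```

The URLs it returns are the hosts a set would contact on tuning to that channel, so they are the ones to compare against what the firewall lets the TV reach.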

                                        #5803
                                        Richard
                                        Participant
                                          @sawboman
                                          Forumite Points: 16

                                          Thank you, that will take some time to appreciate. It does sound like the law of unintended consequences biting the backside of those who let it come near to them. The question then becomes how hard does it really bite?

                                          #5813
                                          Bob Williams
                                          Participant
                                            @bullstuff2
                                            Forumite Points: 0

                                            This is my ‘Dumb’ TV:

                                            https://tinyurl.com/j3ondts

                                            Maybe not cutting edge, not UHD and perhaps lacking in the bells & whistles department, but we like it and the picture is great. 40″ is quite enough for our tiny lounge, with the TV on the chimney breast and us on the reclining settee, viewing is fine. It is connected via Optical, which defeated a tendency to lose speech sync occasionally. They do come in larger sizes. I got mine at a lower price after a haggle with the Sky and Curry’s guys, but I believe the set is cheaper at Argos atm.

                                            When the Thought Police arrive at your door, think -
                                            I'm out.
