Feature: Page (1) of 1 - 12/01/15

New SmartTVs Could Open the Door to Hackers

By Craig Young, Cybersecurity Researcher for Tripwire

!-- AddToAny BEGIN -->
TVs are one of the hottest selling items for consumers during the holidays and more than 90% of them will be connected to the internet by 2016 according to a Futuresource Consulting study which also predicts Smart TV sales will continue to grow at a CAGR of 21% through 2018.*1

SmartTVs are a great gift, but consumers should be aware that connecting a new SmartTV to a home network may open the doors for hackers. Hacking a smart TV doesn't sound too terrible to most consumers, but attackers can use a successful SmartTV attack to gain access to all the devices on your home network; this can include access to financial data on personal computers as well as other confidential information.

Smart TV attacks are relatively easy to implement, and they affect businesses as well as consumers. Gaining access to a corporate network through a smart TV can provide access to a wide range of corporate data.

The security risks of smart TVs cannot be understated.  These devices often contain a variety of out of date software libraries with known vulnerabilities.  These vulnerabilities are compounded by the presumption that anyone on the local network should have access to all TV functions.  This definitely makes smart TVs easier to use, but it also makes it easier for attackers to exploit them using a variety of techniques.

Securing Smart TVs in the Enterprise
SmartTVs are finding their way into enterprise environments with greater frequency as businesses seek to upgrade their conference and board rooms. Based on my recent research, I would strongly advise businesses using these devices to keep them off the corporate network and ensure that the USB ports are not exposed.  As with a traditional computer, I have found that simple network requests or the insertion of a USB stick can sometimes be enough to give an attacker full control over the computing resources within a TV.  If this TV is attached to a network with valuable data, it becomes a pivot point for the attacker. 

It is also worth noting that many of these TVs come equipped with remote controls that respond to voice commands and cameras for video conferencing; these features make them a perfect tool for corporate espionage.  To reduce the attack surface of smart TVs, enterprises should not use the teleconference software bundled with consumer TVs. Instead, they should stick with more traditional teleconference solutions that use the TV as a screen.

Securing Smart TVs for Consumers
For consumers, removing the TV from the resto of their home network can greatly diminish its value, but in many cases it is appropriate to put the TV on an isolated 'guest' network to avoid the possibility of the TV becoming a pivot point to attack other systems on the network. 

Many consumers will also likely defer installing updates on the home TV, which is a serious mistake as these updates may contain critical security fixes.  Smartphone applications, browser plugins, and even malicious web sites are all potential sources of threats for devices in a home network including the TV.  By keeping the TV on an isolated network, these infection sources will not be able to locate an attack the set.

Business + Personal Means More Threatlandscape to Cover
As of this month, the Identity Theft Resource Center has identified more than 175,681,126 records that were breached in these vertical markets: Banking, Credit and Financial, Business, Education, Government and Military and Medical and Healthcare. *2 As we have seen with the TalkTalk Breach, a 15 year old was associated with this serious attack so you have everyone from teenagers to organized crime syndicates attacking anything they can and such devices as SmartTVs are very easy. Even within the security community, the level of risk is not fully realized.

With the mix of business and personal information on all types of devices, it means that your exposure to possible attacks by hackers, insiders or someone you know goes up exponentially.
Changing passwords as much as possible and instituting the latest patches as they become available is the best the defense, but still not an infallible one. Isolating networks is another approach, but it does take the convenience out of the equation. However, when you find that someone can hack your business TV and has used it to listen in on your board of directors meeting or has hacked into your TV and emptied your bank account, then convenience becomes much less important.

*1 http://www.ooyala.com/videomind/blog/smart-tv-adoption-%E2%80%93-and-connectivity-%E2%80%93-soars-will-4k-stunt-its-growth
*2 http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf
Craig Young is an award winning cybersecurity researcher with Tripwire's Vulnerability and Exposures Research Team (VERT).

Craig's has uncovered router security flaws, Google authentication vulnerabilities, and has filed numerous CVEs. Recently, Craig Young won the SOHOplessly Broken router hacking contest at DefCon 2014.

1 http://www.telegraph.co.uk/technology/apple/9355995/Apple-drops-virus-immunity-claim-for-Macs.html
2 https://twitter.com/mikko/status/187885952109252608
3 http://www.businessinsider.com/right-now-there-are-125-billion-windows-pcs-worldwide-2011-12
4 http://download.microsoft.com/download/0/3/3/0331766E-3FC4-44E5-B1CA-2BDEB58211B8/Microsoft_Security_Intelligence_Report_volume_11_English.pdf

Related Keywords:Smart YV, TV Hacks. Threat Security

Source:Digital Media Online. All Rights Reserved

Our Privacy Policy --- @ Copyright, 2015 Digital Media Online, All Rights Reserved