How secure is your TV—and should you care?
Why choosing your next television could involve more than just finding the best picture quality for the price.
You probably remembered to lock the front door of your house this morning. But what about the back door—and not just the one leading to your backyard?
In the future, your back doors may be in your smart TV, a device serving not just as entertainment, but also as a control panel for your entire home. And you may have trouble knowing if those back doors are really locked, or left wide open.
“Smart TVs are opening a new window of attack for cybercriminals, as the security defenses of the devices often lag far behind those of smartphones and desktop computers,” reported CSO Online.
“…Manufacturers are emphasizing convenience for users over security, a trade-off that could have severe consequences,” the article continued.
For some cybersecurity experts, the threat of a TV hack is not a big concern.
“The fact that someone could hack a television set is interesting, but not something that would keep me up at night out of worry for losing personal data,” an anonymous ex-CIA security expert told Archer News.
“Cyber criminals are in the business of stealing your personal information for their private gain,” he said. “So, the real question that needs to be answered is, ‘What possible interest would a cyber criminal have in a television set?’”
Your television may offer up your sensitive information, say some cybersecurity experts.
“At home, if your smart TV is compromised, it could be used to capture everything from viewing habits to credit card numbers while shopping online through the TV’s web browser,” said Patrick C. Miller with Archer Security Group.
“Many people think of these smart TVs as a regular TV with some cool new features,” added Miller. “What isn’t fully understood is that they are running fully-featured operating systems (Android/Chrome) and are essentially as capable as most modern computers. This also means they are subject to the same threats and vulnerabilities as any modern phone, tablet or laptop.”
But some experts say smart TVs often have less security protection than phones and laptops.
“Basically with these TVs, if you are in the same room, you’re always going to be treated like you’re the owner of the TV,” said Tripwire researcher Craig Young in the CSO Online article.
Young also told CSO Online that some TV models can’t tell if the person sending commands over the network is the person in the same room, or somewhere else, meaning another person could potentially take remote control of your TV—and any personal information passing through it.
A spy in the boardroom
A cyber invader may be interested in something other than your credit card number.
“Some smart TVs are also equipped with digital cameras and microphones to enable digital communications,” said Patrick Coyle with Chemical Facility Security News. “This could provide hackers with yet another route of access to invade your privacy. What you do or say in front of your smart TV could be shared with the world.”
You may find that unnerving. But if you’re at work, the consequences could be financial, and potentially severe.
“There is a history of hacking video conferencing systems to eavesdrop on conversations, from the FBI to corporate boardrooms,” said Miller.
“Smart TVs are far more feature-rich and may even be less expensive than a traditional monitor, which means they will be the technology of choice for boardrooms, conference rooms, lobbies, etc.” added Miller. “This is effectively placing a listening and/or video monitoring ‘bug’ in your environment—possibly in your most secret environments.”
Remote control for your entire home
It’s not just your television at risk. For example, Samsung just announced that some of its new TVs for 2016 will be able to serve as a hub for all of your connected devices at home.
The Samsung site says there are more than 200 devices you would be able to connect to your TV, and they go beyond locking your doors, watching security cameras, setting your thermostat and starting the laundry.
Product descriptions on the site say, by using smart sensors, you can “do things like know when kids come home from school and automatically turn on the lights, be alerted if there’s unexpected entry in your home and trigger an alarm to blare, secure dangerous or off-limit areas of your home like cleaning supply cabinets, and gain peace of mind by knowing when people come and go.”
Another product description explains you can “automatically shut off a water valve if there’s a leak, ring an alarm to notify you of a little water before it becomes a big problem, or automatically turn on a space heater or window A/C unit in response to unexpectedly hot or cold temperatures in areas of your home like a basement or study.”
All this, using your television as a central command point.
Just a TV?
There could be danger if you continue to think of your television as simply a place to watch your favorite shows, according to some experts.
“The problem is that we—the common folk—see these devices no differently than we did before they became part of an overwhelmingly ginormous network of things and people,” said Stacy Bresler with Archer Security Group. “The attitude that your TV is still just a TV, or your washer and dryer are still just a washer and dryer, will make these easy targets for hackers.”
Bresler said the hackers trying to get into your home may not be the ones you read about in the news, trying to take down governments.
“I mean the curious tinkering-type persons who just have to see how it works and what they can make it do,” said Bresler. “This new wave of connected appliances is going to give way to the next John Drapers (a.k.a. Captain Crunch) of the world.”
Draper is said to be one of the world’s first hackers. He learned to manipulate phone systems in the late sixties and early seventies using toy whistles from Cap’n Crunch cereal. He reportedly taught Steve Wozniak and Steve Jobs how to hack phone systems before they founded Apple.
Bresler said after curious, independent hackers try their hand at invading home systems through televisions, criminals may follow.
“Cybercrime usually takes a bit longer to materialize, but there is no doubt that if there is money to be made—or avoidance of spending money, then the bad guys will exploit the discoveries of the curious,” Bresler said.
Samsung announced new security features for its “smart TV ecosystem” on December 30.
The company said on its site that there are three layers of protection. One is a virtual barrier to protect core service operations, with a secure number pad to safeguard personal info.
The second, it said, is data encryption with an anti-malware system that detects and blocks unauthorized programs.
The third is more secure hardware, Samsung said.
“By dividing the Tizen OS into two parts including the main and the security space, data for each space is secured separately. Also, public key used for verifying personal information is included in the hardware chip,” the statement reads.
Need more info
Samsung’s announcement may not be enough for some cybersecurity experts.
“I think it’s great that Samsung is making an effort to build security into their TVs,” said Jim Feely with Archer Security Group.
But, he said, the information available on the system is from the company’s press release.
“It’s not particularly technical and is mostly marketing speak. It’s hard to evaluate the technology based on the marketing,” said Feely. “I’m looking forward to seeing how transparent they are with technical details.”
Bresler said smart TV security systems like the one announced by Samsung may not be fully secure.
“Whenever someone says ‘virtual,’ I immediately stop listening,” said Bresler. “It is virtually inevitable that a virtual solution is going to be actually compromised.”
“Sorry,” he added. “It may hold water for a while, but it isn’t the cat’s meow.”
He also wants to see more technical details and get more answers.
“Anti-malware system? Is that their own? How does that get updated? I’m curious to know more about this element,” Bresler said. “A solution that can detect changes to ‘stuff’ and then disallow anything that isn’t expected is a good step to take. Not sure I understand their approach though.”
“They appear to be saying the right things from a privacy perspective,” he added. “Still, I would need to be convinced that they aren’t susceptible to a DoS (denial of service) or other types of non-privacy attacks.”
Secure now, what about later?
Another expert says the product you buy now may not have security support later on.
“Large companies often talk the talk with regard to support for IoT (Internet of Things) devices in the beginning, but the truth is that these devices are not likely to be the focus of the company two years from now,” said Bob Beachy with Archer Security Group.
“A company like Samsung may have released two new generations of smart TVs by then, and have updates for old devices in their rear-view mirror, aside from a vested interest in moving you over to their newer ‘more secure’ products,” he said.
What can you do?
Some experts recommend that you have a household plan for things like TV security, discussing the risks and what kind of information is acceptable to put into your connected devices and websites on the Internet.
Some companies are focusing on security for smart home devices, looking for communications that are out of the ordinary. CSO Online reported that F-Secure’s Sense product and a Dojo-Labs product “monitor home network traffic flowing to many devices for signs of trouble.”
“It’s clear that people in the industry are thinking about this problem,” Young said in the CSO Online story.
While you look for security features on your next connected device, you may also need to decide if you really want to make that purchase.
“There should be an understanding that there is some risk associated with any device we use to connect to the Internet, including those with well-advertised security features,” said Beachy.