It is another example of what experts say is the ever-expanding attack surface of devices that traditionally never faced the Internet, but are now “smart.”
The researchers at the Malta-based company said they found a vulnerability in a number of smart TVs made by Samsung Electronics that gave them root access to the TV and any attached USB drives.
They posted a video titled “The TV is Watching You,” which appears on a number of security vendor websites, including Kaspersky Lab’s Threatpost. While there is no voiceover, the video shows the researchers accessing the TV settings and channel lists, SecureStorage accounts, widgets and their configurations, the history of USB movies, the ID, firmware, whole partitions and any attached USB drives.
They were also able to retrieve the drive image, mount it locally and check for information like usernames, passwords, financial documents, or any other type of material on USB drives.
Luigi Auriemma of ReVuln told the IDG News Service that hackers could even use the integrated webcam and microphone to watch the victim. And he said the vulnerability is not confined to the single model that ReVuln tested.
What is affected
“The vulnerability affects multiple models and generations of the devices produced by this vendor, so not just a specific model as tested in our lab at ReVuln,” the report said.
Samsung did not respond to a request for comment, but ReVuln emailed a statement saying there is no firmware update yet, “as the details regarding this vulnerability have not been shared with the vendor.”
The statement added that ReVuln has only tested Samsung, but said: “We think that other brands of TV may be affected by similar issues.”
James Arlen, senior security consultant with Leviathan Security Group and a hacking expert, said the TV is just one example of the “Internet of Things” and other non-computer resources in homes that amount to “a huge new attack surface.”
“I recently counted the number of IP addresses in my house and came up with all kinds of new things that require Internet access – not just the computers, game systems, tablets and music players, but also the bathroom scale, the thermostat and more,” he said. “Televisions are one of many, but also the most likely to have lots of interconnection possibilities.”
He said the problem is not new, noting that, “printers got smarter and became a threat,” and that the number of smart devices continues to expand.
Dan Frye, general manager of services at MAD Security, agrees. “A common way to get into enterprise networks is through printers attached to the corporate network. A TV on the corporate net is really the same thing,” he said. “In essence, you’ve got a computer inside some device, whether it be a printer, a TV, a toaster, the Coke machine, etc., and that computer is just as vulnerable to attacks as a normal computer would be.”
“Any new piece of technology that connects to the Internet is a probable attack surface,” said Matt Johansen, WhiteHat Security threat research manager. “Look at the recent research by Barnaby Jack about insulin pumps and pacemakers.”
“Who would have thought these devices would ever be susceptible to hackers?” Johansen said. “But if a hacker gets their hands on any device long enough, they’ll figure out a way to break it. It was hotel door locks, slot machines in the past and it will be the smart toasters and refrigerators in the future.”
Gary McGraw, CTO of Cigital, said most people don’t think of their TV or other household devices as computers, but they are. “Your TV is just a computer with a monitor,” he said. “And it knows a lot about you—what you’ve watched, whether you were home at the time.”
There is some disagreement over how much of a priority security is for devices that have only recently begun to face the Internet. “Focus on delivering the product to market means that the ‘Ship It’ award is more important than ‘Is it Hackable?’” Arlen said.
Frye agrees that security standards for such devices are “immature.” But he said vulnerabilities are found “everywhere, all the time, in products that certainly take security into account. Microsoft, Google, and Apple are all great examples.”
McGraw said while the vulnerability discovered by ReVuln is real, he doesn’t think Samsung is necessarily lax on security. “They make the most popular Android phone out there,” he said. “So they are in the [security] wars.”
To deal with the ongoing threats, both consumers and enterprises need to “control your exit path,” Arlen said. “Most consumers are unaware of what traffic passes in or out of their primary systems, so they’re going to be even more unaware of the traffic to and from devices that are ‘furniture’ rather than computers.”
“More manufacturers across lots of industries need to employ or engage with the ‘hacker-ish’ community to solve the problems prior to the shipping of the product,” he added.
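One concrete way to act on the advice to “control your exit path” is to audit which outside hosts a TV or other appliance actually talks to. The following is an added example, not code from the article or from ReVuln: it parses a few constructed flow-log lines, compares each appliance’s outbound connections against an allowlist of the destinations it is expected to reach, and reports anything else. The log format, the device inventory, the LAN range and the allowlisted networks are all assumptions made up for the example.

```python
"""Egress audit for 'furniture' devices on a home or office LAN.

Added example (not from the article or from ReVuln). The flow-log format,
device inventory, LAN range and allowlists below are assumptions made up
for this example; adapt them to the router or firewall logs you actually have.
"""
import ipaddress
from collections import defaultdict

# Constructed LAN range: destinations inside it (gateway, DNS) are not flagged.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed inventory: LAN address -> (label, expected destination networks).
# A TV is expected to reach only its vendor's update/streaming ranges.
INVENTORY = {
    "192.168.1.40": ("living-room-tv", {"203.0.113.0/24"}),
    "192.168.1.41": ("thermostat", {"198.51.100.0/24"}),
}

# Constructed flow records in the form "src_ip dst_ip dst_port bytes".
SAMPLE_FLOWS = """\
192.168.1.40 203.0.113.10 443 52311
192.168.1.40 192.168.1.1 53 120
192.168.1.40 198.51.100.77 8080 4096
192.168.1.41 198.51.100.5 443 2048
192.168.1.41 192.0.2.99 22 9000
192.168.1.50 192.0.2.1 443 100
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, nbytes = parts
        try:
            flows.append({"src": ipaddress.ip_address(src),
                          "dst": ipaddress.ip_address(dst),
                          "port": int(port),
                          "bytes": int(nbytes)})
        except ValueError:
            continue  # unparsable address or number: ignore the record
    return flows


def unexpected_egress(flows, inventory=INVENTORY, lan_nets=LAN_NETS):
    """Return {device_label: [(dst, port, bytes), ...]} for every flow from an
    inventoried appliance to a destination outside both the LAN and that
    device's allowlist. Devices not in the inventory are left for a separate
    'unknown device' check and are not reported here."""
    findings = defaultdict(list)
    for f in flows:
        entry = inventory.get(str(f["src"]))
        if entry is None:
            continue
        label, allowed = entry
        if any(f["dst"] in net for net in lan_nets):
            continue
        if any(f["dst"] in ipaddress.ip_network(n) for n in allowed):
            continue
        findings[label].append((str(f["dst"]), f["port"], f["bytes"]))
    return dict(findings)


if __name__ == "__main__":
    for label, hits in unexpected_egress(parse_flows(SAMPLE_FLOWS)).items():
        for dst, port, nbytes in hits:
            print(f"{label}: unexpected egress to {dst}:{port} ({nbytes} bytes)")
```

Run against the constructed sample, the TV’s connection to an address outside its vendor range and the thermostat’s outbound connection on port 22 are the two findings; the gateway DNS lookup and the allowlisted vendor traffic are not reported. The same check works unchanged on real flow exports once the inventory and allowlists reflect the devices on your own network.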
Frye said that once products are released, manufacturers need to treat them like computers, and “have a way for people to report vulnerabilities and a way for patches to be deployed out to their consumers.”
Samsung’s bug bounty
Samsung has begun treating smart devices like computers. “Samsung has actually taken a step in a great direction with a TV bug bounty program for researchers to submit bugs to receive a reward ($1,000), which has been useful for the likes of Google, Facebook, Mozilla, and even PayPal,” Johansen said.
However, every computing device is potentially vulnerable, and with “The Internet of Everything” there will be more of them all the time. “This problem will only get worse as we integrate more things into our home networks,” Frye said. “It’s the TV now, but smart devices, smart meters for our power, the toaster, thermostat—they’re all at risk in the same way.”