Internet-connected HDTVs could be used by hackers to infiltrate home networks, according to a firm that markets device security software for smartphones, VoIP devices and TVs. Mocana's not-exactly-disinterested warning follows tests by the firm on a range of inter-connected TVs, during which a security flaw was discovered in the …
at least until a fix is released...
er, so how many flash upgradable TVs are there? Mine isn't. I suspect that a TV firewall is a LONG way in the future.
A title is not required
Well probably loads. I've just bought a new TV, FreeSat receiver and BluRay player (Samsung, Humax & Sony). Each one can have its firmware upgraded from a USB flash drive plus Ethernet, DVD-R and over the air. In fact, all were delivered with out of date firmware.
Er, most new large TVs are flash upgradeable
Most new large TVs are flash upgradeable. My 32" LG, for example, has a USB port and runs Linux - throw in a stick with the new firmware on and it'll upgrade the set for you. Amusingly, someone leaked the engineer backdoor sequence to get into the service menu for an older firmware release (it was blocked after the leak though) and the menu lets you enable features in more expensive models - whoops! So a quick downgrade, enable features and upgrade again got my set playing movies, music and photos from the USB port, which it couldn't previously do.
Over the air
My LG TV updates over the air automatically and it wasn't an expensive model so I'm guessing that a lot of TVs will have this functionality.
I've got an LG too, but...
...since models go 'obsolete' quite quickly these days, when the new models come out, don't expect any updates to them.
"I suspect that a TV firewall is a LONG way in the future."
Maybe so, but there's nothing to stop you putting a router (with its own user locked down firewall) between the TV and the internet.
Already had one..
I've only had the TV 2 months and have already had 1 OTA update so far so there is at least some support. I'm guessing internet connected TVs will be able to update over the internet rather than via the TV signal like my TV.
What would stop someone with a mobile transmitter and the right software
Sending out their own updates to these TVs?
Reading the PDF, it's a Skype capable TV with the manufacturer redacted to Xxxxxxx. So that'll be Samsung then.
It's definitely Panasonic Vieracast, not Samsung. The URLs in the linked-to article make this a certainty.
Beer, coz it's now Friday evening.
Internet connected TV = SONY/MPAA/BPI lawyers sitting in your living room and controlling what you can/cannot watch on it. If not now, then soon enough.
If you connect your TV to the Internet you deserve to be hacked, if you just buy an "internet-enabled" TV you are half way there...
Oh yes, how right you are.
Anyway it's time for your medication now...
Check your own prescription first, mate, before you touch the keyboard.
I'm not a betting man....
But I suspect it's Panasonic Viera's, and the website that is mentioned (albeit redacted) is http://www.vieracast.tv
I reckon it's Panasonic Viera..
Document mentions .eu and .tv domains and accessing home-screen.js
Google home-screen.js and you get http://customvieracast.blogspot.com/2010_05_01_archive.html
Read that document and you see "Looking at the code in home-screen.js I can see that it downloads from vieracast.eu (EU market) vieracast.tv (US market) depending on where you are."
Gee, there's a bit more
all home connected games consoles are just the same dummies on unprotected/registered ports, your DVD players, etc.
El Reg you do fail badly you mutants -- who on earth will do a SW upgrade to their tele?
Seems you are relatively uninformed then
I know the Sony Bravia range needed a software update when they used to refuse to come out of standby mode (apparently an overflow problem in a counter)
My Samsung certainly has the option for a software update and if I used the built in Freeview tuner I would probably carry out the update just to try and get something more usable (but I don't so I won't)
Did one last night actually.
So there's at least one, and it was a lot easier than upgrading Windows.
"I know the Sony Bravia range needed a software update when they used to refuse to come out of standby mode"
That only means two things:
a) The manufacturer got lazy - "I'll have a beer rather than debug that firmware properly, after all the luser can always be forced to update it later..." and
c) The TVs have got more "features" than they need to have
What it DOESN'T mean:
a) The Internet connectivity for TVs is a necessary or a good thing.
.. it's Samsung!
There are lots of clues in the doc, but one simple test is who makes Skype enabled TVs.
If you are going to redact, do it properly!!
Looking at their list of afflicted applications, it matches with what I have on my Panasonic.
Sony have their own walled-gardens of course, as do other manufacturers.
The article confirms that the TV in question contains no actively listening services (quite rightly, why would it). Their whole premise appears to be based on the fact that they have redirected the TV (through local DNS redirection) to retrieve manufacturer-supplied scripts that have been doctored.
Rightly, as no authentication is performed on the source of these scripts, they are able to rewrite them as they like and do what they will with them. The TV in question accepts them as authentic and then the fun begins. So of course they can change things in these circumstances.
Frankly, if my home network has been compromised to that degree, then not getting youtube on my telly is the least of my worries.
That said, interesting article. I think it's of more use as an educational jumping-off point, give some people some ideas on how to customise or open-up the walled gardens the manufacturers have locked them into. Nice bit of fun in other words :-)
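The missing check described in the comment above (scripts accepted without authenticating their source), shown as an added example that is not part of the original thread, the Mocana paper or any vendor's code. It assumes the vendor signs each script with Ed25519 and the device pins the public key; `publishScript`, `loadVerifiedScript`, `PINNED_VENDOR_KEY` and the `showWidgets` script body are hypothetical names, and the key pair and responses are constructed for the demonstration.

```javascript
const crypto = require('crypto');

// Constructed stand-in for a vendor signing key. On a real device only the
// public half would be baked into firmware; the private half stays with the vendor.
const vendor = crypto.generateKeyPairSync('ed25519');
const PINNED_VENDOR_KEY = vendor.publicKey;

// Vendor side (hypothetical): publish a script with a detached Ed25519 signature.
function publishScript(source, privateKey = vendor.privateKey) {
  const body = Buffer.from(source, 'utf8');
  return { body, signature: crypto.sign(null, body, privateKey) };
}

// Device side: hand the script to the interpreter only if the signature
// verifies against the pinned key. Where the bytes came from (DNS answer,
// IP address, proxy) plays no part in the decision.
function loadVerifiedScript(response) {
  const { body, signature } = response || {};
  if (!Buffer.isBuffer(body) || !Buffer.isBuffer(signature)) {
    return { ok: false, reason: 'missing body or signature' };
  }
  let valid = false;
  try {
    valid = crypto.verify(null, body, PINNED_VENDOR_KEY, signature);
  } catch (err) {
    valid = false; // malformed signature is treated as a failed check
  }
  return valid
    ? { ok: true, source: body.toString('utf8') }
    : { ok: false, reason: 'signature does not match pinned vendor key' };
}

// Constructed sample responses.
const genuine = publishScript('showWidgets(["weather", "video"]);');
// Redirected server replays the real signature over a doctored body.
const doctored = { body: Buffer.from('showWidgets(["altered"]);'), signature: genuine.signature };
// Redirected server signs the doctored body with its own key.
const selfSigned = publishScript('showWidgets(["altered"]);',
  crypto.generateKeyPairSync('ed25519').privateKey);

function demo() {
  return [genuine, doctored, selfSigned].map((r) => loadVerifiedScript(r).ok);
}
console.log(demo()); // [ true, false, false ]
```

With this check in place, local DNS redirection can still deny the service, but a doctored script is rejected instead of run.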
shame i don't know anyone with a Panasonic Viera..
..but a quick google of "home-screen.js" shows that these things have been pointed out before on user forums.
No real interest in the PDF, but it's a slow day so I thought I would take a butcher's. What's with excessive hyphenation ? Surely someone as technically-aware as this bunch could work that out ?
I've updated the software on my TV a few times since July. Part and parcel. Not a problem, nothing to see here, move along etc.
One would hope the base OS itself is actually verified before installation. Understandable that content isn't, of course. Still don't regard this as an issue to get me worried
They're all computers
Most appliances, even "unsophisticated" ones, are just computers with specialised peripherals. Alas, those who provide network interfaces don't often "realize" what they're doing; leaving the computer wide open to being "owned".
What is probably closer to the truth is that they don't have the resources to build in the necessary protection for the "feature" that the marketing department has dreamed up and advertised 16 hours before product launch?
And TV is, by definition, networked. How about malware payloads carried by digital TV signals, injected to attack particular TV engines? Right past the firewall of a domestic network.
Want to attack other networked computers pretending to be appliances made by competitors?
My blue light special movie player frequently offers firmware upgrades, the last of which disabled playing NETFLIX. The Blu-Ray spec intimates movie playing can be likewise crippled.
HDNA gives your player/TV hooks into the rest of your network, especially mass storage.
Where things will get scary is when a camera and mic become* a "feature" of a TV.
Makes buying a TV for your girlfriend a great christmas present. Of course skype would be on it. Trivial** to turn on the cam remotely and invisibly. A friend keeps a piece of tape over the lens on his lappy for just that reason.
These guys have identified a genuine need. But then so have the makers of duct tape.
*Technology predicted for 1984
**For some people.
Not really. It's more like putting on a blindfold and trying to walk down the road using dead-reckoning. One step too many/few, and you're in front of a car.
I don't know of any site called www.vieracast.tv, I get a not-found when I key it in on my PC.
IPTV is an interesting alternative to Cable-TV. It is not rare for people to be paying $165/mo for Cable/Phone/Internet. For a lot of people, there is some hope that IPTV is part of a way to do that stuff cheaper.
You really don't know a lot about DNS and the web and stuff do you?
Just because an A record doesn't exist for www doesn't mean that the domain doesn't exist...
There are lots of other sub-domains on that domain.
Potentially perfect zombies...
How many people ever turn off their TVs? You switch off your PC, and many people switch off games consoles, but how often do you actually physically remove power from your telly?
You don't. You point a box at it and press a red button. So you're relying on software to switch it off. And if the software is hacked, then it can keep DDoSing websites, cracking captchas or whatever it is that the cool botnets are doing this year.
Every night almost all gadgets get powered off and unplugged. Even the router. The only thing that gets left in stand-by is one PC, and its job is to record TV, so it often wakes up, does its thing and then goes back to sleep.
If I am ever daft enough to connect a TV to a network (and why would I? The DRM-crippled usage wouldn't be worth it), then I'll have to make sure I am running a router and a firewall that can pick-up crap like this on the network. One simply cannot rely on the OEM to do it correctly.
This probably means my fridge *doesn't* need resupplying with P3niz P1llZ, and I've just wasted 50 quid.
If only this warning had arrived yesterday.
*When* will The Register begin to deliver timely warnings to its subscribers?
Suit yourself, don't get 'em then. Just don't come crying to us when your fridge collapses into a post-tumescent heap on the floor.......
My Panasonic TC-P50V10 listens on a port open while it's turned on. Panasonic won't say what it does and it doesn't respond to random codes sent to it.
How can this work with a normal Broadband + Router + firewall setup?
User has Browser on TV goes to web site with evil stuff that does???
New tv feature.....
Anonymous releases new embedded version of LOIC, it's the Low Orbit (42") Plasma Cannon ;-)
Unless of course you are referring to the screen technology in play...
One might almost think they wanted people to get hacked.
You know what this means?
Hackers could make your TV home on Britain's Got Talent broadcasts and prevent you switching away or turning down the volume! RUN FOR THE HILLS - IT'S THE PIERSMORGAGEDDON!
I have never, nor ever will, connect my refrigerator to the Internet.
"I have never, nor ever will, connect my refrigerator to the Internet."
Then the government will just have to inspect the contents of your fridge the old fashioned way. By kicking in your front door and beating you to death.
Surely this is just the natural conclusion of steps begun many years ago by the venerated Noel "Neddy" Edmonds on his House Party programme, where they jumped live to some unsuspecting fat bloke in his living room on a Saturday evening on the awesomely funny NTV slot. Probably.
@The Indomitable Gall
"but how often do you actually physically remove power from your telly?
You don't. "
Speak for yourself. We always switch ours off at the plug mainly because we don't use it much and it saves a little bit of electricity. Not everyone is so lazy that they can't make it over to the wall socket.
So you only get hacked whilst you're watching the telly?!? Wow. Big deal.
"So you only get hacked whilst you're watching the telly?!? Wow. Big deal."
One is a 10 year old CRT analogue set and the other doesn't have networking. Hacking them would be pretty impressive. Wanna try?
The point is simply...
...who controls the boxes. For example I have a networked "satellite receiver" which is essentially a Linux PC. I can record and store everything I want for as long as I want to. I can get both Freesat and normal FTA satellite reception. All recordings are normal files I can easily re-encode to just about anything I want. I could build an ITV to Youtube gateway, if I really wanted.
Massive HDTV BotNET
How often do you run AV on your HDTV? Root Kit Scanner? Hijack This?
Once a Botnet gets into those HDTV's, it will never get cleaned out.
And it won't be interfering with your TV watching pleasure -- it will be silently disrupting everyone else.
...do not connect the TV to the local network. Why are people obsessed with doing this anyway? The experience is usually marred by DRM and proprietary interfaces which are a total pain in the balls. Use the TV as a dumb-monitor, nothing else. Drive it from some kind of media centre front-end (i.e. a PC). That can be easily upgraded/reconfigured/firewalled/etc and you neatly insulate yourself from the TV manufacturer deciding that your 2 year-old TV is now "obsolete".
It's just a shame that when you get a big TV, you end up paying for USB, Ethernet, DLNA and other crap that you simply do not need.