back to article Samsung's smart TVs 'wide open' to exploits

Samsung's Smart TV has a vulnerability which allows remote attackers to swipe data, according to security researchers. Malta-based security start-up ReVuln claims to have discovered a zero-day vulnerability affecting Smart TV, in particular a Samsung TV LED 3D. Smart TV can be used to browse the internet, use social networks …

COMMENTS

This topic is closed for new posts.

Silver badge

Luckily the number of such "smart" TVs in use is quite low compared to any other target. Also lucky is that the browsing experience is so awful that most users wouldn't intentionally use them to browse the web.

Unfortunately this leaves those that will typically have no clue about security, updates or online common sense...

Doesn't explain piss poor security. Or piss poor UIs though. When "smart" TVs actually start to produce a usable UI then this will become a much more serious problem.

7
0
Thumb Down

I'll stick to my home-built HTPC.

True, it isn't quite as sleek as an all-in-one, but it is considerably more future-proof hardware-wise, and I trust the FOSS community far more than Samsung in releasing security and feature updates for it. Plus, I have or can use any media streaming provider of my choice, rather than whichever ones are asked to and can be bothered to release a half-arsed "app" for my particular TV.

Perfectly highlighted by the fact that Linux has only just dropped 386 support, but how long will Sammy (and the others) continue to release updates for the current batch of "smart" TVs?

3
0
Facepalm

I can't be the only person...

...who actually just wants a dumb tv?

Spend the money on a good panel and making the hardware performance top notch. I don't want it to overlay my twitter feed on to what I am watching or any of that nonsense. I certainly don't want that coupled with countless gaping vulnerabilities.

While I'm on the subject I don't even want speakers. Audio and smart features are better handled by connected devices so I would rather not pay for duplicated functionality which is not only inferior but that I will also never use.

3
0

Re: I can't be the only person...

100% agree, I just want a beautiful (but dumb) display

oh and fewer cables!!

1
0
Silver badge

Rootable? You'd hope so!

If I bought the device I have the right to be root on it.

13
3
Anonymous Coward

Re: Rootable? You'd hope so!

*Yawn* Made up moral rights FTW.

6
15

Re: Rootable? You'd hope so!

"Made-up moral rights"? If you bought a device to do X, and the manufacturer later shut down that ability, the moral right would feel pretty damn real.

10
4

Re: Rootable? You'd hope so!

So you should be given access to things you shouldn't be tinkering with just in case they turn it off?

2
14
WTF?

Re: Rootable? You'd hope so!

What exactly should I not be tinkering with in a device that I bought?

14
1
WTF?

Re: Rootable? You'd hope so!

If I buy something, it's mine. I can use it as bought, or I can mod it, or I can plant tomatoes in it. It's none of your or anyone else's goddamn business.

13
1
Bronze badge

Re: Rootable? You'd hope so!

> I can use it as bought

"as bought" might well involve a licence agreement. Not sure how that covers the tomatoes scenario though.

1
1

Re: Rootable? You'd hope so!

If there's a license agreement, then I'm not really buying it, am I? It's a grey area for software, which unfortunately bled across to things like e-books, MP3s and digital movies, and is now even reaching into the world of physical products.

"By purchasing and opening this TV, you have agreed to abide by the enclosed EULA, including that you must make me some pancakes."

4
0
Bronze badge

Re: Rootable? You'd hope so!

"If I buy something, it's mine. I can use it as bought, or I can mod it, or I can plant tomatoes in it. It's none of your or anyone else's goddamn business."

True, but then there's the tinkering that leaves the manufacturer open to legal action when the idiot user tries watering his tomatoes. Not to mention the warranty claim when the TV won't show Eastenders any more because the tomato plant has cracked the panel.

Manufacturers design a product to do a job. It's their choice to design and implement it how they wish in the same way it is your choice not to buy it. If they lock it down to prevent uses for which it wasn't designed, that could lead them to be open to legal action for *not* preventing misuse, I can't blame them.

1
3
Silver badge
FAIL

Re: Rootable? You'd hope so!

Um, it's not a made-up right -- it's the very definition of ownership.

If I paid for it with my own money, I am privy to every secret it embodies, and I have the right to do anything I like with it in the privacy of my own home.

2
0
Silver badge

ReVuln seem like nice people

Similar scenario: I walk past my neighbour's house and notice they've left the door open, even though I know they're out for the evening. What should I do?

1) Phone them to let them know

2) Let the police know

3) Find a bunch of local scumbags hanging around in the park and offer the address to the highest bidder.

I hope no-one from ReVuln moves in next door to me.

20
1
Bronze badge
Angel

Re: ReVuln seem like nice people

I think it's closer to "Large hole in the road". Do you:

1) Phone the council and hope they get it fixed in the next 3 months

2) Let the police know

3) Tell the local drivers and the council, because you know it will be at least a week before they get it fixed and you don't want anyone driving into the hole by mistake in the mean time.

I think they chose option 3 this time. It just so happens though that sadly highwaymen also frequent the roads and look for those crashed in pot holes to hijack. That's not your fault though. Likewise, with "holes" in security. :P

3
5
Silver badge
Thumb Up

Re: ReVuln seem like nice people

Agreed. It would be a nice case of poetic justice if someone from ReVuln fell victim to an exploit that some other profiteer decided to sell to the lads from Lagos, and had their identity stolen, their credit cards maxed and their life ruined.

I've seen what identity theft does to someone's life, and I can only say that anyone who discovers such a vulnerability and fails to report it should be charged as an accessory, in the same way that (in Australia at least) someone who becomes aware that a child is being abused and fails to report it is charged as an accessory.

I'm also adamantly against the death penalty, but I must say that identity theft sorely tempts me to make an exception to that principle.

4
0

Re: ReVuln seem like nice people

No, you appear to be thinking of security researchers who publish vulns in their entirety without seeking payment (with or without privately informing the vendor).

These are people publishing the fact that they know there are vulnerabilities in a device, and will sell the knowledge of that to the highest bidder, be it crims, governments or the (now pressured) device owner.

In your analogy they announce there are crash causing potholes somewhere on the A127 and offer to sell a map to the highest bidder, be that highwaymen bent on robbing crashed or stopped cars or the highways agency - they don't really care.

3
0
Silver badge

Re: ReVuln seem like nice people

"In your analogy they announce there are crash causing potholes somewhere on the A127 and offer to sell a map to the highest bidder, be that highwaymen bent on robbing crashed or stopped cars or the highways agency - they don't really care".

At least you can avoid the A127 for the time being.

0
1

Re: ReVuln seem like nice people

You can also turn off your telly or other device.

Neither might be convenient however (you might live along the A127 for instance)

I wonder what they do if they find a critical vuln. in say, airplane flight systems, air traffic control or life support?

Does the CAA/whoever have to bid against Al Qaeda?

1
0

Re: ReVuln seem like nice people

"start-up ReVuln claims to have discovered"

The clue to their motivations may be found in the phrase "start-up". Great story for PR for a firm no one has heard of and needs some investors.

3
0
Anonymous Coward

Re: ReVuln seem like nice people

"I'm also adamantly against the death penalty"

or

"I also adamantly stand for letting murderers murder, rapists rape and fuckwits buy iPhones!"

fixed

0
5
Silver badge

Re: ReVuln seem like nice people

Yes, because not wanting to kill people means you want people to kill people.

Really, the mentality of some people amazes me.

2
0
Bronze badge

Re: ReVuln seem like nice people

I wonder what they do if they find a critical vuln. in say, airplane flight systems, air traffic control or life support?

Does the CAA/whoever have to bid against Al Qaeda?

So, look, gang... I'd like to propose that "Al Qaeda" replace "Hitler" as the Godwin Trigger.

3
0
Silver badge

Re: ReVuln seem like nice people

Seconded.

0
0
Silver badge

I don't want a smart TV.

I want a big monitor. That way I can connect any PC/device of my choosing and it will do what I want, not be locked into the maker's walled-garden.

8
4
Anonymous Coward

Re: I don't want a smart TV.

I love all this moronic "lock in" and "walled garden" whinging crap.

A TV is not a computer, therefore the way it works is going to be different to a computer. People want to turn on a TV and maybe install a few apps, using a *remote control*, not a keyboard, mouse or messing with SSH, VNC or Samba.

Nobody forces you to buy a Smart TV.

5
13
FAIL

Re: I don't want a smart TV.

You'll have a big monitor for sure but a low res one at that

0
1
FAIL

Re: I don't want a smart TV.

Not heard of a HDMI cable???

I thought smart TVs were a waste of space, but then I bought one for the lounge connected with a wireless dongle. Its ability to link into my LAN to stream movies from my NAS and built in Apps to stream movies from LoveFilm etc. with zero hassle and just one controller! Suddenly makes the dumb TV in the front room which is connected to a PS3 to achieve the same thing, look very old skool and over complicated.

How exciting that someone could tap into the USB which only holds recorded TV programs.. and who actually uses a web browser on a TV?... sure that will cause sleepless nights...

3
1
Coat

Re: I don't want a smart TV.

Amen.

Why on earth they don't have a similar arrangement to the CAM sockets whereby you can just plug a "computer" into the TV to generate the image I don't know. ...and I'm talking a simple recessed area on the back, maybe with a cover or some such.

All a TV needs is the screen, a pretty housing, and the 'PC' bay. Your choice of TV would thus be the size, quality, and tech of the screen and the design of the housing...as for the connection, HDMI does control signals (and Displayport can carry USB), so some standardised control information from the TV's remote should be possible, or even better, have the remote controls using bluetooth, and then all you need is a receiver in the 'PC'.

The array of inputs you would want is a bit more tricky...but an arrangement similar to the ATX back panel could probably be found, depending on the design of the PC module, and would enable you to update the inputs (via a new computer module, perhaps, to keep things simple) as technology evolves. Of course, the TV housing could offer side or front breakout connections that simply plug into the ones on the back, but that would be a manufacturer option...

It's essentially how these things are manufactured anyway...it's the same screen in Bravias and Samsung TVs, it's just the electronics generating the picture (i.e. the "Bravia engine") that differs.

4
1
Facepalm

Re: I don't want a smart TV.

Are you sure that your USB drive only holds media? Perhaps there's a backup from one of your PCs there. Or the online photo library. Or a more important drive that you've attached to the same TV temporarily to move downloaded movies from your PC.

You've also assumed that the compromise was limited to reading the USB. If the perp can get into the unSmartTV, then it might be with sufficient flexibility that they could read *any* Windows file shares visible on the network to which the unSmartTV is connected.

1
0
Linux

Re: I don't want a smart TV.

@AC - "A TV is not a computer,"

When it's running linux on its multi-core ~GHz processor, has installable applications, a web browser, can stream media all over the place etc etc.... yeah, it is a computer.

Essentially a Smart TV is like an iMac with slightly more emphasis on the screen and less on the computer power, but they're much the same sort of deal.

8
1
Thumb Down

Re: I don't want a smart TV. @AC

"A TV is not a computer"

Oh yes it can be, down vote for ignorance.

5
1
Silver badge

Re: I don't want a smart TV.

"A TV is not a computer, therefore the way it works is going to be different to a computer".

This is a perfect example of the logical fallacy known as "begging the question". You start by asserting, without evidence, that "A TV is not a computer". (Why not? Could it be a computer? Might that have some advantages?)

Then, having begun by asserting that a TV is not a computer, you deduce that it must work in a different way. This step, too, is far from safe. A car, an aircraft, a fridge, a stereo system... none of those are computers, but nowadays they often contain computers... which allow them to do more and better things for us.

6
0
Silver badge

Re: I don't want a smart TV.

"Why on earth they don't have a similar arrangement to the CAM sockets whereby you can just plug a "computer" into the TV to generate the image I don't know. ...and I'm talking a simple recessed area on the back, maybe with a cover or some such."

Because there's no chance of such standardisation amongst the PC makers. But any decent TV will have a fistful of SCART, HDMI and D Sub inputs. Get a docking station for your laptop, link to the TV and you're done. Somebody earlier commented on the low res of TVs as monitors, but at normal viewing distances this doesn't really apply, and even using the D Sub output from a six year old laptop I got a very clear display on a 40 inch screen, so that you could read small text sitting ten feet away on the sofa.

0
0
Silver badge

Smart TVs do exactly what you want.

I think you're confusing it with that hypothetical Apple TV :)

Smart TVs do exactly what you want. Well, of course, any TV these days can act as a big monitor, in that you can connect to a PC or other device via HDMI. But smart TVs can also stream wirelessly, which saves loads of cables, or is useful if the device is on your lap or in another room. They can also "pull" rather than just "push" (i.e., you can use the TV remote to browse things to watch on a device, rather than having to use the PC with the TV acting as a monitor, although you can still do that too).

Online services come from anywhere you want - iplayer, netflix, youtube, or even just a random webpage. In fact I don't think LG even have their own services, let alone a walled garden.

I can easily see one manufacturer producing a TV that only works with their online site, with their devices, with their custom cables, connectors and wireless protocols... but that's not any smart TV around today.

1
0
Anonymous Coward

Re: I don't want a smart TV.

You can stick Raspbmc on a Raspberry Pi and control XBMC with a remote via CEC but still have SMB and SSH.

Best of both worlds for about 30 quid. Worth it IMO, especially now I have transmission set up with a web interface so I can use my PC upstairs to decide what movie the missus and I will be watching that evening downstairs.

4
1
Silver badge
Linux

Re: I don't want a smart TV.

> Nobody forces you to buy a Smart TV.

Therefore all ethics and morality and LAW should be ignored?

Will you still feel the same way when you are arrested because your technology is running amok and engaging in highly illegal acts on your behalf?

0
2
Bronze badge

Re: I don't want a smart TV.

Essentially a Smart TV is like an iMac with slightly more emphasis on the screen and less on the computer power, but they're much the same sort of deal.

Well stated! Actually, an iMac can become even more like a TV if you hang an Elgato EyeTV dongle or HD DVR off of it.

0
0

Re: I don't want a smart TV.

> Why on earth they don't have a similar arrangement to the CAM sockets ...

0) Physical space.

1) More expensive (connectors, additional casings).

2) (Most) People don't care.

3) The 'sales' people at Currys are the primary channel for communicating product information (don't make your product the one that is hard to explain)...

4) If you have different platforms that confuses the picture for content partners you are bringing on board and you want to maximise the number of viewers that can be reached.

5) Stock control. We have 1500 more processor modules left than TVs to put them in (or vice versa).

6) Internally the product changes every year to bring the costs down.

7) Additional failure point (especially the connection)

I believe some high end Samsungs offered an upgradeable module but I didn't follow it closely. It really isn't a cost effective approach.

Depending on what you want to do you can do it yourself with a Raspberry Pi powered by the USB and plugged into the HDMI or a real computer powered by the mains and plugged into the HDMI. Use HDMI CEC for the control and you can use the original remote. Most people will stick to the built in services (and DLNA) if they connect to the network at all.

> It's essentially how these things are manufactured anyway...it's the same screen in Bravias and Samsung TVs, it's just the electronics generating the picture (i.e. the "Bravia engine") that differs.

Not entirely. Yes the main board is the same or nearly the same +- satellite tuner and at the top end extra picture processing hardware but the panel also varies (particularly high frame rate support + 3D and possibly backlight technology or bit depth).

0
0
Silver badge
FAIL

Re: I don't want a smart TV.

Nobody forces you to buy a Smart TV
Except, possibly, TV manufacturers stopping making any other sort .....

You seriously overestimate the power of a minority of knowledgeable individuals against (the corporations plus a bunch of dumb people who just buy whatever they are told).

0
0
Gold badge
Facepalm

A TV *is* a computer

"A TV is not a computer":

A modern TV *is* a computer. The LG my parents got (NOT a smart TV) has pages of GPL notices, Linux kernel, ffmpeg, libavcodec, busybox. I think it uses the Linux framebuffer driver. (The one my grandparents got listed NanoX as well so apparently it didn't.) SmartTVs *are* a computer, with more storage space and additional software installed.

"therefore the way it works is going to be different to a computer. People want to turn on a TV and maybe install a few apps, using a *remote control*, not a keyboard, mouse or messing with SSH, VNC or Samba."

But, VNC, SSH, and Samba would install and run fine on it, so long as it's not artificially locked down.

Would I install vnc, SSH, and samba on my TV*? Hell no. But it's the TV owner's right to do this if they want (possibly voiding the warranty. Although it should be possible to flash it back to "factory default".)

*(If I owned a TV... I use MythTV and just watch stuff on the computer.)

0
0
Alert

If it looks like a computer....

Smells like a computer, acts like a computer and connects to the Internet then it always has the potential to be hacked.

If you want a smart TV get an android usb stick computer or similar then if that gets bricked by a hacker at least it's not £1000 down the drain.

As Scotty said "The more the plumbing the easier it is to stop up the drain"

9
2
Anonymous Coward

Re: If it looks like a computer....

So your average retired grandmother is going to get a Linux computer up and running on a TV is she?

You people really need to look outside of your parents' bedroom and interact with real "non geek" people once in a while. They buy this Smart TV stuff because they don't know computers very well.

Good luck trying to explain on the phone how to edit conf files in /etc using VI to a family member.

6
9
Bronze badge
Headmaster

Re: If it looks like a computer.... AC

Yes, the average grandmother could get a little linux box. Some are sold for £200, run very well. It's just the more profitable products are marketed, not the more useable ones.

4
2
Megaphone

Re: If it looks like a computer.... @AC

Do you know what and an Android stick or media box is? Obviously not. It's no more difficult than using a smart phone. By the way idiot most smart TVs already are using linux so yes a granny is already using Linux without help from you, anonymous troll.

6
2

Re: If it looks like a computer....

Beautifully put. The Reg is full of people who think everybody thinks like a security-conscious follower of all tech trends, and have fingers specially adapted for command-line work.

2
0
Mushroom

"do you know what and (sic) an Android stick or media box is?"

Get a grip - you actually manage to infer here that a granny would know what an android stick is. Grab a mirror before you throw troll insults around. Or read his original post again and then take a deep breath.

0
4
WTF?

Re: If it looks like a computer....

"So your average retired grandmother..."

Your average retired grandmother can't work out a smart TV either. Actually the same goes for plenty of younger people. I've helped out a couple of non-geeks get their giant tellies web-enabled over the last year. One was a thirty-something nurse, the other was a fifty-something martial arts instructor who'd been duped into buying an unnecessary £70 wifi dongle and didn't believe me when I said he didn't need it because his router was sitting proudly at the back of his telly stand. In both cases they were massively disappointed by the rubbish network functionality on offer and the bad ergonomics (an issue that has haunted consumer kit for decades) and I don't believe they bother with those smart features.

Smart TV features will remain "geek" features until the ergonomics get sorted out. The manufacturers don't seem to be up to it, therefore the Linux media box path has a realistic prospect of success.

4
0
Thumb Up

Re: If it looks like a computer....

Smells like a computer, acts like a computer, crashes like a computer and connects to the Internet then it always has the potential to be hacked.

Fixed it for you

1
0
