Smart telly, router, app makers have left a security hole open for – drum-roll – three years A security hole that has been known and patched for the last three years remains vulnerable in over 6.1 million connected devices. This according to Trend Micro, who says its researchers have discovered that a collection of remote code execution vulnerabilities in a software library used by mobile devices, smart TVs, and …
manufacturers who have not traditionally had experience in application development will be tasked with creating and maintaining secure software stacks
The lack of experience isn't the issue. Any experienced software engineer will tell you that all the common problems in software have been solved, and it's not a good idea to start re-inventing the wheel (even though it does still happen far too often).
No-one in their right mind is going to write their own uPNP library if there's an existing one already out there, especially one that has been pounded on by a lot more people than in your testing team, and used in situations that you never thought of. Most of those obscure edge and corner case bugs have been found and fixed, and many of the security holes plugged.
But not all. So when some more bugs are fixed, you need to update the software that uses the library (if it's statically linked), or update the library file itself (if it's dynamically linked).
It's a decent updating process that's needed - the IoT equivalent of "Patch Tuesday" for the Windows world. That, of course, has to be fed by updated code from the manufacturers, and that is the biggest challenge of all.
Hardware manufacturers don't have a great reputation for producing good software in the first place, but they have a truly terrible reputation for updating it afterwards.
agreed for the most part... uPnP is its own security hole, though... especially since it allows users to bypass the admins' security settings on what traffic is allowed in or out... it has long been a thorn in the side of security conscience admins every where... at least today's uPnP does offer some additional controls and capabilities to prevent egress but it is still a hole that they didn't punch themselves...
"Hardware manufacturers don't have a great reputation for producing good software in the first place, but they have a truly terrible reputation for updating it afterwards."
An insurmountable problem, meaning IoT isn't a viable concept. Looking forward to the next decade of IoT security failure headlines. *Eats popcorn*
The whole "software engineer" nonsense is a bit too much
Oh, there are people that really deserve the title "software engineer". The guy who's now just handing over the Voyager software to his successor is one, IMHO. Stuff that's several tens of AU away by now and still working. There's other engineering feats involved, but the software is one of them.
Unless of course your USB stick contains malware you weren't aware of. Has your libpng been patched? Even dumb TVs aren't dumb any more.
On a side note I bought a 'dumb' TV recently and whilst flicking through the instruction manual was surprised to find a full copy of the GNU GPL.
"On a side note I bought a 'dumb' TV recently and whilst flicking through the instruction manual was surprised to find a full copy of the GNU GPL."
Not sure there is such a thing as a dumb TV anymore. I've even seen a "set top box" for FreeSAT that clearly had MythTV in it (although somewhat torn to bits and re-assembled like a 2 year old with an Airfix kit). Yours probably has bits of FFMPEG or libmpeg in flash somewhere - why reinvent the wheel?
My Samsung telly even has an AV section in its menu. It lives on a separate VLAN +SSID I keep for IoT stuff. Must get around to looking at the flow logs to see what it gets up to. The Zoneminder server and RPi on the same subnet/VLAN have firewalls, that refuse connectes from their own network. I'm scared of my telly 8)
Yes, as I made my initial comment I did consider the possibility of USB malware, but I figure that since I never share the sticks I use, the risk is as low as it can possibly be. At the very least, the article suggests I have one fewer infection vector to worry about. Which might be about as good as it gets.
How easy is it for any user to update the software on these devices? I ask more from ignorance because I do not own any IoT devices so never looked into the issue.
If they are not easy to update for technically literate user, which would not surprise me, then they would be practically impossible for the unwashed masses.
"How easy is it for any user to update the software on these devices?"
It could and can be super easy.
My Sony TV has downloaded updates in the background and installed them when the TV was not in use. A couple times it has also prompted that there is an update waiting - asking whether it should be installed immediately or when the TV is turned off. For consumer stuff like this there should be automatic updates turned on with an option to turn them off, not the other way around.
Our Sony does that as well.
Problem is that the Sony software is pure and utter garbage, so the auto-download just gives us freshly updated garbage.
Sony's software is so deficient in both features and functionality - seriously, for a couple of months Netflix would crash the OS! - that I would never for a moment expect it to be secure.
Problem is that the Sony software is pure and utter garbage
I can't really deny or validate that claim since my usage of the Sony "smart" features are a single app for catching up programs YLE (the Finnish Broadcasting Company) has broadcasted - and it works well and hasn't crashed a single time for the 3 or so years I've had the TV. There's a couple dozen other apps for music videos, news and such but I haven't honestly bothered with any of them.
AFAIK Sony has only made the Youtube app and web browser, and the rest are made by service providers like Netflix. Or YLE in my example. Perhaps the Netflix app is crashing because the it's not very good, but I fully agree that it shouldn't take down the TV OS, whatever it is underneath.
>How easy is it for any user to update the software on these devices?
Well depends on what it is you are updating.
With a 5 yr old Sony and a 2015 LG TV and neither supported OTA or Over-the-Internet updates, the firmware update process I performed on each was:
1. Using a PC download new zipped firmware file and extract contents to FAT32 formatted USB stick.
2. Insert USB stick in TV and follow on-screen instructions.
Simpler than updating the firmware on my Humax PVR, which requires an Rs232 connection and an updater...
App's on the other hand, both the Sony and LG supported online download of these.
However, as neither offered a 'usable' online experience - ie. I'm used to using a full blown PC, neither has been connected to the Internet. Which begs the question, given that many don't connect their TV to the Internet but instead use the facilities of their Tivo or similar box - juts how many of those 6.1 million connected devices that Trend Micro alludes to are actually being used as internet connected devices.
"...the flaws potentially allow an attacker to take control over the targeted device."
I can visualize it...
"Muahaha! Your pathetic icebox is totally pwned! Alright civilian, pay me $100 in Bitcoin RIGHT NOW, or you'll never see your fresh fruit again!" (evil laughter recedes and acquires an echo...)
Strangely, Sam and Fuzzy's fridge - the one allegedly "possessed by Satan" - suddenly starts making a lot more sense...
When I bought my new TV a few months ago, I asked the Salesman about its operation without being connected to the Mothership/Internet.
He smiled and said
"I'm being asked that a lot these days".
He gently directed me away from the Samsung models to a Sony.
So far it hasn't demanded to be connected so that it can phone home.
It appears that the world of IoT is much like the majority of mobile phones. i.e. many, many millions sold and a few months later all support and upgrades stop so the users are left with all the security problems until the phone stops working/put in a drawer and forgotten.
"When I bought my new TV a few months ago, I asked the Salesman about its operation without being connected to the Mothership/Internet.
He smiled and said
"I'm being asked that a lot these days"."
My TV died this summer so I bought a new Sammy screen.
While fiddling with it, I noticed it had a freaking anti-virus on it ! A frasking AV on my TV ! WTF !
This is really telling ...
Well, colour me unsurprised.
Smartphones don't get security upgrade patches, just a full update once in a blue moon if you're lucky and it's not too old, so why would anyone be expecting tellies 'n such to get 'em?
Heavy hint for the very, very thick: If you expect whatever it is to last more than 18 months[1] and it has an internet connection, don't buy it.
[1] I.e. longer than it'll be in production.
I unplugged the internet to my recent vizio TV after letting it get one full 'latest' update for good luck, and hooked it up via HDMI to a GBox Q, which runs a recent Android release thats un-encumbered so I can manage it myself nicely. All streaming functionality is provided by Kodi from the google 'store', this works quite nicely and seems much less dodgy then the stuff that was built into the Vizio.
Someone with some common sense might realize that building their smart TV with the "smart bits" as some sort of pluggable / unpluggable card (that includes the wireless parts too) would widen his market - most people would be just as happy with their shiny new smart thing as they are now and would leave it in, while us the tinfoil hat brigade consumers with some common sense could just unplug the card, replace it with the also-supplied dummy plastic cover and keep using the telly in "you connect an input signal, switch to that input, and I'll display it" mode. I can hardly think it would raise the overall costs with more than a few cents, and there's way more variation in price between seemingly similar models even now...
That system in no way generates the revenue in the manner they have the control and confidence in.
One, they would need to give the control to the customer, instead of pretending the customer has control.
Two, they would looks a lot of control over the DRM that they now support.
Besides, many many tvs have extension ports for decades that are hardly used except for a few satellite cards.
Yeah, TV Makers like most everyone else today are trying to create captive markets. Once you have them, you can fleece them 'til Doomsday since abandoning them by that point means "walking on the sun".
And they're already most of the way there. They'll find ways to make old dumb TVs stop working first (such as with digital changeover), then make sure there's nothing else on the market but TVs protected by patents, trade secrets, and whatever. 4K is showing the next step by locking down the media chain from start to finish and (I think) bonding all device makers to ensure secrets are kept. The days of actually buying anything durable and usable will soon be a faded memory...
Someone with some common sense might realize that building their smart TV with the "smart bits" as some sort of pluggable / unpluggable card (that includes the wireless parts too) would widen his market - most people would be just as happy with their shiny new smart thing as they are now and would leave it in, while us the tinfoil hat brigade consumers with some common sense could just unplug the card, replace it with the also-supplied dummy plastic cover and keep using the telly in "you connect an input signal, switch to that input, and I'll display it" mode. I can hardly think it would raise the overall costs with more than a few cents, and there's way more variation in price between seemingly similar models even now...
Samsung has (or had... not sure if they still do those) models with "smart bits" in a module hence enabling end user to upgrade their telly to quad-core (iirc last I looked) jiggerypokery.
Of course that option was in limited range of models. Also not sure if the telly would work at all without the module plugged in.
As for cost I suspect adding some extra moulding, connectors would be bit more costly than allocating bit of space on the board for a SoC.
Currently seems like if you want want than 2 HDMI ports, you pay through the nose without any other real benefits.
As I've said many times before, all I want is decent screen with lots (no, 4 is not lots...) of ports and I'll do the "smart bits2 myself thank you very much.
"As I've said many times before, all I want is decent screen with lots (no, 4 is not lots...) of ports and I'll do the "smart bits2 myself thank you very much."
Well, you ain't getting it, pal. You get what WE (and the rest of the TV cartel) decide you get on it or you go without TV, have a nice day. PBBBT!
PS. Remember, they're trying for captive markets, so they're going to limit you as much as possible, and all the other makers are in the same race.
As I've said many times before, all I want is decent screen with lots (no, 4 is not lots...) of ports
Don't see the need for lots of ports, it's a screen - I only need a selection of ports so that I can readily connect equipment to it (eg. HDMI, VGA, DVI, SCART & Composite) Everything else I'll connect to my 'entertainment' centre box - which for many people is their Tivo/PVR box. thus avoiding having loads of cables and dongles hanging off the back and side of the TV
But then that goes back to all the old and well-rehearsed arguments about Hi-Fi separates and music centres...
My grandfather was a freelance radio and tv repairman way back in the 60's. He was called to check into a TV that was changing channels, muting and changing volume levels randomly. Everything checked out. No cause found. About a week later he received another call with the same complaints. It was the neighbor of the guy he first visited, he was shocked when he found the exact same tv in the neighbor's house. His initial thought was it was the TV's, being the same model. He check everything out, no issues. In the end, it was found to be the houses were very close together. Joe and Bob's remotes could control each other's tv's...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
