Samsung's smart TVs 'wide open' to exploits

Samsung's Smart TV has a vulnerability which allows remote attackers to swipe data, according to security researchers. Malta-based security start-up ReVuln claims to have discovered a zero-day vulnerability affecting Smart TV, in particular a Samsung TV LED 3D. Smart TV can be used to browse the internet, use social …

COMMENTS


  1. Nick Ryan Silver badge

    Luckily the number of such "smart" TVs in use is quite low compared to any other target. Also lucky is that the browsing experience is so awful that most users wouldn't intentionally use them to browse the web.

    Unfortunately this leaves those that will typically have no clue about security, updates or online common sense...

    Doesn't explain piss poor security. Or piss poor UIs though. When "smart" TVs actually start to produce a usable UI then this will become a much more serious problem.

    1. Ian Yates
      Thumb Down

      I'll stick to my home-built HTPC.

      True, it isn't quite as sleek as an all-in-one, but it is considerably more future-proof hardware-wise, and I trust the FOSS community far more than Samsung in releasing security and feature updates for it. Plus, I have or can use any media streaming provider of my choice, rather than whichever ones are asked to and can be bothered to release a half-arsed "app" for my particular TV.

      Perfectly highlighted by the fact that Linux has only just dropped 386 support, but how long will Sammy (and the others) continue to release updates for the current batch of "smart" TVs?

    2. miknik
      Facepalm

      I can't be the only person...

      ...who actually just wants a dumb tv?

      Spend the money on a good panel and making the hardware performance top notch. I don't want it to overlay my twitter feed on to what I am watching or any of that nonsense. I certainly don't want that coupled with countless gaping vulnerabilities.

      While I'm on the subject I don't even want speakers. Audio and smart features are better handled by connected devices so I would rather not pay for duplicated functionality which is not only inferior but that I will also never use.

      1. Dave 150

        Re: I can't be the only person...

        100% agree, I just want a beautiful (but dumb) display

        oh and fewer cables!!

  2. Christian Berger Silver badge

    Rootable? You'd hope so!

    If I bought the device I have the right to be root on it.

    1. Anonymous Coward

      Re: Rootable? You'd hope so!

      *Yawn* Made up moral rights FTW.

      1. Bumpy Cat

        Re: Rootable? You'd hope so!

        "Made-up moral rights"? If you bought a device to do X, and the manufacturer later shut down that ability, the moral right would feel pretty damn real.

        1. DJ Smiley

          Re: Rootable? You'd hope so!

          So you should be given access to things you shouldn't be tinkering with just in case they turn it off?

          1. David Hicks
            WTF?

            Re: Rootable? You'd hope so!

            What exactly should I not be tinkering with in a device that I bought?

          2. Bumpy Cat
            WTF?

            Re: Rootable? You'd hope so!

            If I buy something, it's mine. I can use it as bought, or I can mod it, or I can plant tomatoes in it. It's none of your or anyone else's goddamn business.

            1. Benchops

              Re: Rootable? You'd hope so!

              > I can use it as bought

              "as bought" might well involve a licence agreement. Not sure how that covers the tomatoes scenario though.

              1. Bumpy Cat

                Re: Rootable? You'd hope so!

                If there's a license agreement, then I'm not really buying it, am I? It's a grey area for software, which unfortunately bled across to things like e-books, MP3s and digital movies, and is now even reaching into the world of physical products.

                "By purchasing and opening this TV, you have agreed to abide by the enclosed EULA, including that you must make me some pancakes."

            2. GitMeMyShootinIrons

              Re: Rootable? You'd hope so!

              "If I buy something, it's mine. I can use it as bought, or I can mod it, or I can plant tomatoes in it. It's none of your or anyone else's goddamn business."

              True, but then there's the tinkering that leaves the manufacturer open to legal action when the idiot user tries watering his tomatoes. Not to mention the warranty claim when the TV won't show Eastenders any more because the tomato plant has cracked the panel.

              Manufacturers design a product to do a job. It's their choice to design and implement it how they wish in the same way it is your choice not to buy it. If they lock it down to prevent uses for which it wasn't designed, that could lead them to be open to legal action for *not* preventing misuse, I can't blame them.

      2. A J Stiles
        FAIL

        Re: Rootable? You'd hope so!

        Um, it's not a made-up right -- it's the very definition of ownership.

        If I paid for it with my own money, I am privy to every secret it embodies, and I have the right to do anything I like with it in the privacy of my own home.

  3. Pen-y-gors Silver badge

    ReVuln seem like nice people

    Similar scenario: I walk past my neighbour's house and notice they've left the door open, even though I know they're out for the evening. What should I do?

    1) Phone them to let them know

    2) Let the police know

    3) Find a bunch of local scumbags hanging around in the park and offer the address to the highest bidder.

    I hope no-one from ReVuln moves in next door to me.

    1. TechnicalBen Silver badge
      Angel

      Re: ReVuln seem like nice people

      I think it's closer to "Large hole in the road". Do you:

      1) Phone the council and hope they get it fixed in the next 3 months

      2) Let the police know

      3) Tell the local drivers and the council, because you know it will be at least a week before they get it fixed and you don't want anyone driving into the hole by mistake in the mean time.

      I think they chose option 3 this time. It just so happens though that sadly highwaymen also frequent the roads and look for those crashed in pot holes to hijack. That's not your fault though. Likewise, with "holes" in security. :P

      1. Justicesays

        Re: ReVuln seem like nice people

        No, you appear to be thinking of security researchers who publish vulns in their entirety without seeking payment (with or without privately informing the vendor).

        These are people publishing the fact that they know there are vulnerabilities in a device, and will sell the knowledge of that to the highest bidder, be it crims, governments or the (now pressured) device owner.

        In your analogy they announce there are crash causing potholes somewhere on the A127 and offer to sell a map to the highest bidder, be that highwaymen bent on robbing crashed or stopped cars or the highways agency - they don't really care.

        1. Anonymous Coward

          Re: ReVuln seem like nice people

          "In your analogy they announce there are crash causing potholes somewhere on the A127 and offer to sell a map to the highest bidder, be that highwaymen bent on robbing crashed or stopped cars or the highways agency - they don't really care".

          At least you can avoid the A127 for the time being.

          1. Justicesays

            Re: ReVuln seem like nice people

            You can also turn off your telly or other device.

            Neither might be convenient however (you might live along the A127 for instance)

            I wonder what they do if they find a critical vuln. in say, airplane flight systems, air traffic control or life support?

            Does the CAA/whoever have to bid against Al Qaeda?

            1. Mike Flugennock

              Re: ReVuln seem like nice people

              > I wonder what they do if they find a critical vuln. in say, airplane flight systems, air traffic control or life support?
              >
              > Does the CAA/whoever have to bid against Al Qaeda?

              So, look, gang... I'd like to propose that "Al Qaeda" replace "Hitler" as the Godwin Trigger.

              1. A J Stiles

                Re: ReVuln seem like nice people

                Seconded.

      2. Kevin 43

        Re: ReVuln seem like nice people

        "start-up ReVuln claims to have discovered"

        The clue to their motivations may be found in the phrase "start-up". Great story for PR for a firm no one has heard of and needs some investors.

    2. Steven Roper
      Thumb Up

      Re: ReVuln seem like nice people

      Agreed. It would be a nice case of poetic justice if someone from ReVuln fell victim to an exploit that some other profiteer decided to sell to the lads from Lagos, and had their identity stolen, their credit cards maxed and their life ruined.

      I've seen what identity theft does to someone's life, and I can only say that anyone who discovers such a vulnerability and fails to report it should be charged as an accessory, in the same way that (in Australia at least) someone who becomes aware that a child is being abused and fails to report it is charged as an accessory.

      I'm also adamantly against the death penalty, but I must say that identity theft sorely tempts me to make an exception to that principle.

      1. Anonymous Coward

        Re: ReVuln seem like nice people

        "I'm also adamantly against the death penalty"

        or

        "I'm also adamantly stand for letting murderers murder, rapists rape and fuckwits buy iPhones!"

        fixed

        1. M Gale

          Re: ReVuln seem like nice people

          Yes, because not wanting to kill people means you want people to kill people.

          Really, the mentality of some people amazes me.

  4. The BigYin

    I don't want a smart TV.

    I want a big monitor. That way I can connect any PC/device of my choosing and it will do what I want, not be locked into the maker's walled-garden.

    1. Anonymous Coward

      Re: I don't want a smart TV.

      I love all this moronic "lock in" and "walled garden" whinging crap.

      A TV is not a computer, therefore the way it works is going to be different to a computer. People want to turn on a TV and maybe install a few apps, using a *remote control*, not a keyboard, mouse or messing with SSH, VNC or Samba.

      Nobody forces you to buy a Smart TV.

      1. David Hicks
        Linux

        Re: I don't want a smart TV.

        @AC - "A TV is not a computer,"

        When it's running linux on its multi-core ~GHz processor, has installable applications, a web browser, can stream media all over the place etc etc.... yeah, it is a computer.

        Essentially a Smart TV is like an iMac with slightly more emphasis on the screen and less on the computer power, but they're much the same sort of deal.

        1. Mike Flugennock

          Re: I don't want a smart TV.

          > Essentially a Smart TV is like an iMac with slightly more emphasis on the screen and less on the computer power, but they're much the same sort of deal.

          Well stated! Actually, an iMac can become even more like a TV if you hang an Elgato EyeTV dongle or HD DVR off of it.

      2. Anonymous Coward
        Thumb Down

        Re: I don't want a smart TV. @AC

        "A TV is not a computer"

        Oh yes it can be, down vote for ignorance.

      3. Anonymous Coward

        Re: I don't want a smart TV.

        "A TV is not a computer, therefore the way it works is going to be different to a computer".

        This is a perfect example of the logical fallacy known as "begging the question". You start by asserting, without evidence, that "A TV is not a computer". (Why not? Could it be a computer? Might that have some advantages?)

        Then, having begun by asserting that a TV is not a computer, you deduce that it must work in a different way. This step, too, is far from safe. A car, an aircraft, a fridge, a stereo system... none of those are computers, but nowadays they often contain computers... which allow them to do more and better things for us.

      4. Anonymous Coward

        Re: I don't want a smart TV.

        You can stick Raspbmc on a Raspberry Pi and control XBMC with a remote via CEC but still have SMB and SSH.

        Best of both worlds for about 30 quid. Worth it IMO, especially now I have transmission set up with a web interface so I can use my PC upstairs to decide what movie the missus and I will be watching that evening downstairs.

      5. JEDIDIAH
        Linux

        Re: I don't want a smart TV.

        > Nobody forces you to buy a Smart TV.

        Therefore all ethics and morality and LAW should be ignored?

        Will you still feel the same way when you are arrested because your technology is running amok and engaging in highly illegal acts on your behalf?

      6. A J Stiles
        FAIL

        Re: I don't want a smart TV.

        > Nobody forces you to buy a Smart TV

        Except, possibly, TV manufacturers stopping making any other sort .....

        You seriously overestimate the power of a minority of knowledgeable individuals against (the corporations plus a bunch of dumb people who just buy whatever they are told).

      7. Henry Wertz 1 Gold badge
        Facepalm

        A TV *is* a computer

        "A TV is not a computer":

        A modern TV *is* a computer. The LG my parents got (NOT a smart TV) has pages of GPL notices, Linux kernel, ffmpeg, libavcodec, busybox. I think it uses the Linux framebuffer driver. (The one my grandparents got listed NanoX as well so apparently it didn't.) SmartTVs *are* a computer, with more storage space and additional software installed.

        "therefore the way it works is going to be different to a computer. People want to turn on a TV and maybe install a few apps, using a *remote control*, not a keyboard, mouse or messing with SSH, VNC or Samba."

        But, VNC, SSH, and Samba would install and run fine on it, so long as it's not artificially locked down.

        Would I install vnc, SSH, and samba on my TV*? Hell no. But it's the TV owner's right to do this if they want (possibly voiding the warranty. Although it should be possible to flash it back to "factory default".)

        *(If I owned a TV... I use MythTV and just watch stuff on the computer.)

    2. Anonymous Coward
      FAIL

      Re: I don't want a smart TV.

      You'll have a big monitor for sure but a low res one at that

    3. Bobthe2nd
      FAIL

      Re: I don't want a smart TV.

      Not heard of a HDMI cable???

      I thought smart TVs were a waste of space, but then I bought one for the lounge connected with a wireless dongle. Its ability to link into my LAN to stream movies from my NAS and built in Apps to stream movies from LoveFilm etc. with zero hassle and just one controller! Suddenly makes the dumb TV in the front room which is connected to a PS3 to achieve the same thing, look very old skool and over complicated.

      How exciting that someone could tap into the USB which only holds recorded TV programs.. and who actually uses a web browser on a TV?... sure that will cause sleepless nights...

      1. Alan_Peery
        Facepalm

        Re: I don't want a smart TV.

        Are you sure that your USB drive only holds media? Perhaps there's a backup from one of your PCs there. Or the online photo library. Or a more important drive that you've attached to the same TV temporarily to move downloaded movies from your PC.

        You've also assumed that the compromise was limited to reading the USB. If the perp can get into the unSmartTV, then it might be with sufficient flexibility that they could read *any* Windows file shares visible on the network to which the unSmartTV is connected.

    4. mr_jrt
      Coat

      Re: I don't want a smart TV.

      Amen.

      Why on earth they don't have a similar arrangement to the CAM sockets whereby you can just plug a "computer" into the TV to generate the image I don't know. ...and I'm talking a simple recessed area on the back, maybe with a cover or some such.

      All a TV needs is the screen, a pretty housing, and the 'PC' bay. Your choice of TV would thus be the size, quality, and tech of the screen and the design of the housing...as for the connection, HDMI does control signals (and Displayport can carry USB), so some standardised control information from the TV's remote should be possible, or even better, have the remote controls using bluetooth, and then all you need is a receiver in the 'PC'.

      The array of inputs you would want is a bit more tricky...but an arrangement similar to the ATX back panel could probably be found, depending on the design of the PC module, and would enable you to update the inputs (via a new computer module, perhaps, to keep things simple) as technology evolves. Of course, the TV housing could offer side or front breakout connections that simply plug into the ones on the back, but that would be a manufacturer option...

      It's essentially how these things are manufactured anyway...it's the same screen in Bravias and Samsung TVs, it's just the electronics generating the picture (i.e. the "Bravia engine") that differs.

      1. Anonymous Coward

        Re: I don't want a smart TV.

        "Why on earth they don't have a similar arrangement to the CAM sockets whereby you can just plug a "computer" into the TV to generate the image I don't know. ...and I'm talking a simple recessed area on the back, maybe with a cover or some such."

        Because there's no chance of such standardisation amongst the PC makers. But any decent TV will have a fistful of SCART, HDMI and D Sub inputs. Get a docking station for your laptop, link to the TV and you're done. Somebody earlier commented on the low res of TV's as monitors, but at normal viewing distances this doesn't really apply, and even using the D Sub output from a six year old laptop I got a very clear display on a 40 inch screen, so that you could read small text sitting ten feet away on the sofa.

      2. Joseph Lord

        Re: I don't want a smart TV.

        > Why on earth they don't have a similar arrangement to the CAM sockets ...

        0) Physical space.

        1) More expensive (connectors, additional casings).

        2) (Most) People don't care.

        3) The 'sales' people at Currys are the primary channel for communicating product information (don't make your product the one that is hard to explain)...

        4) If you have different platforms that confuses the picture for content partners you are bringing on board and you want to maximise the number of viewers that can be reached.

        5) Stock control. We have 1500 more processor modules left than TVs to put them in (or vice versa).

        6) Internally the product changes every year to bring the costs down.

        7) Additional failure point (especially the connection)

        I believe some high end Samsungs offered an upgradeable module but I didn't follow it closely. It really isn't a cost effective approach.

        Depending on what you want to do you can do it yourself with a Raspberry Pi powered by the USB and plugged into the HDMI or a real computer powered by the mains and plugged into the HDMI. Use HDMI CEC for the control and you can use the original remote. Most people will stick to the built in services (and DLNA) if they connect to the network at all.

        > It's essentially how these things are manufactured anyway...it's the same screen in Bravias and Samsung TVs, it's just the electronics generating the picture (i.e. the "Bravia engine") that differs.

        Not entirely. Yes the main board is the same or nearly the same +- satellite tuner and at the top end extra picture processing hardware but the panel also varies (particularly high frame rate support + 3D and possibly backlight technology or bit depth).

    5. Mark .

      Smart TVs do exactly what you want.

      I think you're confusing it with that hypothetical Apple TV :)

      Smart TVs do exactly what you want. Well, of course, any TV these days can act as a big monitor, in that you can connect to a PC or other device via HDMI. But smart TVs can also stream wirelessly, which saves loads of cables, or is useful if the device is on your lap or in another room. They can also "pull" rather than just "push" (i.e., you can use the TV remote to browse things to watch on a device, rather than having to use the PC with the TV acting as a monitor, although you can still do that too).

      Online services come from anywhere you want - iplayer, netflix, youtube, or even just a random webpage. In fact I don't think LG even have their own services, let alone a walled garden.

      I can easily see one manufacturer producing a TV that only works with their online site, with their devices, with their custom cables, connectors and wireless protocols... but that's not any smart TV around today.

  5. Anonymous Coward
    Alert

    If it looks like a computer....

    Smells like a computer, acts like a computer and connects to the Internet then it always has the potential to be hacked.

    If you want a smart TV get an android usb stick computer or similar then if that gets bricked by a hacker at least it's not £1000 down the drain.

    As Scotty said "The more the plumbing the easier it is to stop up the drain"

    1. Anonymous Coward

      Re: If it looks like a computer....

      So your average retired grandmother is going to get a Linux computer up and running on a TV is she?

      You people really need to look outside of your parents' bedroom and interact with real "non geek" people once in a while. They buy this Smart TV stuff because they don't know computers very well.

      Good luck trying to explain on the phone how to edit conf files in /etc using VI to a family member.

      1. TechnicalBen Silver badge
        Headmaster

        Re: If it looks like a computer.... AC

        Yes, the average grandmother could get a little linux box. Some are sold for £200, run very well. It's just the more profitable products are marketed, not the more useable ones.

      2. Anonymous Coward
        Megaphone

        Re: If it looks like a computer.... @AC

        Do you know what and an Android stick or media box is ? Obviously not. It's no more difficult than using a smart phone. By the way idiot most smart TVs already are using linux so yes a granny is already using Linux without help from you, anonymous troll.

        1. Andy Watt
          Mushroom

          "do you know what and (sic) an Android stick or media box is?"

          Get a grip - you actually manage to infer here that a granny would know what an android stick is. Grab a mirror before you throw troll insults around. Or read his original post again and then take a deep breath.

          1. M Gale

            Re: "do you know what and (sic) an Android stick or media box is?"

            > you actually manage to infer here that a granny would know what an android stick is.

            I'm sure she'd know how to use one after a little playing with it. Oh, you do know that using Android has nothing to do with Vim, Emacs or editing /etc files by hand?

            Really, have you used Android?

      3. Andy Watt

        Re: If it looks like a computer....

        Beautifully put. The Reg is full of people who think everybody thinks like a security-conscious follower of all tech trends, and have fingers specially adapted for command-line work.

      4. Horridbloke
        WTF?

        Re: If it looks like a computer....

        "So your average retired grandmother..."

        Your average retired grandmother can't work out a smart TV either. Actually the same goes for plenty of younger people. I've helped out a couple of non-geeks get their giant tellies web-enabled over the last year. One was a thirty-something nurse, the other was a fifty-something martial arts instructor who'd been duped into buying an unnecessary £70 wifi dongle and didn't believe me when I said he didn't need it because his router was sitting proudly at the back of his telly stand. In both cases they were massively disappointed by the rubbish network functionality on offer and the bad ergonomics (an issue that has haunted consumer kit for decades) and I don't believe they bother with those smart features.

        Smart TV features will remain "geek" features until the ergonomics get sorted out. The manufacturers don't seem to be up to it, therefore the Linux media box path has a realistic prospect of success.
