back to article Smart telly, router, app makers have left a security hole open for – drum-roll – three years

A security hole that has been known and patched for the last three years remains vulnerable in over 6.1 million connected devices. This according to Trend Micro, who says its researchers have discovered that a collection of remote code execution vulnerabilities in a software library used by mobile devices, smart TVs, and …

  1. Electron Shepherd

    Experience not the issue

    manufacturers who have not traditionally had experience in application development will be tasked with creating and maintaining secure software stacks

    The lack of experience isn't the issue. Any experienced software engineer will tell you that all the common problems in software have been solved, and it's not a good idea to start re-inventing the wheel (even though it does still happen far too often).

    No-one in their right mind is going to write their own uPNP library if there's an existing one already out there, especially one that has been pounded on by a lot more people than in your testing team, and used in situations that you never thought of. Most of those obscure edge and corner case bugs have been found and fixed, and many of the security holes plugged.

    But not all. So when some more bugs are fixed, you need to update the software that uses the library (if it's statically linked), or update the library file itself (if it's dynamically linked).

    It's a decent updating process that's needed - the IoT equivalent of "Patch Tuesday" for the Windows world. That, of course, has to be fed by updated code from the manufacturers, and that is the biggest challenge of all.

    Hardware manufacturers don't have a great reputation for producing good software in the first place, but they have a truly terrible reputation for updating it afterwards.

    1. waldo kitty
      FAIL

      Re: Experience not the issue

      agreed for the most part... uPnP is its own security hole, though... especially since it allows users to bypass the admins' security settings on what traffic is allowed in or out... it has long been a thorn in the side of security conscience admins every where... at least today's uPnP does offer some additional controls and capabilities to prevent egress but it is still a hole that they didn't punch themselves...

    2. Anonymous Coward
      Anonymous Coward

      Re: Experience not the issue

      "Hardware manufacturers don't have a great reputation for producing good software in the first place, but they have a truly terrible reputation for updating it afterwards."

      An insurmountable problem, meaning IoT isn't a viable concept. Looking forward to the next decade of IoT security failure headlines. *Eats popcorn*

    3. 8Ace

      Cut the software engineer crap

      You might as well say software doctor as both are equally shite descriptions.

      If they were engineers it would be done properly. Que lots of engineering fail examples from frustrated "framework monkeys"

      1. anonymous boring coward Silver badge

        Re: Cut the software engineer crap

        Perhaps it's a former locomotive operator that now does some coding?

        1. Pompous Git Silver badge

          Re: Cut the software engineer crap

          Well if it's the railway engineer who thinks he's a climatologist and writes soft-core porn novels in his spare time, well he's shite at both. I doubt that there's any greater shortage of shiteness among engineers than any other profession.

          1. Moonunit

            Re: Cut the software engineer crap

            Dunno about anyone else, but for me it's more a case of taking issue with the misuse of the term "engineer" ... there's a whole extra back-argument but it's Friday Part Two here, and, well ...

            Good weekend all!

        2. Captain Badmouth
          Devil

          Re: Cut the software engineer crap

          "Perhaps it's a former locomotive operator that now does some coding?"

          Glencannon? The canny Indian outsourced engineer?

      2. Moonunit

        Re: Cut the software engineer crap

        Have to give you a proper thumbs-up there. The whole "software engineer" nonsense is a bit too much. Programmer, yes. Coder, if you must. Designer, ok. Engineer? No, no, and no!

        1. Stoneshop Silver badge
          Boffin

          Re: Cut the software engineer crap

          The whole "software engineer" nonsense is a bit too much

          Oh, there are people that really deserve the title "software engineer". The guy who's now just handing over the Voyager software to his successor is one, IMHO. Stuff that's several tens of AU away by now and still working. There's other engineering feats involved, but the software is one of them.

          1. Roland6 Silver badge

            Re: Cut the software engineer crap

            The problem is with the computing profession. There is nothing to prevent the software developer equivalent to a legal Assistant calling himself a Software Engineer whereas a Legal Assistant is barred from describing himself as a Barrister.

    4. Zog_but_not_the_first Silver badge
      Facepalm

      Re: Experience not the issue

      "But we've sold the TV/toaster/fridge/Barbie/etc., and trousered the profit. Why do we need to do anything else?"

      1. Anonymous Coward
        Anonymous Coward

        Re: Experience not the issue

        The one exception is if there's adverts in the interface. Then you can expect minor software updates to improve the adverts.

      2. Smooth Newt

        Re: Experience not the issue

        It's worse than just trousering the profit. It might be obselete, buggy software to you, but it's a golden marketing opportunity to flog the punters replacement kit to them.

      3. Stoneshop Silver badge
        Big Brother

        Re: Experience not the issue

        But we've sold the TV/toaster/fridge/Barbie/

        Given the ever increasing interconnectedness of household appliances, toys and whatever, it could just as well be read as TVtoasterfridgeBarbie.

  2. stuartnz

    Happy with my sneakernet TV

    This article cheered me up. my viewing is not so much uPnP as "YouPnP" and now the 3 metre walk from PC to TV carrying a USB stick looks like both good exercise and bood security practice.

    1. Anonymous Coward
      Anonymous Coward

      Re: Happy with my sneakernet TV

      Cloud propagandists would prefer you didn't use USB sticks or SD cards.

    2. Fibbles

      Re: Happy with my sneakernet TV

      Unless of course your USB stick contains malware you weren't aware of. Has your libpng been patched? Even dumb TVs aren't dumb any more.

      On a side note I bought a 'dumb' TV recently and whilst flicking through the instruction manual was surprised to find a full copy of the GNU GPL.

      1. gerdesj Silver badge
        Childcatcher

        Re: Happy with my sneakernet TV

        "On a side note I bought a 'dumb' TV recently and whilst flicking through the instruction manual was surprised to find a full copy of the GNU GPL."

        Not sure there is such a thing as a dumb TV anymore. I've even seen a "set top box" for FreeSAT that clearly had MythTV in it (although somewhat torn to bits and re-assembled like a 2 year old with an Airfix kit). Yours probably has bits of FFMPEG or libmpeg in flash somewhere - why reinvent the wheel?

        My Samsung telly even has an AV section in its menu. It lives on a separate VLAN +SSID I keep for IoT stuff. Must get around to looking at the flow logs to see what it gets up to. The Zoneminder server and RPi on the same subnet/VLAN have firewalls, that refuse connectes from their own network. I'm scared of my telly 8)

      2. stuartnz

        Re: Happy with my sneakernet TV

        Yes, as I made my initial comment I did consider the possibility of USB malware, but I figure that since I never share the sticks I use, the risk is as low as it can possibly be. At the very least, the article suggests I have one fewer infection vector to worry about. Which might be about as good as it gets.

  3. a_yank_lurker Silver badge

    Easy Updates

    How easy is it for any user to update the software on these devices? I ask more from ignorance because I do not own any IoT devices so never looked into the issue.

    If they are not easy to update for technically literate user, which would not surprise me, then they would be practically impossible for the unwashed masses.

    1. Sandtitz Silver badge

      Re: Easy Updates

      "How easy is it for any user to update the software on these devices?"

      It could and can be super easy.

      My Sony TV has downloaded updates in the background and installed them when the TV was not in use. A couple times it has also prompted that there is an update waiting - asking whether it should be installed immediately or when the TV is turned off. For consumer stuff like this there should be automatic updates turned on with an option to turn them off, not the other way around.

      1. a_yank_lurker Silver badge

        Re: Easy Updates

        @Sandtitz - Thanks. It appears then the manufacturer can make updates a fairly seamless operation or nightmare. It problem depends on how much experience the manufacturer has with computers.

      2. Barry Rueger Silver badge

        Re: Easy Updates

        Our Sony does that as well.

        Problem is that the Sony software is pure and utter garbage, so the auto-download just gives us freshly updated garbage.

        Sony's software is so deficient in both features and functionality - seriously, for a couple of months Netflix would crash the OS! - that I would never for a moment expect it to be secure.

        1. Sandtitz Silver badge

          Re: Easy Updates @Barry

          Problem is that the Sony software is pure and utter garbage

          I can't really deny or validate that claim since my usage of the Sony "smart" features are a single app for catching up programs YLE (the Finnish Broadcasting Company) has broadcasted - and it works well and hasn't crashed a single time for the 3 or so years I've had the TV. There's a couple dozen other apps for music videos, news and such but I haven't honestly bothered with any of them.

          AFAIK Sony has only made the Youtube app and web browser, and the rest are made by service providers like Netflix. Or YLE in my example. Perhaps the Netflix app is crashing because the it's not very good, but I fully agree that it shouldn't take down the TV OS, whatever it is underneath.

    2. Roland6 Silver badge

      Re: Easy Updates

      >How easy is it for any user to update the software on these devices?

      Well depends on what it is you are updating.

      With a 5 yr old Sony and a 2015 LG TV and neither supported OTA or Over-the-Internet updates, the firmware update process I performed on each was:

      1. Using a PC download new zipped firmware file and extract contents to FAT32 formatted USB stick.

      2. Insert USB stick in TV and follow on-screen instructions.

      Simpler than updating the firmware on my Humax PVR, which requires an Rs232 connection and an updater...

      App's on the other hand, both the Sony and LG supported online download of these.

      However, as neither offered a 'usable' online experience - ie. I'm used to using a full blown PC, neither has been connected to the Internet. Which begs the question, given that many don't connect their TV to the Internet but instead use the facilities of their Tivo or similar box - juts how many of those 6.1 million connected devices that Trend Micro alludes to are actually being used as internet connected devices.

  4. Anonymous Coward
    Pirate

    Lettuce prey...

    "...the flaws potentially allow an attacker to take control over the targeted device."

    I can visualize it...

    "Muahaha! Your pathetic icebox is totally pwned! Alright civilian, pay me $100 in Bitcoin RIGHT NOW, or you'll never see your fresh fruit again!" (evil laughter recedes and acquires an echo...)

    1. DropBear Silver badge
      Devil

      Re: Lettuce prey...

      Strangely, Sam and Fuzzy's fridge - the one allegedly "possessed by Satan" - suddenly starts making a lot more sense...

    2. ee_cc

      Re: Lettuce prey...

      Nah but I wouldn't be surprised if it'll be common occurrence for Auntlizzies to be swatted and wake up at gunpoint for running a proxy used for terrorist comms... from their Smart Teapot

  5. Anonymous Coward
    Anonymous Coward

    IoT Smart crap!!!!

    When I bought my new TV a few months ago, I asked the Salesman about its operation without being connected to the Mothership/Internet.

    He smiled and said

    "I'm being asked that a lot these days".

    He gently directed me away from the Samsung models to a Sony.

    So far it hasn't demanded to be connected so that it can phone home.

    It appears that the world of IoT is much like the majority of mobile phones. i.e. many, many millions sold and a few months later all support and upgrades stop so the users are left with all the security problems until the phone stops working/put in a drawer and forgotten.

    1. regadpellagru

      Re: IoT Smart crap!!!!

      "When I bought my new TV a few months ago, I asked the Salesman about its operation without being connected to the Mothership/Internet.

      He smiled and said

      "I'm being asked that a lot these days"."

      My TV died this summer so I bought a new Sammy screen.

      While fiddling with it, I noticed it had a freaking anti-virus on it ! A frasking AV on my TV ! WTF !

      This is really telling ...

  6. TeeCee Gold badge

    Gosh, really?

    Well, colour me unsurprised.

    Smartphones don't get security upgrade patches, just a full update once in a blue moon if you're lucky and it's not too old, so why would anyone be expecting tellies 'n such to get 'em?

    Heavy hint for the very, very thick: If you expect whatever it is to last more than 18 months[1] and it has an internet connection, don't buy it.

    [1] I.e. longer than it'll be in production.

    1. Anonymous Coward
      Anonymous Coward

      Re: Gosh, really?

      At least with phones I can use CyanogenMod to effectivly extend support for 5 years or more.

      No chance they'll be open source enthusiast builds of IoT firmwares.

    2. werdsmith Silver badge

      Re: Gosh, really?

      So a security hole was left there for 3 years and ........

      nobody died. In fact nobody could be bothered to exploit it even if they knew it was there.

      Because it just didn't matter.

  7. John Geek

    I unplugged the internet to my recent vizio TV after letting it get one full 'latest' update for good luck, and hooked it up via HDMI to a GBox Q, which runs a recent Android release thats un-encumbered so I can manage it myself nicely. All streaming functionality is provided by Kodi from the google 'store', this works quite nicely and seems much less dodgy then the stuff that was built into the Vizio.

  8. DropBear Silver badge

    Someone with some common sense might realize that building their smart TV with the "smart bits" as some sort of pluggable / unpluggable card (that includes the wireless parts too) would widen his market - most people would be just as happy with their shiny new smart thing as they are now and would leave it in, while us the tinfoil hat brigade consumers with some common sense could just unplug the card, replace it with the also-supplied dummy plastic cover and keep using the telly in "you connect an input signal, switch to that input, and I'll display it" mode. I can hardly think it would raise the overall costs with more than a few cents, and there's way more variation in price between seemingly similar models even now...

    1. Anonymous Coward
      Anonymous Coward

      Not even close.

      That system in no way generates the revenue in the manner they have the control and confidence in.

      One, they would need to give the control to the customer, instead of pretending the customer has control.

      Two, they would looks a lot of control over the DRM that they now support.

      Besides, many many tvs have extension ports for decades that are hardly used except for a few satellite cards.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not even close.

        Yeah, TV Makers like most everyone else today are trying to create captive markets. Once you have them, you can fleece them 'til Doomsday since abandoning them by that point means "walking on the sun".

        And they're already most of the way there. They'll find ways to make old dumb TVs stop working first (such as with digital changeover), then make sure there's nothing else on the market but TVs protected by patents, trade secrets, and whatever. 4K is showing the next step by locking down the media chain from start to finish and (I think) bonding all device makers to ensure secrets are kept. The days of actually buying anything durable and usable will soon be a faded memory...

    2. Down not across Silver badge

      pluggable "smart bits"

      Someone with some common sense might realize that building their smart TV with the "smart bits" as some sort of pluggable / unpluggable card (that includes the wireless parts too) would widen his market - most people would be just as happy with their shiny new smart thing as they are now and would leave it in, while us the tinfoil hat brigade consumers with some common sense could just unplug the card, replace it with the also-supplied dummy plastic cover and keep using the telly in "you connect an input signal, switch to that input, and I'll display it" mode. I can hardly think it would raise the overall costs with more than a few cents, and there's way more variation in price between seemingly similar models even now...

      Samsung has (or had... not sure if they still do those) models with "smart bits" in a module hence enabling end user to upgrade their telly to quad-core (iirc last I looked) jiggerypokery.

      Of course that option was in limited range of models. Also not sure if the telly would work at all without the module plugged in.

      As for cost I suspect adding some extra moulding, connectors would be bit more costly than allocating bit of space on the board for a SoC.

      Currently seems like if you want want than 2 HDMI ports, you pay through the nose without any other real benefits.

      As I've said many times before, all I want is decent screen with lots (no, 4 is not lots...) of ports and I'll do the "smart bits2 myself thank you very much.

      1. Anonymous Coward
        Anonymous Coward

        Re: pluggable "smart bits"

        "As I've said many times before, all I want is decent screen with lots (no, 4 is not lots...) of ports and I'll do the "smart bits2 myself thank you very much."

        Well, you ain't getting it, pal. You get what WE (and the rest of the TV cartel) decide you get on it or you go without TV, have a nice day. PBBBT!

        PS. Remember, they're trying for captive markets, so they're going to limit you as much as possible, and all the other makers are in the same race.

      2. Roland6 Silver badge

        Re: pluggable "smart bits"

        As I've said many times before, all I want is decent screen with lots (no, 4 is not lots...) of ports

        Don't see the need for lots of ports, it's a screen - I only need a selection of ports so that I can readily connect equipment to it (eg. HDMI, VGA, DVI, SCART & Composite) Everything else I'll connect to my 'entertainment' centre box - which for many people is their Tivo/PVR box. thus avoiding having loads of cables and dongles hanging off the back and side of the TV

        But then that goes back to all the old and well-rehearsed arguments about Hi-Fi separates and music centres...

  9. chivo243 Silver badge

    Humor me here, it's been going on for decades

    My grandfather was a freelance radio and tv repairman way back in the 60's. He was called to check into a TV that was changing channels, muting and changing volume levels randomly. Everything checked out. No cause found. About a week later he received another call with the same complaints. It was the neighbor of the guy he first visited, he was shocked when he found the exact same tv in the neighbor's house. His initial thought was it was the TV's, being the same model. He check everything out, no issues. In the end, it was found to be the houses were very close together. Joe and Bob's remotes could control each other's tv's...

    1. MonkeyCee Silver badge

      Re: Humor me here, it's been going on for decades

      According to some of the young scoundrels at uni all Sky remotes work on all Sky boxes.

      So for laffs they would take one and walk along maxing volume, changing channels etc.

      Modern equivalent of ringing the bell and running off

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019