Over the past few years we have seen everyday items such as refrigerators, lighting and heating systems and even kettles all of a sudden becoming “smart”. In fact there are now more smart items on the planet than smart humans, or in fact any type of humans, with an estimated 13.4 billion devices currently connected to the Internet. This is not necessarily a problem – until of course hackers start exploiting these devices to gain access to your home or work networks.
Most people would never even suspect that their television set could be hacked yet this is happening, in research labs at least, with greater frequency. In one recent example, security company Avast demonstrated a hack of a Vizio Smart TV enabling root access to the TV’s underlying Linux operating system. Last year I also found that this flaw involving a maliciously crafted SSID value could be exploited with a USB device. After exploiting this flaw, the attacker has access to everything connected to the home network of their ‘victim’. Avast also demonstrated what a Man-in-the-Middle (MITM) attacker (such as an intrusive government or ISP) could learn by monitoring network traffic from the TV set.
The somewhat sinister end results showed that the smart TVs were broadcasting fingerprints of their user’s activities. Consumers need to be aware that flaws within these smart devices could serve as a potential pivot point for a hacker, providing them with access to their home network. Once an attacker gains a foothold on an IoT device, they generally gain access to launch attacks against anything hooked up to the same Internet connection such as tablets, phones and computers. Some of these devices may also subsequently connect to corporate networks thereby extending the risk of attack into the enterprise.
The risk of smart TVs cannot be understated. These are devices with access to the network and often times contain a variety of out of date software libraries with known vulnerabilities. This is compounded by the fact that television sets are designed to presume anyone on the local network has legitimate access for the sake of ease of use. This ease of use of course translates into an ease of exploitation from a relatively wide range of sources. These televisions are also finding their way into enterprise environments with greater frequency as businesses seek to upgrade their conference and board rooms.
Businesses using these television sets would be strongly advised to keep them off the network and ensure that the USB ports are not exposed. As with a traditional computer, simple network requests or the insertion of a USB stick can sometimes be enough to give an attacker full control over the computing resources within a TV. If this TV is attached to a network with valuable data, it becomes a pivot point for the attacker. It is also worth noting that many of these TVs come equipped with remote controls for voice commands and cameras for video conferencing making them the perfect tool for corporate espionage. It is recommended that at this time enterprises do not make use of teleconference software bundled with consumer TVs but rather that they stick with more traditional teleconference solutions using the TV as a screen.
For consumers on the other hand, removing the TV from the network can greatly diminish its value, but in many cases the TV can be put on an isolated guest network to avoid the possibility of it becoming a pivot point to attack other systems on the network. Many consumers will also likely defer installing updates on the home TV but this is of course a mistake as these updates may contain critical security fixes. Smartphone applications, browser plugins, and even malicious web sites are all potential sources of threats for devices in a home network including the TV. By keeping the TV on an isolated network, these infection sources will not be able to locate and attack the set.
Vizio has successfully resolved these issues and applied an automatic update to their TVs however this should be a wake-up call to other manufacturers of “smart” products, not just TVs. Consumers and businesses must also realise that anything connected to the Internet should be treated with the same caution as a computer in terms of its potential to be exploited.
Craig Young, Security Researcher at Tripwire
Image Credit: bergserg/ Shutterstock