The times when all that our TV sets could do was
show us ‘regular’ TV stations are now over. These days, such ‘old-school’
television sets are increasingly being replaced with their ‘smart’ successors,
which we can use for streaming video and audio, playing games, browsing the
internet, downloading and using apps – all of that thanks to their internet
connectivity. This leads to a key question: Are you safe around your smart TV?
This evolution is part of a wider trend that
involves connecting consumer electronics and everyday objects to the internet,
creating a rapidly growing mass of various Internet-of-Things (IoT) devices in
the process.
However, the internet connectivity of smart TVs and
the perilous state of security in the IoT space in general has opened the
floodgates to a deluge of threats to our privacy and security.
Research has shown that various attacks against
smart TVs are possible and practicable, often requiring no physical access to
the device or interaction from the user. It has also been demonstrated several
times that, once compromised, an Internet-enabled TV can serve as a springboard
for attacks at other devices within the same network, ultimately targeting a
user’s personal information stored on even juicier targets such as PCs or laptops.
Watching you watching me
Now, you probably enjoy watching your smart TV, but
chances are that you don’t want it to watch you, too. But ‘watch its watchers’
is precisely what these TVs can do.
Back in 2013, researchers demonstrated
that, by exploiting security holes in some models of Samsung’s internet-capable
TVs, it was possible to remotely turn on the built-in camera and microphone. In
addition to converting the TVs into all-seeing, all-hearing devices, they were
able to take control of embedded social media apps, posting information on the
users’ behalf and accessing files. Another researcher highlighted an attack that allowed him to insert fake news stories into the
browser of a smart TV.
Malware, too, can find its way into smart TVs that
could convert them into bugging devices. In this attack vector, which has also
been proven practicable, hackers could create a legitimate app before
releasing a malicious update that would then be automatically downloaded onto a
smart TV fitted with a built-in microphone.
In 2014, a loophole in a widely used interactive TV
standard known as Hybrid Broadcast Broadband TV (HbbTV) came to light. It emerged that malicious attack code could be
buried into ‘rogue’ broadcasts and target thousands of smart TVs in one fell
swoop, hijacking these as well as other devices in the network, stealing
logins, displaying bogus adverts, and even sniffing for unprotected Wi-Fi
networks. In addition, the attack was found not to require any special hacking
smarts.
Issues with HbbTV were in the spotlight again in
2017. A security researcher demonstrated a technique for deploying a rogue over-the-air
signal to compromise internet-enabled televisions. Once taken over by the
attacker, the TV could be used for an apparently endless list of malicious
actions, including to spy on the user via the TV’s microphone and camera, and to
burrow deep into the local network. As many as nine in ten smart TVs sold in
recent years were estimated to be prone to this hack. As with the earlier
example, the victim would spot no outward signs of something being amiss.
In February 2018, US non-profit organization
Consumer Reports released the results of hack tests on internet-connected TVs of five
brands, each of which features a different smart TV platform. “Millions of
smart TVs can be controlled by hackers exploiting easy-to-find security flaws”,
said the organization. The devices were found to be susceptible to rather
unsophisticated hacks that would enable an attacker to flip through channels,
crank up the volume to blaring levels, install new apps, and knock the device
off Wi-Fi – all while working remotely, of course.
The review also found that users need to
consent to the collection of very detailed data about their viewing habits –
unless they’re ready to forgo some of the smart features of their new smart TV.
Over the years, several manufacturers have been found to engage in the behind-the-scenes acquisition of, and
trafficking in, data about the viewing habits of consumers.
Having a listen
Concerns about the implications of smart TVs for
privacy were also raised in 2015, when Samsung’s ‘voice recognition’ function
as another layer of convenience that enables you to give voice commands to your
smart TV came to the fore. The company warned its customers who use the voice activation feature on
their smart TVs that their private conversations would be among the data
captured and shared with third parties. In addition, the voice information
picked up in such ‘official snooping’ was not always
encrypted, potentially enabling intruders to listen in on private
conversations.
All told, the security conversation is here to
stay, as a range of private and security concerns persist while more and more
consumers are snapping up smart TVs. According to one projection, over 750 million smart TVs will be in use
worldwide by the end of 2018.
Smart TVs afford us the opportunity to use them for
purposes that are more commonly associated with computers. In fact, that’s what
these TVs have become – internet-connected ‘computers’, much like mobile phones.
It would no doubt help if we thought of them as such and treated them
accordingly.
