Major Security Flaws Discovered In Internet HDTVs
wiredmikey writes "Security researchers have discovered several security flaws in one of the best-selling brands of Internet-connected HDTVs, and believe it's likely that similar security flaws exist in other Internet TVs. The security researchers were able to demonstrate how an attacker could intercept transmissions from the television to the network using common 'rogue DNS,' 'rogue DHCP server,' or TCP session hijacking techniques. Mocana was able to demonstrate that JavaScript could then be injected into the normal datastream, allowing attackers to obtain total control over the device's Internet functionality."
That could be hilarious. Oh won't someone think of the children at risk!
Hoist Number One and Number Six.
"We control the horizontal."
"We control the vertical...."
and get to the main page. now, observe the title & summary of this article. then, gaze towards the article & summary below, while keeping this one in mind.
....
great timing to make a point
Read radical news here
but the same trick works even for unsuspicious human beings using your wireless/wired connection (you can hijack their web browser sessions, steal their credentials, etc). It's been known probably since the conception of the Internet that HTTP isn't a secure protocol - probably TV manufacturers never thought of their devices to be used on [public|untrusted|malicious] networks.
I have a hard time seeing a compromised TV being as much of a security risk as a compromised PC. Would a TV have your personal information on it? Probably not. Would it be able to access a computer on your home network enough to get at personal information? Seems unlikely. Sure, I suppose it may be possible for an internet TV to become a botnet agent helping in a DDoS attack or something, but even that seems like it would be of minimal utility. I don't really see a TV as being useful in pumping out spam, either, unless the manufacturers were putting mail agents in there to report problems back to the manufacturer.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
I hate how all these "smart" ones can be tricked into doing nefarious deeds.
Now why can't the hackers go for the cable box and hack us some free HBO
If you have control over the network infrastructure, you can give a host DHCP/DNS info which might not be right and make it go where you want.
Major automotive security alert!!11!!! If someone steals your car, they get the stuff inside, too.
"National Security is the chief cause of national insecurity." - Celine's First Law
If someone gets into your home network, maybe they can mess with your TV... I think maybe you would have bigger problems if someone was actually able to get on your network, since they could do many worse things.
Of course, the language per se is innocent. But embedding programmability in everything (Web pages, PDF what not) is becoming the biggest security nightmare all around. And the Web Masters want to entice us to be part of the fray. Quoth slashdot:
There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.
Thanks, but no, thanks. I might not want anything (Classic needs cookies, bad Fido, no cookies for you today). Quoth again Slashdot:
Why does "This Function Require JavaScript?"
Welcome to the now, man!
[...]
Well, thanks again, but no, thanks. I'm getting pretty well along without my browser executing random stuff from out there (in most cases it ain't even malicious, but wickedly bad programming, just DOSing my computer).
Meh.
Forget the security flaws, the ability to stream content to a HDTV is so variable, that you don't know if a set will actually cope with streaming until you buy it. So much for standards. Now THAT is a flaw! So that's why I've not bought a HDTV, and stick to a PC with a HD monitor - at least the computer can play anything I throw at it - and without wasting more electricity transcoding the content into something the TV might like.
Take Nobody's Word For It.
Don't most of the newer TVs run Linux? My father's LG does. So it's entirely possible that the first real viruses for Linux will run on TVs rather than normal computers.
-- Cheers!
Q: What happens when you combine a TV with a computer?
A: You get a computer.
I'm a good cook. I'm a fantastic eater. - Steven Brust
Well that's just great! You're telling me it's not safe to lug my HDTV into Starbucks anymore?
Digging around the PDF, it seems that http://www.xxxxxxxx.tv/data/home-screen.js is mentioned. Other places on the internet mention that path in conjunction with bd.vieracast.tv and bd.vieracast.eu, and Panasonic TVs.
Surely that should read, "without the user's permission".
"...using common 'rogue DNS,' 'rogue DHCP server,' or TCP session hijacking techniques..."
Any given device on an average home network can be "hacked" in the same way. This is not news.
Solution! ipTVtables and ip6TVtables squidTVguard,
alternatively NETBSDTV ;o)
People are selling personal computers that come preloaded with insecure software? I'm shocked!
Oh, the personal computer is called something else, "internet TV," so that makes this news.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
1. Make antivirus and antispyware software for smart TV's.
2. Pwn teh markets....
3. Profitzzzzzzzz
When you can plug your computer into the back of the TV and use it as a screen, why give the TV the functionality of a computer?
Where can you install the AV or firewall or malware programs on your TV? You can't, yet even M$ says you need those if you want to surf the web. The guy who thought of adding the browser to the TV was an idiot... sorry for saying... especially when I can just hook mine up and do the exact same thing by using the TV as my screen!
and get free uncapped unlimited internet
If you are worried that someone can change what's on your TV you are missing the point. The real concern is that by rooting your TV (which might have a linux shell for example) this can then be used as a vector to access anything on your home network that would otherwise be protected by NAT/FW. More sophisticated users would be well advised to set up a separate guest LAN that can only get straight out to the net.
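The guest-LAN advice in the comment above, sketched as an nftables ruleset for a Linux router. This is an added example, not part of the original thread; the interface names `lan0`, `guest0` and `wan0` and the table name are assumptions.

```nftables
# Constructed example: isolate a "guest" segment that holds the TV.
# Assumed interfaces: lan0 = trusted LAN, guest0 = TV/guest LAN, wan0 = uplink.
table inet tv_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed to start.
        ct state established,related accept

        # Trusted LAN may open connections anywhere, including to the TV.
        iifname "lan0" accept

        # Guest segment may only go straight out to the Internet.
        iifname "guest0" oifname "wan0" accept

        # Anything else, including guest0 -> lan0, hits the drop policy,
        # so a compromised TV cannot open connections to the trusted LAN.
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # The TV needs DHCP and DNS from the router, nothing more.
        iifname "guest0" udp dport { 53, 67 } accept
        iifname "guest0" tcp dport 53 accept

        # Keep the guest segment away from the router's admin services.
        iifname "guest0" drop
    }
}
```

This limits what a compromised TV can reach; it does not stop interception by someone already on the same segment as the TV.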
How is this news? Isn't broadcast TV already controlled by deviant malicious people? (eg: Rupert Murdoch, Ted Turner)
The worst we're going to have is more porn (now available in various flavors on channels 100-500 on cable), infantile crap passing as comedy (currently on all major networks), and "info-tainment" passing as news (now available on about 500,000,000 blogs). The horror....
I fail to see how breaking fundamentally insecure communications protocols counts as news. Not only are the protocols insecure, but the original engineers knew it at the time. They never intended the "pilot program" of IPv4 to be used the way it is.
The person would have to go to your house and set up a DHCP server. They might as well pick up your TV remote and download the software into it at that point. Dumb article for dummies.
Perhaps that's just as well then, maybe I should stop complaining even though it's a feature I paid for and never got.
If my call is important, why am I talking to a recording?
Running a wide variety of apps on a TV has tremendous potential, but just as with PCs, game consoles and smartphones, the tech is changing so fast that the user will need to overhaul it every few years, so this tech should be implemented as set top boxes. Nobody wants to throw out their whole TV just because one small part of it is obsolete.
Anyone who didn't see this coming should be sentenced to working on a PCjr and 300 baud modem for the next 5 years.
Doesn't Samsung manufacture the only internet capable HDTVs that rely on Javascript? And hasn't Samsung been hacked twelve ways from Sunday already?
So Sony provides source code to fulfill its obligations under GNU GPL version 2. But can an end user modify the code, recompile it, and load it back onto the TV, or is it tivoized?
As devices become "smarter" and more connected, these kinds of flaws and vulnerabilities will only increase in number and severity. It's highly unlikely that there will ever be enough economic incentive for manufacturers to keep the embedded software in their consumer devices secure and up-to-date, not to mention the lack of software update mechanisms.
This is why we need Free Software. Standard platforms running Free Software can be patched and updated simply and easily, and maintained by community efforts. Once the build system is in place for a device or a platform of devices, simple patches can be pushed out with little effort, regardless of a manufacturer's continued interest.
No consumer should be forced to choose between having a device that he can't trust or buying a newer device which has fixed software. That's not a valid reason to buy a new device. But, of course, the manufacturers and vendors would love for folks to buy new TVs every few years, even if the old ones are fine. "Security bugs? It's obsolete, friend. You need to buy a new set." To them it may be like another form of planned obsolescence.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
Let me be a "Devil's Advocate" here. If it's not hurting me, it's not really a security risk, right?
Participating in a botnet is hurting you. It runs up your GB per month, for which some ISPs charge overage fees. It can get your Internet access shut down, or it can even get you prosecuted for participating in the distribution of illegal pornography, as internewt pointed out.
Setting up rogue DNS, DHCP, etc is a lot of hard work for little benefit. Most of the time the attacker would have physical access to the TV. In my case I would just steal the bugger. OH WAIT... I already own it.
The attacker they really mean here, is the user who purchased the Internet-connected HDTV.
Indeed, it is possible for him to trick the TV that is connected to his network infrastructure into doing things the manufacturer had been trying to prevent the user from doing.
This is not very different from jailbreaking your own phone or video game console, except it's much more trivial.
Hal: I can't let you do that Dave.
I don't think anyone has their "Internet TV" directly connected to the internet. They are *ALL* behind the firewall. Thus the only way to launch these attacks is from your own internal network.