Slashdot Mirror
Major Security Flaws Discovered In Internet HDTVs
wiredmikey writes "Security researchers have discovered several security flaws in one of the best-selling brands of Internet-connected HDTVs, and believe it's likely that similar security flaws exist in other Internet TVs. The security researchers were able to demonstrate how an attacker could intercept transmissions from the television to the network using common 'rogue DNS,' 'rogue DHCP server,' or TCP session hijacking techniques. Mocana was able to demonstrate that JavaScript could then be injected into the normal datastream, allowing attackers to obtain total control over the device's Internet functionality."
Now I got an excuse... No Honey, I wasn't watching porn, the TV just switched and it won't let me change the channel!
"We control the horizontal."
"We control the vertical...."
I hate how all these "smart" ones can be tricked into doing nefarious deeds.
To the first hacker that figures out how to Rick Roll an entire family watching a gripping TV series finale: One Internet Dollar!
There's a spot in User Info for World of Warcraft account names? Really?
I live in Japan. We just bought a new Sony Bravia TV, and unlike the ones in the states, it contains, a hard drive, and the ability to serve as a DVR. Someone hacks into it, and can now use it to store what ever they want, even use it as part of the botnet. Think it's not a security risk now? There is a reason my Television is not connected to the internet, even though it could be connected to it.
Of course, the language per se is innocent. But embedding programmability in everything (Web pages, PDF what not) is becoming the biggest security nightmare all around. And the Web Masters want to entice us to be part of the fray. Quoth slashdot:
There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.
Thanks, but no, thanks. I might not want anything (Classic needs cookies, bad Fido, no cookies for you today). Quoth again Slashdot:
Why does "This Function Require JavaScript?"
Welcome to the now, man!
[...]
Well, thanks again, but no, thanks. I'm getting pretty well along without my browser executing random stuff from out there (in most cases in ain't even malicious, but wickedly bad programming, just DOSing my computer).
Meh.
Don't most of the newer TVs run Linux? My father's LG does. So it's entirely possible that the first real viruses for Linux will run on TVs rather than normal computers.
-- Cheers!
The one that I just got supports external HDD's, USB Cameras, wired, wireless, HTTP (via vieracast). Granted, the TV's OS is very limited, but it supports enough that it could be very damaging if compromised.
For instance, my TV currently has stored in it passwords for my Skype/Netflix/Pandora accounts as well as my WPA2 creds.
The very limited VieraCast interface simply uses HTTP to generate it's menus and people have already started to use squid/DNS redirecting to do things like stream from Myth etc etc.
This guy so far seems to have made the most progress.
http://customvieracast.blogspot.com/
"Would a TV have your personal information on it? Probably not."
How about the kiddie/personal porn on the USB HD attached directly to the TV?
Q: What happens when you combine a TV with a computer?
A: You get a computer.
I'm a good cook. I'm a fantastic eater. - Steven Brust
Well that's just great! You're telling me it's not safe to lug my HDTV into Starbucks anymore?
http://xkcd.com/351/
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
1) Set up ssh and dynamic dns on compromised TV, or perhaps a cron job to do a reverse SSH tunnel every so often (to bypass firewall). Now you know where this connection is, at all times, and have full control, at any time.
2) Set up BIND DNS, set to forward to whatever malicious DNS server you want.
3) Either set up a phony DHCP server, and/or do some arp poisoning so that all traffic to the internet is routed thru the TV.
4) Control the entire household's internet connection -- rewriting HTTP pages, sending whatever DNS responses you want (Google? SURE, its this IP here in china!), capturing passwords (redirecting HTTPS to HTTP so that cert errors dont occur, or inserting non HTTPS javascript to capture the password), etc.
ANY smart device on a home network has the potential to wreak massive havok on that network.
Surely that should read, "without the user's permission".
I would be more concerned with entertainment companies "hacking in to it" to remove programs you might be storing. The Kindle experience has shown us that devices that can be remotely accessed by the vendor can not be trusted.
I'll stick with dumb devices that simply do what I tell them.
I don't care why you're posting AC
I don't really see a TV as being useful in pumping out spam...
Approximately 16 minutes of every hour is devoted to spam... formerly known as "bathroom breaks"
For justice, we must go to Don Corleone
> This is one of the reasons I say we need NAT on IPV6.
No. You need a firewall.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Having my TV join a botnet still doesn't sound like that much of a crisis.
Right up until it is used as a proxy to download child porn, and all of a sudden you are having to explain why your IP has accessed CP to law enforcement, family, friends, the media.....
Yeah, I know CP is one of those bogey men used to persuade people to see danger from unlikely events, but an accusation of CP can be enough to ruin lives. If you can avoid it, it's probably for the best.
Also, if your TV is in a botnet then it might be inside your firewall, if you use a straight forward NAT router. The TV could be used to attack other computers on your LAN which may contain more important data.
Car analogies break down.