Spoiler Alert: Your TV Will Be Hacked
snydeq writes "With rising popularity of Internet-enabled TVs, the usual array of attacks and exploits will soon be coming to a screen near you. 'Will Internet TVs be hacked as successfully as previous generations of digital devices? Of course they will. Nothing in a computer built into a TV makes it less attackable than a PC. ... Can we make Internet TVs more secure than regular computers? Yes. Will we? Probably not. We never do the right things proactively. Instead, we as a global society appear inclined to accept half-baked security solutions that are more like Band-Aids than real protection.'"
No longer will I need a universal remote to screw with the neighbors' television.
will be H4X0R3D
"But cracking your main target while pirating porn with your buddies and taking over the whole company? Priceless."
I just got an internet enabled TV and now you tell me!
As long as the h4ckZ0rs only switch my channel from NatGeo to CNN I do not really care much, but I bet they will be after things like credentials of people buying stuff on shopping channels.
...an axe then as I don't have IP on my telly...
blindly antisocialist = antisocial
These are often forgotten by engineers. Usually they are formulated as things you do not want your TV to do:
- not damage your furniture
- not start a fire
- not weigh a ton
- not hack your network
You would think these are simple and logical expectations. The problem is, they are hardly good marketing, so they may not receive the necessary priority. But they can be very bad marketing if a story hits...
One day, our TVs shall be hacked, and they shall show nothing but that damned purple Dinosaur.
Or even NetBSD?
Sent from my ASR33 using ASCII
I'm wondering why my tv hasn't been hacked with air waves: one morning, I switched it on and it told me a firmware update had been uploaded over the air during the night.
What can stop hackers from sending rogue fw updates over the air?
Also, is it possible to exploit mpeg2 video decoder bugs to take control of tv?
Any info on previously discovered hacks of this kind?
"...Instead, we as a global society appear inclined to accept half-baked security solutions that are more like Band-Aids than real protection.'"
The same could be said of the medical field where all we find are (long-term profitable) treatments, and hardly ever a (short-term, one-time fee) cure. There's hardly an opportunity where fixing something permanently is more profitable than prolonging a problem and treating it instead.
Is it half-baked or acceptable design? Tough to pimp products these days where security gets in the way of having fun. Screw that security bullshit, gimme my fun....and thus the results we have today.
Isn't that the branding they use for monitors larger than 24 inches?
Bonus points for the first ones to rickroll on every channel at once.
And... go
I prefer my TVs to be dumb displays
They should be limited to take video in, modify resolution/contrast/etc as per settings and display it on the screen, and provide a control interface
IF I want to play media on it, I will use a device for that
Modularity is better
but then again how does one hack an imaginary television
Hack my TV, and remove all those pesky advertisements.
I should charge all those companies a billboard fee for posting advertising inside my apartment without permission.
Because all I'm getting are repeats
I got to the chocolate box before you, that's why the hard ones have teeth marks.
The ultimate TV hack, one that will make you the most infamous hacker in the US. Make it so that during the last quarter of the superbowl, the entire country gets rickrolled and are unable to return to the game. If it's a close game, wait til the very end (last year doing it on Brady's last drive would be perfect).
I still have more fans than freaks. WTF is wrong with you people?
I never thought I'd have to create a new DMZ just for my TV :-)
An internet enabled TV is going to be irresistible to TV companies. Perfectly legally they will get together with the manufacturers to personalise your TV experience. Given half a chance they will monitor your viewing, suggest programs, personalise adverts, maybe even personalise the news. Not so bad you might think: I never have to see Sarah Palin on the TV again. More likely, if they think you are an independent voter in a swing state, it is back to back political adverts for you for the next six months. Don't be surprised if your remote doesn't seem to work half way through a PAC spot. Remember If You're Not Paying for It; You're the Product
Oh, the times ahead! There is so much fun to come! That will give a whole new meaning to the word 'entertainment' !
The three laws of thermodynamics:(1) You can't win. (2) You can't break even. (3) You can't even quit.
Today you don't even need to hack your computer to turn it into a TV.
What is this article about? Science-Past?
Think once,
Think twice,
Think don't watch television. It was never beneficial. It soaks up valuable internet/gaming time. Pay t.v. is never worth the cost.
Just another screen to clean. It encourages relatives/loafers to hang around your place eating your food for longer than normal.
Whatever is on will just piss you off / bore you. It's just re-runs anyway. Just take it to Salvation Army and get a donation receipt for tax purposes.
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
I don't care what any of this hype says, if your TV is gonna get hacked then why are we not seeing all the BluRay players from all these same companies that are running Linux and the interactive services getting hacked?
Every single BluRay player sold runs linux and most have ethernet on them for interactive services on the disc or built into the player. Panasonic has one that has hulu, netflix, and an app store + video skype. These are not getting hacked.
And I WISH they would get hacked, cracked, and smacked. I want to blow out the useless OS and install XBMC.
Do not look at laser with remaining good eye.
I gotta ask, do you have the same beard as the guy in the article?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
I wonder how they intend to hack my TV when it's not plugged into either Ethernet or wireless networks. Because even if I did have an "Internet TV", it wouldn't be plugged in.
If it was, it would be behind my firewall/router. If they were relying on me to visit a malicious website to "infect" my TV, they'd be sadly disappointed - I can't imagine that many people use their TV like that given that every year or so the requirements change. If you can see a modern Internet site (e.g. Flash, Silverlight, etc.), then chances are that your software is pretty up-to-date and no worse than a PC that was similarly updated.
Of those that don't handle interactive content directly, it's either not a risk (it's pretty hard to crash AND compromise an embedded browser with just a badly formed HTML page or similar), or it goes through some sort of remote proxy (e.g. Opera Mini) that will probably be working to stamp out the problem for you.
Above all that, beyond playing tricks and crashing my browser, I'd be interested to know what incentive they would have to do that? I don't plug credit card numbers into my TV. I watch TV on it. If you're silly enough to plug in things like Facebook, Twitter, etc. passwords into your TV, then maybe they could cause a little havoc ("Guess what John watched last night on the Adult Channel?") but that's about it.
Or is this just a ruse to sell "Antivirus for your TV"?
These devices are pretty passive, unless you make them do something. You're pretty safe while your internal network is clean (and if it isn't, your TV is the least of your worries). To infect would require some kind of active participation (same as any well-managed PC) that, maybe, possibly, it wouldn't be able to handle safely. But, chances are, the havoc it could wreak would be nothing compared to that same user on their laptop.
Of course it's something to think about but I don't think such a big fuss should be made. Hell, people still haven't worked out that a smartphone is yet-another-computer that they have to manage properly, with bad consequences if they don't (run up enormous bills, etc.). But even they aren't that much of a problem. I've never had anyone come to me about fixing their smartphone because of things like this, but I get 2-3 a week about their laptops etc. I've certainly never had anyone ask about their TV unless it was a dumb TV or literally how to wire it to their Internet connection / Wii / whatever.
I think infinitely more dangerous than a TV would be:
- smartphones
- gaming consoles with internet access / wireless
- smart meters with internet access / wireless
- Skype phones
- Internet connected printers
- etc.
And a lot of those have been running around people's houses (some targeted at non-techy users) for years. Yes, it's almost certainly possible to "attack" my printer / TV / Skype phone. But it's almost certainly not worth the effort to a) discover what model I use, b) link that to an IP address, c) somehow enter my network and intercept communications to it, d) figure out how to do something clever on that device when actions that are much easier to do and hide mean you can compromise similar people anyway.
Worst case scenario is that your TV web browsing is as "insecure" as your laptop web browsing. But with much less potential impact.
There seem to be plenty of efforts to ensure security when other peoples' money is at stake. Last time I checked, HDMI is the new cable standard and that has absolutely NOTHING to do with signal quality, it's a hardware-enforced "copy prevention" scheme.
I was going to say "other peoples' money (particularly not the customer's)" but then I remembered - in the free TV equation I'm NOT the customer. I'm the product (well, my eyes). In that sense, I concede their need to 'protect' their baited hook...they NEED me to not-skip the ads, to pay for the programming. But the failure is of course to realize that I AM the customer (and thus no need to protect the baited hook) in pretty much every other transaction - watching rented DVDs, cable, etc in which I *pay* for the programming. In those cases the stream should be (but isn't) mine because I am paying for it, but of course that's the baby that's thrown out with the commercial-tv-justification bathwater.
Further, when I hear 'security people' say things like: "...we as a global society appear inclined to accept half-baked security solutions that are more like Band-Aids than real protection" I brace myself for the following solution. These are the sorts of things that come from people who insist on 36-bit random hash codes that are changed every other week and can never repeat even partially (which in the real world are then just written down on sticky notes under the desk pad).
-Styopa
Speak for yourself, bitch!
Instead, we as a global society appear inclined to accept half-baked security solutions that are more like Band-Aids than real protection.
Most consumers are told that the hackers are just that nefarious and evil, they don't know that security can and should be better.
Because I won't put it on the Internet. That's what I have an HTPC for. And I know how to secure that. It's looking likely I will still have an HTPC in 10 years time, and nothing except standalone computers and perhaps a smartphone connected to the Internet.
Short-sighted you say? No, I've merely learned my lessons.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Why is this news? Being reactive has ALWAYS been cheaper than being proactive, in any field, not just technology.
Companies/government/etc. will go proactive to avoid accidents/hacks/RRODs/etc. if you're willing to pay more. Are you?
Improving security costs more and does more than BS laws, but Bad Security (BS) laws only cost a few politicians and will exempt TV makers and Cable/Sat providers from all liability. Corporate-Welfare is best for the Plutocrat Republic, never good for US.
Hack2Secure
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
They're making Windows TVs now?!? ;-)
Having just finished reading this reminder gives me an even worse feeling that science will die to profit seekers. Especially with the ad potential.
To upgrade the firmware enabling a Just Scan mode that the (lazy / incompetent / brain-damaged - take your pick) engineers at Samsung neglected to include in the default set of aspect ratios. It beggared belief that an aspect ratio that just displays the picture without adjustment wasn't included in the first place. Especially considering the damn thing has a VGA port and it was obviously meant to support input from a PC. A massive pain in the arse it was too - it needed a custom serial cable I had to put together myself from iffy specs I found online, with the (actually official) firmware update from another hobbyist site as Samsung didn't host it. Then there was the 30s or so sweating bullets as I thought I'd bricked my telly before the new firmware started running. I don't recommend it.
"Nothing in a computer built into a TV makes it less attackable than a PC"..
I dispute that claim. If the TV is treated as an embedded system with a fixed set of functionality and is not supposed to be user-customizable, then it is much easier to keep it secure.
PC's cannot be secure because they're intended to allow the user to install what he or she wants. I know this is also true for smart phones, but really - if it's a traditional embedded system that serves a dedicated purpose - it should at least be possible to keep relatively secure.
In this day and age, there is significant pressure to bring a product to market before your competitor and to recoup your research costs. This is probably why device security is an afterthought. The internet has made controlling the flow of information very difficult, adding to that pressure to bring the innovative product to the market and establishing that product as the leader - it is all about beating your competitor to the punch. I do think it is a conscious decision to take a reactive approach to it or maybe denying it for a while until the press heats up and forces the company to deal with it. That, in and of itself, is a mistake which all major electronics and software makers have made at one time or another.
Why would you want a display connected to the internet? It makes no sense. Just don't connect it to the internet and you're done.
Hell, do you actually *need* it connected to your private network at all? Will it make movies look better, or have *any* advantage?
It's just crap that people want because of good marketing, not anything that they really need anyway.
They will make sure you only see the news that they want you to see. Even more so than now.
MSM will own you.
1. No unencrypted incoming connections. The only incoming connection possibly allowed is a limited function remote control (turn off, if it has DVR capabilities, allow changes to the recording schedule). Why does a device for viewing content need incoming connections or a web server?
2. No OTA updates. Firmware updates must be cryptographically signed, and the update must be initiated by the device itself, not "pushed". Signed updates can also be installed from a USB flash drive, no network required.
3. Built-in firewall. If it's based on Linux/BSD, set up IP tables, use Shorewall, etc.
4. If it supports Wi-Fi, require WPA/WPA2 connections. Do not allow use of WEP or no encryption.
Obviously, that's not an exhaustive list, but if they follow those, the chances of a successful penetration decrease significantly.
make imaginary.friends COUNT=100 VISIBLE=false
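An added example (not part of the comment above, and not any vendor's code) of the signed-update check from item 2, in Go. It assumes the device pins a single vendor Ed25519 public key and pulls a manifest plus image itself; the manifest layout, model name, seeds and error names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is the signed metadata the TV fetches with an image (assumed layout).
type Manifest struct {
	Model   string
	Version uint32
	Digest  [32]byte // SHA-256 of the firmware image
}

// encode gives signer and verifier the same bytes; the length prefix keeps
// the model string from running into the version field.
func (m Manifest) encode() []byte {
	out := []byte(fmt.Sprintf("%d:%s:%d:", len(m.Model), m.Model, m.Version))
	return append(out, m.Digest[:]...)
}

var (
	ErrBadSignature = errors.New("signature does not verify under pinned vendor key")
	ErrWrongModel   = errors.New("manifest is for a different model")
	ErrRollback     = errors.New("version is not newer than installed firmware")
	ErrDigest       = errors.New("image does not match signed digest")
)

// Device holds the state a TV needs to judge an update it has pulled.
type Device struct {
	Model     string
	Installed uint32
	VendorKey ed25519.PublicKey // pinned at manufacture, never read from the update
}

// Apply accepts an update only if every check passes, then records the version.
func (d *Device) Apply(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.VendorKey, m.encode(), sig) {
		return ErrBadSignature
	}
	if m.Model != d.Model {
		return ErrWrongModel
	}
	if m.Version <= d.Installed { // stops replay of old, validly signed images
		return ErrRollback
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	d.Installed = m.Version
	return nil
}

// release is the vendor side, used here only to build constructed samples.
func release(priv ed25519.PrivateKey, model string, v uint32, img []byte) (Manifest, []byte) {
	m := Manifest{Model: model, Version: v, Digest: sha256.Sum256(img)}
	return m, ed25519.Sign(priv, m.encode())
}

// demo runs constructed updates against one device and returns each outcome.
func demo() []error {
	vs := sha256.Sum256([]byte("constructed vendor seed"))
	us := sha256.Sum256([]byte("constructed unknown-signer seed"))
	vendor, unknown := ed25519.NewKeyFromSeed(vs[:]), ed25519.NewKeyFromSeed(us[:])
	tv := &Device{Model: "TV-EXAMPLE", Installed: 4, VendorKey: vendor.Public().(ed25519.PublicKey)}
	v5, v3 := []byte("constructed image v5"), []byte("constructed image v3")
	m5, s5 := release(vendor, tv.Model, 5, v5)
	m3, s3 := release(vendor, tv.Model, 3, v3)
	mU, sU := release(unknown, tv.Model, 9, v5)
	return []error{
		tv.Apply(mU, sU, v5),                // signed, but not by the pinned key
		tv.Apply(m3, s3, v3),                // validly signed but older
		tv.Apply(m5, s5, []byte("altered")), // image changed after signing
		tv.Apply(m5, s5, v5),                // accepted, Installed becomes 5
		tv.Apply(m5, s5, v5),                // replay of the same update
	}
}

func main() { fmt.Println(demo()) }
```

The signature is checked before any other manifest field is trusted, and the installed version only advances after the image digest matches.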
This article is not about internet hacking - that's what your firewall is for...
Think about it. It's about provider hacking. Basically, they have a back-door (through the "analogue") cable to your network (assuming you're dumb enough to put your local network into the back of one of these TVs) which bypasses any firewall you may have...
a series of questions and answers to themselves? Yes, yes I do.
"With rising popularity of Internet-enabled TVs, "
Wait, what was that now? Rising popularity? Maybe I'm living under a rock, but I haven't seen anybody looking for or wanting an internet TV.
All they'd have to do is make a static memory system where every time you reboot, it's reset to default with nothing saved. Then store the config file in a dynamic location and limit what goes there and there goes 99% of their problems. If they simply model it after the software Deep Freeze or just a live linux CD type environment where everything goes bye bye when the power is lost, that would work just fine. Of course rogue firmware flashes would be a problem but those aren't terribly hard to secure pretty well either.
just from the summary I could tell this was an infoworld fluffer piece that tries to masquerade opinion as fact with a short article spread across ad toxic pages just to throw more ads
There are also banks that are making FB apps for account access.
Dear god.
I have seen the futar and we are all Anonymous. Mainly because we've all had our identities stolen.
Lindsey(sic) Lohan
I see what you did there.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
My TV's IP address is 192.168.0.3. Come at me bro.
Seems like all I really want is a 50-60 inch monitor I can plug stuff into. Don't need 3D. Don't need gesture recognition. Don't need wireless internet on my monitor. Just a bunch of inputs and a way to select them. Everything else can be done off-display by a more upgradable device.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I gave up watching commercial tv 2 decades ago as there wasn't anything worthwhile/intelligent on. Got tired of Gilligan's Island, the damn 2 Hr Slow Speed chase of O.J. Simpson down the freeway and other shit like that. Of course it helped that I had access to the local library and was able to read damn near everything in the system that I was interested in.
Mod me up/Mod me down: I wont frown as I've no crown
There is nothing wrong with your television set. Do not attempt to adjust the picture. We are controlling transmission. If we wish to make it louder, we will bring up the volume. If we wish to make it softer, we will tune it to a whisper. We will control the horizontal. We will control the vertical. We can roll the image, make it flutter. We can change the focus to a soft blur or sharpen it to crystal clarity. For the next hour, sit quietly and we will control all that you see and hear. We repeat: there is nothing wrong with your television set. You are about to participate in a great adventure. You are about to experience the awe and mystery which reaches from the inner mind to — The Outer Limits.
Why does a device for viewing content need incoming connections or a web server?
Because it's acting as a NAS to which the authorized user can upload video to a connected USB hard drive.
Firmware updates must be cryptographically signed
With what certificate? All Android apps are cryptographically signed, but almost all devices allow use of applications signed with a self-signed certificate because much of Android security relies on key continuity management. And what's the key difference between a "firmware update" and an "app" anyway?
If it supports Wi-Fi, Require WPA/WPA2 connections. Do not allow use of WEP
In other words, do not allow use of a Nintendo DS on the same AP. It's a very popular device that supports only WEP. Even the DSi and 3DS, which support WPA, drop back to WEP when playing DS games.
or no encryption
Which would hurt the use of portable smart TVs such as Amazon's Kindle Fire, ASUS's Transformer, Apple's iPad, or any other tablet that can connect to complimentary open Wi-Fi in hotels and restaurants.
I recently finished a basement that has a LED TV, wall-mountable Blu-ray player, and wall-mounted sound bar on the wall. The electrical outlets are directly behind the TV above the wall mount. The Blu Ray player has Wifi as does the TV, which means all 3 are grouped together with no visible wires, and no cables to run. I admit I wired the basement with HDMI, RJ-11, Composite, and Component jacks behind the TV, but I prefer how it is now. No cables, no other devices to keep updated/running/etc.. The TV and BluRay provide online content, and the BluRay can stream from my NAS via DLNA over the wifi. Not everyone wants a dumb display wired to a whole series of devices that require an entertainment center or similar cabinet to put them in.
So on what device do you run applications that are made exclusively for smartphones? For example, before Angry Birds was ported to Chrome, it didn't run on anything popular other than iOS and Android. Chase Bank's check deposit application still doesn't run on a PC with a flatbed scanner, instead requiring a smartphone with a camera. Would people really rather switch banks (Ally Bank's deposit application works with PC scanners) than get a smartphone?
You can't do gaming on a TV? Which universe is this again?
The universe where PC game developers don't take into account a home theater PC. The universe where publishers prefer selling two to four copies of a game over one copy that can be played by two to four players holding gamepads. The universe where very few people even own a home theater PC, at least according to FunkSoulBrother, CronoCloud, Endo13, and hawguy. The universe where PCs are for desks, not living rooms.
Nothing in a computer built into a TV makes it less attackable than a PC
Completely untrue. Its lack of generality makes it less attackable. There are fewer attack surfaces because it has a more narrowly focused purpose.
It will be far easier to properly secure a TV than a PC or even a mobile phone.
While Sony was obviously hacked into some time ago, I've made it about 5 years without my PS3 being hacked (as far as I know). I will admit that there is a risk that Internet TVs may be hacked but I actually have a little bit of faith that such devices could be made right. Of course, that may just be me being naive.
On the other hand, if you just drop windows on the TV and make it into a glorified laptop then we have a problem. Of course, there is always the option of using software that resets the default settings after each use, e.g., ghost & deepfreeze.
Our society indeed has a problem with accepting half-assed work. In my experience, employees and managers alike just want to be able to say something is done regardless of whether or not it really is. Few seem to show concern for doing a good job, and those who do are ridiculed for it.
I get rick-rolled by my TV
Two very different classes of devices with completely different markets and expectations.
A smart TV is a monitor with a built-in computer that lets someone get on Facebook and watch Netflix. An iMac is a computer with a built-in monitor that lets someone get on Facebook and watch Netflix. If there are "completely different markets and expectations", as you put it, between "a monitor with a built-in computer" and "a computer with a built-in monitor", where do these "completely different markets and expectations" ultimately come from?
[A smart TV needs to go on a WLAN with WPA or tighter security, even if you have WPA-incompatible hardware in your home. If none of your routers support a guest network on which to put this legacy hardware,] Then you're using the wrong routers.
Then why do so many people end up buying wrong routers? Apparently not enough people see the advantage of having a separate guest network before they walk into Staples or Best Buy.
Well, eventually everything will be hosted and the TV, probably like the phone and the computer, will just be a device to stream moving pictures across the internet, with the apps and browsing happening at a data centre. Eventually.
Sure, you CAN type on [an iPad], but it's used almost entirely for consumption.
Apart from "consumption" being misleading and the name of a disease, you make a good point about the difference between a device designed to support the creation of works and one designed mostly for read-only use. But with the iPad going PC-free starting with iOS 5, won't a lot of people end up choosing not to have any sort of creative device in their home? The worst case that some people are envisioning is that people will end up with an iPad, an iPhone, a smart TV (or a dumb TV plus a Blu-ray player, game console, or other streaming video player), and no creative device. In such a case, people would be less likely to create because they would be less likely to pay the up-front cost of a creative device.
Gee willikers you mean that consumer device that I plug into a wild and open global network with zero configuration can be hacked? It's a good thing my car only uses gee three then, cause I would hate to see what happens if it ever got close to the internet.
Just to clarify that if you put another OS on your TV to transform it into your own NAS server, that's a hack.
If someone from outside intrudes himself on your network by using your TV, that's an attack.
Uhhh...because Android phones are cheap?
Android phones cheap enough for the prepaid MVNOs didn't exist either for the first two years that the iPod touch was out, at least until Virgin Mobile introduced the Samsung Intercept in the fourth quarter of 2010. I will grant you that this two-year gap is shorter than the three-year gap that I originally mentioned, but what explains this two-year gap of Google just handing the market to Apple by requiring cellular phone functionality in the Android CDD?
And at $45 a month for unlimited everything most folks I know are using it as their PMP, GPS, netbook, etc.
Until you discover that it's still cheaper to have one land line and two $7 per month pay-per-minute dumbphones (source: Virgin Mobile's description of its payLo plan, at $20 per 90 days) for urgent calls on the road than two unlimited-everything smartphones.
And again you didn't point out why I would want to pay $220 for the Galaxy player when I could just buy the Precedent for $130 and then just use it instead as a PMP?
For one thing, it has less than half a gigabyte of internal memory. The features page mentions microSD but says nothing about support for microSDHC (that is, microSD cards larger than 2 GB, which use a different wire protocol). For another, I didn't see anything on the features page about HDMI support either, which is important for people who want to dock a PMP to a 32" monitor. And finally, I seem to remember reading about one model of Android phone that wouldn't allow access to the home screen without an active cellular subscription (be it a SIM card or whatever they use on CDMA2000). It would go straight to the dialer in emergency call mode and not let the user start any other app. Is this not the case for the Precedent?
I even know a few that even gave up their internet connection for the $45 unlimited as they found what they used the net for worked just fine on the Precedent
Does this $45 include tethering? Does it include enough GB per month to use, say, Netflix? Does it work for more than one person in a household, or do "a few" live alone?