Slashdot Mirror


Samsung Smart TV: Basically a Linux Box Running Vulnerable Web Apps

chicksdaddy writes "Two researchers at the Black Hat Briefings security conference Thursday said Smart TVs from electronics giant Samsung are rife with vulnerabilities in the underlying operating system and Java-based applications. Those vulnerabilities could be used to steal sensitive information on the device owner, or even spy on the television's surroundings using an integrated webcam. Speaking in Las Vegas, Aaron Grattafiori and Josh Yavor, both security engineers at the firm iSEC Partners, described Smart TVs as Linux boxes outfitted with a WebKit-based browser. They demonstrated how vulnerabilities in SmartHub, the Java-based application that is responsible for many of the Smart TV's interactive features, could be exploited by a local or remote attacker to surreptitiously activate and control an embedded webcam on the SmartTV, launch drive-by download attacks and steal local user credentials and those of connected devices, browser history, cache and cookies as well as credentials for the local wireless network. Samsung has issued patches for many of the affected devices and promises more changes in its next version of the Smart TV. This isn't the first time Smart TVs have been shown to be vulnerable. In December, researchers at the firm ReVuln also disclosed a vulnerability in the Smart TV's firmware that could be used to launch remote attacks."

23 of 166 comments

  1. Smart is as smart does by djupedal · · Score: 4, Insightful

    Samsung isn't stupid....either worry about seminar hack-trolls or patent trolls. In the end, what counts is staying in the public's mind. Mission accomplished, I'd say. Wash, rinse, repeat.

    1. Re:Smart is as smart does by Hsien-Ko · · Score: 2

      Yeah, not much different than a Windows 98-powered Media Center running WebTV.

    2. Re:Smart is as smart does by jedidiah · · Score: 2, Insightful

      Much like modern Windows, the problem isn't so much the kernel but the really retarded user land stuff. It doesn't matter if you are running VMS or Unix if you insist on engaging in Microsoft-style stupidity with your apps.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    3. Re:Smart is as smart does by icebike · · Score: 4, Insightful

      Retarded is buying a camera in your TV and only THEN worrying about privacy.

      --
      Sig Battery depleted. Reverting to safe mode.
    4. Re:Smart is as smart does by AmiMoJo · · Score: 3, Interesting

      I worry that it will become hard to buy one without a camera in a few years. Look at laptops, most have a built in webcam now. Years ago when I worked in a computer shop I saw a lot with tape over the camera, and sometimes offered to disconnect the camera and microphone internally while doing other work. Most are just USB cameras and two wire button mics that can be unplugged.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Smart is as smart does by mcgrew · · Score: 2

      I'd say that anyone buying a TV with a microphone is the stupid one. Let's hope people are smart enough to kill this stupid NSA wet dream.

  2. 1984 has finally arrived ... by cascadingstylesheet · · Score: 5, Insightful

    ... the telescreen watches you.

  3. Yep. by Anonymous Coward · · Score: 5, Informative

    I have two Sam'sDung SmartTVs. Yes, all these TVs are glorified Linux boxes running a badly collected series of apps. There is little to no integration. Some won't accept keyboard input while others do. You either watch TV or run an App. Most apps are poor. The browser won't run most web pages and crashes. Yes, crashes. In this day and age it is hard to believe in your browser crashing nearly every time you try to use it.

    As for security, I no longer use any of the apps as none are worth anything. Netflix is okay but not great but since I've gone back to DVDs from streaming I am blocking the ports (6000 mainly and I forget if another is in use) to stop the TV from phoning home every time it is turned on.

    I blocked the ports because my firewall was showing connections to my LAN from very strange locations: Brazil, Japan, Russia. The problem is that Samsung's 'partners' are unknown to me and I'm sure it is these apps that are doing the calling out. Who knows who wrote them, what is in them, and what they can really do.

    The TV isn't bad when hooked up to my modified version of the PS3 media server project.

    1. Re: Yep. by OverlordQ · · Score: 4, Insightful

      Real nerds wouldn't buy a smart TV since all those apps are outdated as soon as you buy it, rarely get updated, and have limited functionality. Real nerds would build an HTPC.

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re: Yep. by EmperorArthur · · Score: 2

      The TV isn't bad when hooked up to my modified version of the PS3 media server project.

      That's why. I'd love to hack one of these just for the hell of it. It might not have much internal storage, but other than that it would probably make a neat HTPC.

      Remember kids, there is no difference between a jailbreak and a security vulnerability.

      --
      So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
    3. Re: Yep. by fuzzyfuzzyfungus · · Score: 3, Informative

      Why does connecting the PS3 to the network require the TV to be connected to the network too? Can't the PS3's TV output be connected to the TV's signal input?

      "The PS3 media server project" is a UPnP/DLNA media server originally designed to stream media to PS3s (hence the name). In this case, somebody apparently has the TV directly connecting to the media server software running on their computer, skipping the need for some sort of streamer box.

    4. Re:Yep. by vux984 · · Score: 2

      Can these Samsung Smart TVs be made to ignore all the convergence stuff and just be a monitor?

      Yep, mine doesn't have a network cable or wifi connections. In fact all it has is one HDMI cable running up from my receiver. That's it.

      The Wii/WiiU/HTPC/BRAYDVD/DVR etc are plugged into the receiver. The receiver isn't internet connected either.

      When I want to do something online, the HTPC has internet access, and the Wii's can go online if necessary, but it's not usually necessary.

      As you can imagine the salesmen's pitch of the TV's long list of capabilities was shut down pretty quick. All I cared about was brightness, black levels, and other characteristics of the LCD panel, along with physical dimensions and aesthetics (diagonal size, bevel thickness, screen thickness, etc.).

      I wish I could just get a great big monitor without having it crammed full of smart garbage, 3d garbage, and "surround sound"... but that doesn't exist.

    5. Re: Yep. by gman003 · · Score: 2

      Many "real nerds" would build an HTPC rather than run a cable from one of their current PCs, since that gives them an excuse to buy new hardware to play with.

    6. Re:Yep. by symbolset · · Score: 2

      I love my two Samsung LED SmartTV HDTVs. I have a 50" and a 55". The picture is glorious. I love how slim they are. The smart TV feature though? That's an implement of torture. Certainly they never intended it be used - it's just one more logo that has to be on the box. It's a big monitor. The audio is okish, for audio that's integrated into a TV, but that's not saying much. I don't use the speakers either. Frankly I almost never use the tuner either.

      I don't think anybody in their right mind lets their TV connect to the network. There's just no value-add to be had there. If you want Smart TV get an Android HDMI stick, or the new Chromecast, or Roku, or one of the many other third party solutions.

      On the upside, I was in a store yesterday and apparently you can get a 1080p display for under $400 now in about 47". Prices have come down a lot.

      I know people are worrying about turning on the TV's webcam, to which I would ask who in their right mind would buy a TV with a webcam in it in the first place? Do you people not read Orwell? That's almost as bad as buying a games console with a webcam you can't turn off.

      --
      Help stamp out iliturcy.
  4. You all missed the point by aaronb1138 · · Score: 5, Insightful

    Thanks to bad headline choices you all missed the point. Samsung provided a ripe platform for hacking and development by making root easy (just like with their smart phones).

    Shut up and get to work porting XBMC to it already.

    1. Re:You all missed the point by phantomfive · · Score: 2, Funny

      Shut up and get to work porting XBMC to it already.

      Well that motivated me to do it for you.

      --
      "First they came for the slanderers and i said nothing."
  5. Re:To bad cable card failed and there has been lit by spire3661 · · Score: 3, Interesting

    My Win7, 6 tuner CableCARD setup says LOL

    --
    Good-bye
  6. Incredibly stupid is as stupid does by dbIII · · Score: 5, Insightful

    Samsung isn't stupid

    Since they have a range of voip phones that crash if you do a simple portscan and they still sell phone switchboard systems that by default can be accessed by telnet with no password I disagree.

    There are enough people in that place that do not care about computer security that it comes as no surprise that another wide open box has come out of there. Don't get me wrong, they do have some good stuff, but there's a lack of oversight and if the guys at the bottom of the tree don't care about something there's nobody giving them orders to care.

    1. Re:Incredibly stupid is as stupid does by Anonymous Coward · · Score: 2, Insightful

      Freemarket is perfect! /sarc

      We need some regulations about not following basic industry standards. Telnet access with no password? That's a fine and people can sue you if they get exploited from the issue.

    2. Re:Incredibly stupid is as stupid does by i.r.id10t · · Score: 3, Interesting

      they still sell phone switchboard systems that by default can be accessed by telnet with no password I disagree.

      Not sure how I feel about this. Is no password better than "admin" or "password" or "1234" for the default password? Let's face it, each device that ships is going to have a default way of accessing it for configuration.... The problem really lies with the people that *leave* it at that configuration.

      --
      Don't blame me, I voted for Kodos
    3. Re:Incredibly stupid is as stupid does by serviscope_minor · · Score: 2

      Let's face it, each device that ships is going to have a default way of accessing it for configuration.... The problem really lies with the people that *leave* it at that configuration.

      No and no in that order.

      In the UK all wireless routers built into ADSL modems shipped by the major ISPs come with a unique random default wifi password. The password is printed on a card or sticker on the modem. A hard reset resets it back to this unique random default. Most people never change it from the default and the default is more than secure enough so that's entirely fine.

      The problem is with lazy manufacturers having insecure defaults.

      --
      SJW n. One who posts facts.
  7. Samsung is still the king by petermp · · Score: 2

    I own both LG (2013) and Samsung (2012) TVs. I bought it on purpose w/o camera ;-) However Samsung is still the king, apps are much more polished, DLNA works MUCH better. However you realize that after you buy something different from Samsung. If you use DLNA a lot, Samsung is the only way to go.

  8. Re:"Smart" is nice by JustOK · · Score: 2

    Nice.

    --
    rewriting history since 2109