Slashdot Mirror


Even the Dumbest Ransomware Is Almost Unremovable On Smart TVs (symantec.com)

An anonymous reader writes: Apparently even the easiest-to-remove ransomware is painfully hard to uninstall from smart TVs, if they're running on the Android TV platform, and many are. This didn't happen in a real-world scenario (yet), and was only a PoC test by Symantec. The researcher managed to remove the ransomware only because he enabled the Android ADB tool beforehand, knowing he would infect the TV with the ransomware. "Without this option enabled, and if I was less experienced user, I'd probably still be locked out of my smart TV, making it a large and expensive paper weight," said the researcher.

30 of 151 comments

  1. "Reset to factory settings" button by ZorinLynx · Score: 5, Insightful

    Why the heck don't these devices have a "Reset to factory settings" button?

    Flash memory is cheap. Have a permanent, unmodifiable copy of the firmware the device ships with. If you power it on while holding the button, copy that firmware over as the active firmware, clear out the user data area, and restart. Boom! TV is back to normal.

    This sort of thing is ludicrously easy to implement and would save the companies money on warranty repairs.

    I have a JBL speaker that I had to ship back to the manufacturer to be replaced because of a bad firmware update. A simple reset button like the one I described would have saved me a ton of pain and saved JBL money on shipping the speaker both ways. WHY isn't this sort of thing universal?

    1. Re:"Reset to factory settings" button by Irate Engineer · Score: 4, Insightful

      I have a JBL speaker that I had to ship back to the manufacturer to be replaced because of a bad firmware update. A simple reset button like the one I described would have saved me a ton of pain and saved JBL money on shipping the speaker both ways. WHY isn't this sort of thing universal?

      Because, for every person like you, there are 10 that would just say "Speaker not work. Must buy new speaker." Repair options do not spur new sales.

      --

      Left MS Windows for Linux Mint and never looked back!

      Vote for Bernie in 2016!

    2. Re:"Reset to factory settings" button by ZorinLynx · Score: 3, Interesting

      This is a $400 speaker. Are you saying people are such sheep that after doing a firmware update that breaks the speaker, they wouldn't bitch to the manufacturer? I find it hard to believe anyone would give up on a $400 speaker that quickly, unless they are rich and $400 is nothing to them.

    3. Re:"Reset to factory settings" button by gstoddart · Score: 3, Insightful

      Because companies are lazy, cheap, overly optimistic, and not really interested in designing robust products which can be maintained over their lifecycle.

      Extra money spent up-front cuts into profitability, adds cost and complexity, and would have to be done by an organization which is cautious and makes long-term plans.

      Do you think the marketing guys screeching to get the product out before Christmas give a crap about any of this stuff?

      Sure, lots of things can be designed robustly. But increasingly, nobody gives a damn. They just figure you'll just buy another TV.

      Consumer electronics aren't exactly being designed to the highest engineering standards known to man. They're being put out the door as cheaply as possible.

      --
      Lost at C:>. Found at C.
    4. Re:"Reset to factory settings" button by gstoddart · Score: 4, Insightful

      I find it hard to believe anyone would give up on a $400 speaker that quickly, unless they are rich and $400 is nothing to them.

      I find it hard to believe a damned speaker needs firmware upgrades.

      Oh, but wait, it's controllable by an app, has Bluetooth and wifi, and connects to the internet, right?

      Yeah ... me, I don't want speakers which do that stuff. Precisely because time and time again companies demonstrate they're terrible at it, and you end up with a product with a MUCH shorter lifecycle -- because it's focused on 10 things besides being a good speaker.

      My guess, if it needs firmware updates, it's really a $100 speaker with a bunch of extra crap slapped onto it.

      These days, digital pretty much means disposable.

      --
      Lost at C:>. Found at C.
    5. Re:"Reset to factory settings" button by JackieBrown · Score: 2

      Oh, but wait, it's controllable by an app, has Bluetooth and wifi, and connects to the internet, right?

      I get that. However, it is nice not to have to string up wires all over the place (or to crawl through the crawlspace above my ceiling to hide wires.)

    6. Re:"Reset to factory settings" button by Noah Haders · Score: 3, Insightful

      I had to upgrade the firmware on my wireless powered speakers, and it was a pain. Next time, I'm getting a pair of passive speakers and an integrated amp.

    7. Re:"Reset to factory settings" button by Noah Haders · Score: 3, Interesting

      Yes, but which capacitor was it? And how do you fix it? Maybe they wanted to get a 4k anyway?

    8. Re:"Reset to factory settings" button by fuzzyfuzzyfungus · Score: 2

      Even if they were too stingy for the extra flash; something like this TV is going to have at least one USB port; possibly an SD slot or the like. Something as trivial as just looking for a suitably structured flash drive as the first boot device; and booting normally if one isn't present, would make DIY recovery trivial for anyone not afraid of 'download this and write it to a flash drive'; and allow even the technophobe to be mailed a flash drive/SD card; told to plug it in, unplug the TV, and plug the TV back in.

      I don't know if they just care that little, if they don't want to make it easier to remove the 'smart' TV spyware that is usually included, or what; but anything small enough to not have easy-to-use external mass storage probably has so little firmware that a backup would be vanishingly cheap; and anything large enough to have some user-friendly option would just need a bootloader that checks for recovery media first in order to be effectively impossible to brick. Doesn't seem that tricky.

    9. Re:"Reset to factory settings" button by mattventura · Score: 2

      Better question is why does a TV have anything more than basic firmware (or just an ASIC) to begin with. This "Smart TV" crap (which seems to be more and more TVs, it's harder to buy a "Dumb TV") would be much better suited for a cable box or other peripheral.

    10. Re:"Reset to factory settings" button by fuzzyfuzzyfungus · Score: 2

      If you are using eMMC flash (not universal; but pretty common; since handling the ugly details of raw flash memory is annoying; and you pay a surprisingly tiny premium over raw flash for the controller); you can define multiple 'general purpose partitions', each with its own write protect status (including permanent write protect).

      I'd be utterly unsurprised if more than a few eMMC devices have defects of various flavors that make device-specific attacks on what are supposed to be one-time-writeable settings possible; but, barring a sufficiently motivated attacker, with enough privileges to send whatever malformed mmc commands are required to confuse the specific eMMC part used in your device, it is fairly trivial to carve out a chunk of your eMMC device, write the restore image there, and then write lock it without needing additional packages, one of the intrinsically write-once flavors of silicon storage, or any other fancy measures.

      If you are really pinching pennies, and don't want to dedicate that much space on the onboard flash; you also have the option of making one or more user-accessible ports higher on the boot hierarchy than the internal flash (whether it be an SD slot, USB mass storage, or booting to fastboot or similar if connected to a USB host device). In that case you can shove all the storage requirements to some external location; while still making it virtually impossible to render the device unbootable.

    11. Re:"Reset to factory settings" button by gstoddart · Score: 3, Insightful

      Define "good speaker".

      And there's the rub ... if you ever describe the sound of your speakers as "moist, peaty, and with chocolate overtones" ... well, I have no idea what you consider to be a "good" speaker. I sure as hell can't hear what you claim to be able to.

      I currently own four of these, and highly recommend them.

      They still use old-fashioned head-phone jacks, can be daisy chained, have hours of battery life and can be charged from USB ... utterly compatible with everything from an original Walkman to an iPhone, because everything still uses that headphone jack. There's no app or custom software, just a little 3.5mm jack. There's also no firmware updates.

      Those little suckers have traveled with me for the last 4 years ... they've been in hotels, in tropical resorts, in my backyard, poolside ... all four of them weigh in at less than a pound and take up very little space. Two of them have traveled with me everywhere I have flown since I got them, the other two are much newer but give me a little more flexibility.

      Being small little speakers, they have the benefit that in a relatively short distance you can't hear them at all. Which means the wife and I can have music that people 30 feet away can't even hear -- which is a bonus when you're in the back yard or lounging by a pool and don't want to disturb other people.

      I have literally hundreds if not thousands of hours on the damned things. I consider them awesome speakers, mostly because of their utility and portability.

      I'm with you, for overall utility and convenience, I define "good" as "good enough". But they completely eschew any form of network or wireless technology, because they don't need it.

      --
      Lost at C:>. Found at C.
    12. Re:"Reset to factory settings" button by crow_t_robot · Score: 2

      Don't forget that it probably has a web browser written in-house by the manufacturing company that absolutely sucks ass and drained a massive amount of development manpower and money away from the speaker as well.

  2. smart tvs are not smart by The-Ixian · Score: 5, Insightful

    Is there any "smart" TV that actually works well?

    I have owned a few and I always end up hooking up the Roku because it just works.

    Seems like this is another reason not to hook up your smart TV to the Internet.

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:smart tvs are not smart by TheCastro1689 · Score: 4, Interesting

      I have a LG 3D Smart TV and the apps on it suck. They're slower than my Apple TV or my XboxOne. I had one roommate that liked to push his Netflix from his phone to the TV, but that was the only time it was used like that.

    2. Re:smart tvs are not smart by wkwilley2 · Score: 2

      This is just more evidence of the pace of tech vs. the pace of security.

      All of these processes are being put in place and the security of them is an afterthought.

      It's literally wide open right now.

      --
      Have you ever fallen asleep at the keybhanusdiog?
    3. Re:smart tvs are not smart by UnknowingFool · Score: 3, Insightful

      Well there's also the other problem that the software works fine for a while. But often they get few updates if any. So the features, UI, etc remain stuck for years. Take Netflix, for example, which has changed their interface and added more features. Most likely a smart TV's Netflix app will never see them. Little changes like changing the search alphabet layout, prominently displaying what you were watching last when it opens, etc. make a big difference.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    4. Re:smart tvs are not smart by edtice1559 · Score: 2

      Another poster commented that they hate their LG SMART TV. I particularly love mine and it just got updated to have Google Play Movies and TV App. (Doesn't help me since I am an Amazon Prime customer but still a feature useful to many). The magic remote is fantastic. It's MiraCast compatible (hopefully Chromecast too soon, but for now it works). I have two Rokus sitting in the garage. Having to use only one remote is really nice. I hate switching back and forth between Roku remote and TV remote for volume. I would buy mine again.

    5. Re:smart tvs are not smart by gstoddart · Score: 2

      First off, if your $1000 smart TV is suddenly rendered useless, that's not exactly a minor inconvenience ... if I stole your TV it would have about the same effect as rendering it inoperable.

      Second, why the hell would you assume malware would give a crap about what it's infecting? Do you really think the writers of ransomware are sitting around thinking "Oh, we better put in checks to make sure we don't fuck up some poor guy's TV"?

      I think the real lesson here is these 'smart' devices have such inherently bad security that they can be rendered useless fairly easily, and that fixing them can be damned near impossible.

      --
      Lost at C:>. Found at C.
    6. Re:smart tvs are not smart by Flavianoep · Score: 2

      That's because the "lay people" some commenter mentioned earlier (#51001373) don't understand that a SmartTV is just a fancy name for an all-in-one computer with a specific purpose.

      --
      Linux is for people who don't mind RTFM.
    7. Re:Smart TVs Are Not Smart by sudon't · Score: 3, Insightful

      Right. Here's what I worry about - the next time I need a new TV, (or any other appliance), am I gonna be able to buy a "normal" one? Really, I fear manufacturers and app developers more than I fear actual malware. As it is, my TV is basically a monitor, and that's how I like it.
      The less shit connected to the internet, the better, as far as I'm concerned, and I don't use wireless for any device except my phone.

      --
      -- sudon't

      Air-ride Equipped

  3. Sideloading by The MAZZTer · Score: 2

    Sounds to me like the researcher sideloaded a package, which of course carries the risk of malware, MitM attack or not. I imagine Google Play Store has protections against MitM attacks, at least I hope it would.

  4. +1 headline by Noah Haders · Score: 2

    Even the Dumbest Ransomware Is Almost Unremovable On Smart TVs

    Sometimes they bungle the headline, but you have to admit that this time they nailed it. Kudos!

  5. Smart TV by Fire_Wraith · Score: 2

    Is there really any reason to buy a "Smart" TV, versus a standalone display?

    Even things like this aside, it seems like the TV equivalent of having an "all in one" model for your desktop, where you're pretty much stuck with replacing the whole thing if you want to do anything more than swap a hard drive or such. It also seems like buying a separate device, whether you're using a Roku or AppleTV or XBoxOne/PS4, and then hooking it to a giant monitor, is by far the better option.

  6. Re:Wait what? by gstoddart · Score: 2

    If I had to guess, I'd say the latter ... with the caveat that, like all consumer products, product management, marketing, and the accountants make all the decisions.

    So you start off with a vanilla Android.

    And then you put in all your proprietary stuff, figure out how to skin and brand it, add in the stuff so you can monetize the user experience, a little telemetry to call home .. next thing you know, you've got yet another horribly insecure piece of consumer electronics which has had a bunch of security holes installed.

    Time and time again, we basically see that these kinds of products end up with these problems because of lazy/bad choices made by product managers and the marketing department.

    Nobody is designing a TV and thinking they need to design a sure, robust architecture. They're trying to figure out how to keep making money off you after you buy it.

    This same stuff happens on pretty much EVERY device which wants to connect to the intertubes these days. Because companies are more concerned about putting in a damned "like" button than they are anything to do with security.

    I've reached the point where I assume any consumer electronics which wants to connect to the internet is inherently insecure and not worth owning.

    --
    Lost at C:>. Found at C.
  7. Re:Give me a dumb tv by NotDrWho · Score: 2

    Yeah, unfortunately, you can hardly find a "dumb" TV anymore with decent features. I had to buy a smart TV the last time I upgraded only because it was the only model I could find with a decent set of inputs and outputs. But I've found that it's a lot less "smart" and intrusive when you don't plug it into the router or give it your wifi password.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  8. don't understand the math by avandesande · Score: 2

    Wouldn't you rather spend the money used for 'smart' features on better screen or electronics?

    --
    love is just extroverted narcissism
    1. Re:don't understand the math by fluffernutter · Score: 2

      The ushering in of the LCD screen has pretty much made every TV the same. I think manufacturers are partly counting on the 'smart' functions to draw people into the more expensive level.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  9. Re:Android == Windows? by webmistressrachel · Score: 3, Informative

    "Windows CE didn't have that sort of penetration" - this is not actually accurate; companies just didn't Internetwork all of their rubbish embedded systems, leaving them unexposed.

    I'm still surprised every time I see a new example of a living installation of CE still in use in 2015.

    Examples still in use today include:

    - POS and cash registers (Fujitsu, others)

    - ATMs (newer ones use a variant of 7 called Embedded, the successor to CE)

    - devices with a display in a supermarket that can read barcodes, and check stock or prices (so called "guns", ASDA, Wal*Mart, Tesco)

    - devices used to take signatures for postal delivery and parcel delivery (Royal Mail, UPS)

    - devices to log utility meter readings in the field (G4S, British Gas)

    - Police Airwave terminals of various descriptions (the Compaq iPaq with peripheral for fingerprint reader paired with a PCMCIA II Airwave modem, gives Greater Manchester Police an ID for a suspect in less than 30 seconds.)

    --
    This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
  10. Again: Big Dumb Co by ThatsNotPudding · Score: 4, Interesting

    After I win All The Lotteries, I will form Big Dumb Company, with the principal division being Big Dumb Appliances, such as clothes and dish washers that are so well built, they can be handed down at least two generations, stupidly fixable with decades-long part availability, and that are designed to accomplish one task: WASH THINGS.

    Same with TVs - or should I say monitors - with the best display possible, replaceable power supplies, interface ports (sans wireless nor Ethernet) out the kazoo, AND DUMB AS A BAG OF HAMMERS. Tuner? game console? Roku? Fantastic: PLUG THEM IN. What will the TVs do? DISPLAY THINGS, PERIOD.

    Now, onto phone / Internet service: BIG DUMB PIPE.