Slashdot Mirror
Millions of Smart TVs, Phones and Routers At Risk From Old Vulnerability (trendmicro.com)
itwbennett writes: Adding fuel to the growing concern over how manufacturers of devices such as routers and smart TVs deal with security vulnerabilities that emerge in their products, Trend Micro found that a 3-year-old vulnerability in a software component used in millions of smart TVs, routers and phones still hasn't been patched by many vendors. Although a patch was issued for the component in December 2012, Trend Micro found 547 apps that use an older unpatched version of it, wrote Veo Zhang, a mobile threats analyst on the Trend Micro blog. 'These are very popular apps that put millions of users in danger; aside from mobile devices, routers, and smart TVs are all at risk as well,' he wrote.
It must be in one of those open source components, since Slashdot is not listing the actual component name.
Too busy trying to get a first post to bother reading the first line in the first link?
The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Summary doesn't mention this, but the vulnerability is in libupnp that is used by most of these mobile apps.
This is a problem with electronic devices having software. I think my TV and Bluray player probably have this vulnerability because the software hasn't been updated in ages. I don't know if my router does, but I disabled UPnP long ago on the router. At least routers are upgraded more often but your mileage may vary.
Well, there's spam egg sausage and spam, that's not got much spam in it.
So, if I'm actually firewalling-off my LAN from the Internet then I'm probably going to be fine?
ie, I'm using the standard features of my consumer-grade broadband router to deny incoming connections from routing into my LAN?
I've just assumed that all of the OSes on my network are vulnerable to something and I've taken steps to mitigate that. To do anything else would be asking for trouble. That same sort of consideration would apply to the "Internet of Things" and to appliances that are more special-purpose in nature too.
Do not look into laser with remaining eye.
Yawn, wake us up when something new happens.
That millions and millions of consumer devices have been rushed to market are riddled with security holes should be common knowledge by now.
They have no standards, no penalty, and just want to get products out the door. And then they probably spend zero time maintaining the OS on those products or fixing security holes.
The same as we've heard at least twice a week for a while.
Honestly, if companies aren't going to change, and consumers are still going to keep buying insecure crap because it's got Netflix in it ... well, this will keep happening.
Me, I'll keep refusing to buy this stuff knowing full well it's likely to have huge security and privacy issues.
But let's stop acting surprised. People having been warning of this stuff since these things became available. The security defects were almost inevitable.
Lost at C:>. Found at C.
Apps!
Has slashdot come to this? Link bait about some "vulnerability"?
Well ... let's see ... first you could have a vulnerable cable modem your ISP gave you ... and a lot of people might not have a firewall behind that and connect directly to it. Hell, you could even have a modem from your ISP which does the wifi you use in your house.
The level of network security in most households probably means that the number of people who could easily have devices exploitable by this is likely not small.
The problem is that consumer adoption of the "internet of stuff" is growing FAR faster than the quality of security they have. Many people simply won't even know they're at risk, because they just took it out of the box and did the easiest bit of configuration.
Lost at C:>. Found at C.
This one also goes for other connected things: automobiles, routers, mobile phones...
Good lord this is such a non issue even Windows XP's Firewall blocks this vulnerability from occurring naturally. You have to implicitly allow port 1900 to go OUT your firewall which is nonsense into and of itself. Furthermore, if you ALLOW your WAN port to be open on port 1900 you may be screwed.
Since most (I'm assuming) firewalls sold in this day and age Deny everything and only Allow when queried an attacker would have to be on your local LAN in order to sniff out an affected device and then hopefully hack through the compromised device to get into your system.
I'm more concerned with the vulnerable Android apps having the flaws than my TV being 'hacked'.
Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/
What's the risk to me? I turn off UPnP as a matter of course on all routers. Devices opening inbound ports at will was an asinine idea from the start. I know that it remains enabled on my home automation system, PlayStation and perhaps my TV.
The PlayStation should have been updated by now. The Home Automation controller probably has not been updated because they never cared about stuff like that. If the TV has UPnP, I'm sure it's vulnerable too. But what's the risk?
How would my TV or home automation system get owned, behind the firewall, and what if it does get owned? I can't see the TV as a problem even if it were used for a reflection attack or jumping off point to the rest of the network, it would be so weak and slow as to be useless. The home automation controller could be used to turn lights on and off and even unlock a door, but the attacker would need to know my address and be local for it to be a risk. What am I missing?
What if Microsoft put Windows 10 on everything? Wouldn't that solve the problem of unpatched systems?
So, if I'm actually firewalling-off my LAN from the Internet then I'm probably going to be fine? ie, I'm using the standard features of my consumer-grade broadband router to deny incoming connections from routing into my LAN? I've just assumed that all of the OSes on my network are vulnerable to something and I've taken steps to mitigate that. To do anything else would be asking for trouble. That same sort of consideration would apply to the "Internet of Things" and to appliances that are more special-purpose in nature too.
Add to that there's a risk taking updates on consumer devices because they frequently alter, reduce or break functionality. Think "Other O/S" or Cinavia on the PS3. Right now, my LG TV works great with my PS3 media player and wants an update. I've blocked it. Release notes don't tell all and Google's not very good at negative verification. SInce there's really no back out plan for most of these devices, I only update if I know it's needed for something I want.
I like having Netflix and Amazon Prime as apps in my TV. If I can make it secure, why should I waste money on a streaming device when the feature is built in to my TV?
My Internet provider is Comcast, and I use my own cable modem and router. The router has a 63-character WiFi password, a 32-character LastPass-generated admin password, and remote management is disabled.
Is my setup secure, even if my TV has the vulnerability mentioned in TFA?
I hereby facetiously give permission to all of the black hats out there to push malware to these televisions. The more damage you can do, the better.
I've been trying to shop around for a 4K 'television' that is really just a monitor, and the only available options at any reasonable price are "Smart" TVs. The fact that manufacturers are coupling the content playback engine with the display is just stupid. This article is the main reason why: It is very hard to create a Smart TV that is always up to date and has the latest capabilities for content. So manufacturers are left trying to create a revenue stream post sale by spying or selling content, or just not updating the OS with latest security and features.
Instead of Smart TVs, I wish they would make 4k displays with DisplayPort inputs that can drive 4K at higher than 30FPS. A TV is a product that should last 15-20 years. The devices that I hook up to the TV (PC, Tivo, cable box, xBox, whatever) are all components that have shorter life expectancies at this time because a ton of changes are happening in that area of the market. TVs just need to be dumb and simply display the content.
I agree with your sentiment, but an old saying comes to mind. Something about not having to outrun a bear if you can outrun your buddy. You don't have to have perfect security. Just better security than the guy one IP address over.
You do realize that you can have your 4K TV(display monitor) connected via an HDMI cable and nothing else, right? If you don't plug in the ethernet cable, or manually connect your TV to the WiFi network, you have a dumb display, just as you desire. The evil kax0rs can't touch your TV if it isn't IP connected.
"Trend Micro found that a 3-year-old vulnerability in a software component used in millions of smart TVs"
What vulnerability tests did the makers of the Smart TVs do with the libupnp library, before releasing to market.
If there is a problem with the smart features (vulnerabilities, spying on the part of manufacturer, etc.) of my Roku or other set top box, I replace it. $50 to $100. If I want to upgrade, more processing power, memory, etc., I replace it.
But the smart features on the TV are fixed. To fix a problem or upgrade, you replace the TV. If it's a software issue, sure, that can be upgraded, but not hardware.
Some people upgrade their TVs every few years, in which case this might not matter, but I expect a TV to last me 10 or 15 years.
Ignorance killed the cat. Curiosity was framed.
If in 5 or 10 years the TV is still working fine but none of the services hard wired to them are around, then what do you do?
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
If you buy a "spyware" TV, but disable any problematic feature, you are sending the message to the manufacturer that they can get away with more of this crap in the future. Only by hitting them where they notice - their profit - will they change their behavior.
The same goes for any other product. Technically capable people that disable malicious features but still buy the product are a big part of the problem. People look to the techies when they consider new technologies. When they see "spyware" TVs being used, they get the idea that it's safe to buy one for themselves, except they are not going to be able to disable the malicious features.
As long as you value TV more than your security, privacy, and future freedom, businesses will continue to make their product more malicious. Fighting back against power often requires sacrifice; I strongly suggest fighting this now while it only require sacrificing a new TV for a while. If you wait, this fight will only become harder.
Ce n'est pas une signature automatique.
A script doesn't care if the if the IP next to yours responds or not. It will gladly infect your network and 400 other devices at the exact same time. You must remember these attacks are automated processes, and not hands on hacking, so safety in numbers is no protection.
Your crazy passwords are irrelevant. Do you have UPnP running on your router? Is it listening on WAN interface?
Another friggin' AC troll.
@crackspackle is right, device updates often break shit. I recently had a firmware update for an HP printer break the damn thing so that it would no longer use refilled ink cartridges. My $180 OfficeJet was made almost useless because of a damn firmware update. I even reported HP to the BBB. HP responded by sending me 2 free ink cartridges, and the BBB responded by closing the case. I responded by donating the printer to the Salvation Army, and I've never bought another HP product since then.
Why would people update their TV firmware to agree to further invasion of privacy. I mean when the soap has a bottle of lube attached, I'm not bending to pick it up.
Only by hitting them where they notice - their profit - will they change their behavior
Not buying a particular device is not always a practical choice. Often, the choice is between having to compromise to get the product or service or not get anything, because "all" vendors have incorporated the same unwanted feature(s). This notion that consumers have ultimate control in the market is a falacy. First, the consumer can only choose from what companies choose to bring to market, and this rarely is what he or she deems to be most ideal. Second, many to most purchases made by the middle and lower classes happen in response to actual need, practically speaking, and aren't really optional. Those of us here at Slashdot and running in similar circles tend to be more looped in on features of concern and options that exist or might exist to address said concerns. It is everyone else that blindly fall victim.
.
Landfill Mining Co.
Managing the (Un)natural Resources of Tomorrow
And this people is just one of the many reasons why smart TV's are a dumb idea!
Manufacturers only provide limited support.
Yes. That's the sacrifice I talked about. There was a time many years ago when these problems could be fought without needing a sacrifice. Now, fighting against these trends requires a sacrifice. You might not get to watch TV. That might even impact other areas of your life. It might even be a significant loss of wage or opportunity. Why would you think fighting against a well-funded opponent would be free or easy?
My point was that these costs are increasing. You can pay this cost now, which requires some sacrifice, or you can signal your acceptance of these policies making any future attempt to fight back even harder. Do you want to sacrifice "merely" some luxuries like TV? Or do you want to wait until it requires sacrificing a lot more? Going without TV is easy. Try fighting this when the only refrigerator you can buy is "smart".
Ce n'est pas une signature automatique.