Slashdot Mirror
Millions of Smart TVs, Phones and Routers At Risk From Old Vulnerability (trendmicro.com)
itwbennett writes: Adding fuel to the growing concern over how manufacturers of devices such as routers and smart TVs deal with security vulnerabilities that emerge in their products, Trend Micro found that a 3-year-old vulnerability in a software component used in millions of smart TVs, routers and phones still hasn't been patched by many vendors. Although a patch was issued for the component in December 2012, Trend Micro found 547 apps that use an older unpatched version of it, wrote Veo Zhang, a mobile threats analyst on the Trend Micro blog. 'These are very popular apps that put millions of users in danger; aside from mobile devices, routers, and smart TVs are all at risk as well,' he wrote.
It must be in one of those open source components, since Slashdot is not listing the actual component name.
Too busy trying to get a first post to bother reading the first line in the first link?
The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Summary doesn't mention this, but the vulnerability is in libupnp that is used by most of these mobile apps.
Yawn, wake us up when something new happens.
That millions and millions of consumer devices have been rushed to market are riddled with security holes should be common knowledge by now.
They have no standards, no penalty, and just want to get products out the door. And then they probably spend zero time maintaining the OS on those products or fixing security holes.
The same as we've heard at least twice a week for a while.
Honestly, if companies aren't going to change, and consumers are still going to keep buying insecure crap because it's got Netflix in it ... well, this will keep happening.
Me, I'll keep refusing to buy this stuff knowing full well it's likely to have huge security and privacy issues.
But let's stop acting surprised. People having been warning of this stuff since these things became available. The security defects were almost inevitable.
Lost at C:>. Found at C.
Well ... let's see ... first you could have a vulnerable cable modem your ISP gave you ... and a lot of people might not have a firewall behind that and connect directly to it. Hell, you could even have a modem from your ISP which does the wifi you use in your house.
The level of network security in most households probably means that the number of people who could easily have devices exploitable by this is likely not small.
The problem is that consumer adoption of the "internet of stuff" is growing FAR faster than the quality of security they have. Many people simply won't even know they're at risk, because they just took it out of the box and did the easiest bit of configuration.
Lost at C:>. Found at C.
This is one reason I don't use smart TV at all
There, fixed that for you, friend.
In this day and age of mass surveillance and the corporate practice of scraping people's lives for data to sell to other corporations, just like so many scammers and malware authors do, I wouldn't at all be surprised if they haven't 'fixed' the 'bug' because it's not a bug, it's a feature, intended to allow them them 'send carefully crafted packets' to allow 'execution of arbitrary code' (read as: 'run code that allows enhanced snooping on what you're doing with your TV, and to turn on the camera and microphone to spy outright on you) so they can collect their otherwise illegal data and still maintain a plausible deniability.
In my opinion you're asking for trouble if you connect a so-called 'smart TV' to any network in the first place. Do yourself a favor and reject the entire idea and buy a non-smart TV instead. You want 'smarts'? Connect it to a media center PC or a DVR or something else. Or maybe just, I dunno, watch TV instead of making it a lifestyle? FFS TVs are turning into just gigantic versions of people's phones. Enough already..
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
This one also goes for other connected things: automobiles, routers, mobile phones...
Good lord this is such a non issue even Windows XP's Firewall blocks this vulnerability from occurring naturally. You have to implicitly allow port 1900 to go OUT your firewall which is nonsense into and of itself. Furthermore, if you ALLOW your WAN port to be open on port 1900 you may be screwed.
Since most (I'm assuming) firewalls sold in this day and age Deny everything and only Allow when queried an attacker would have to be on your local LAN in order to sniff out an affected device and then hopefully hack through the compromised device to get into your system.
I'm more concerned with the vulnerable Android apps having the flaws than my TV being 'hacked'.
Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/
uPNP is on by default on consumer routers, so yes. Most people buying routers can barely plug the thing in without someone telling your how (not an exaggeration). The last thing they can do is set up the necessary port forwarding for their kids' game consoles on their own. Something that makes it "just hook it up and it works" will be used by them regardless of safety concerns.
My 2009-era "Smart" TV (read: TV with UPnP, DLNA, and wired ethernet, no apps) got exactly one software update. That software update did the following:
1) Disabled the "maintenance" menu
2) Disabled further updates
3) Blew the soft-fuse to prevent anyone from hard-hacking the two disabled features back.
Any vulnerabilities it had in early 2010 when that update was rolled out are baked in and are not ever going to change.
Since it can't be patched, and since the DLNA rendering client is downright fecal in its uselessness, I don't allow it to connect to my network anymore.
(For reference, it's a Samsung LN52B700, which is a North American, 2009-model, 52", LCD with CCFL backlight, Series 7 TV. Mine came from Newegg and has a white LED power indicator, as opposed to the Best Buy exclusive red LED version, which had a model number ending in 710. Because price-match guarantees are universally bullshit.)
I hereby facetiously give permission to all of the black hats out there to push malware to these televisions. The more damage you can do, the better.
I've been trying to shop around for a 4K 'television' that is really just a monitor, and the only available options at any reasonable price are "Smart" TVs. The fact that manufacturers are coupling the content playback engine with the display is just stupid. This article is the main reason why: It is very hard to create a Smart TV that is always up to date and has the latest capabilities for content. So manufacturers are left trying to create a revenue stream post sale by spying or selling content, or just not updating the OS with latest security and features.
Instead of Smart TVs, I wish they would make 4k displays with DisplayPort inputs that can drive 4K at higher than 30FPS. A TV is a product that should last 15-20 years. The devices that I hook up to the TV (PC, Tivo, cable box, xBox, whatever) are all components that have shorter life expectancies at this time because a ton of changes are happening in that area of the market. TVs just need to be dumb and simply display the content.
I agree with your sentiment, but an old saying comes to mind. Something about not having to outrun a bear if you can outrun your buddy. You don't have to have perfect security. Just better security than the guy one IP address over.