
Samsung and Roku Smart TVs Vulnerable To Hacking, Consumer Reports Finds (consumerreports.org)

An anonymous reader quotes a report from Consumer Reports: Consumer Reports has found that millions of smart TVs can be controlled by hackers exploiting easy-to-find security flaws. The problems affect Samsung televisions, along with models made by TCL and other brands that use the Roku TV smart-TV platform, as well as streaming devices such as the Roku Ultra. We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn't understand what was happening. This could be done over the web, from thousands of miles away. (These vulnerabilities would not allow a hacker to spy on the user or steal information.) The findings were part of a broad privacy and security evaluation, led by Consumer Reports, of smart TVs from top brands that also included LG, Sony, and Vizio. The testing also found that all these TVs raised privacy concerns by collecting very detailed information on their users. Consumers can limit the data collection. But they have to give up a lot of the TVs' functionality -- and know the right buttons to click and settings to look for.

102 comments

  1. Pfft. I did this in high school. by Anonymous Coward · · Score: 0

    It's really simple to program an IR device and people won't even think to look.

    Managed to convince the school that sixteen TVs were broken.

  2. What we've been saying by Gaygirlie · · Score: 5, Insightful

    In fact, one TV requires that you accept a broad privacy policy during setup before you can use the most basic, internet-free functions, such as watching TV using an antenna.

    This is exactly the kind of stuff many of us have expected to happen and it'll most likely happen more and more in the future; companies see you as a product and whatever they sell you is still their property in their view, not yours. Don't want to be spied on? Tough shit, it's not your decision!

    1. Re:What we've been saying by Anonymous Coward · · Score: 0

      Don't want to be spied on? Tough shit, it's not your decision

      I'm typing this using a Samsung TV. (Yes, probably one of the hackable ones.)

      Is my TV hacked? Almost certainly the answer is no. I only plugged in the ethernet jack once after I bought it to update it, then unplugged it. In short, I never planned to use the smart TV features.

      Of course if you update via wifi and keep using the same password, you have zero assurance that your TV isn't still connected.

      If you're really paranoid, you could assume your TV has a backdoor that will automatically be enabled whenever it sees a certain wifi link. After that point a firmware update could be loaded and your TV could then probably record all sound near it, then upload it every night to the odd car parked two houses down. (I have no idea if this TV even has a microphone.)

      I suppose really paranoid people would find all the microphones and physically disable them, though the phone is likely a better target. You can mitigate that if you use a land line I suppose, assuming your cell phone is in a drawer.

      Of course if you're using something like Ooma, it could be a rogue access node to your network. There has to be some reason they can get by with like $6 bills.

      It's amazing how hard it is to be sure of any level of true privacy in an ordinary house these days. I wonder how many internet devices are affected by Spectre or Meltdown or some other major vulnerability?

      Oh well, with hackable TVs maybe the Russians will eventually figure out how to directly replace news stories with "alternate facts." If they did it right, say just before an election, maybe with some look-alikes and help from neural nets to fake reputable people, well, how would you know in time that you had been conned?

      Do a few million voters your data suggests are persuadable, targeting each with one of a set of propaganda pieces that pushes their buttons.

      In time the stuff that happened in 2016 will be only the tip of the iceberg... Sure even with that small set, people might eventually figure it out, but by then it is too late...

    2. Re: What we've been saying by Anonymous Coward · · Score: 1

      It's called USE A FIREWALL.

      Filter out the traffic. Or, as with the two smart TVs in my house: what network connection?

    3. Re:What we've been saying by Anonymous Coward · · Score: 0

      All-or-nothing privacy policy. The Sony television was the only one that required you to agree to a privacy policy and terms of service to complete the setup of the TV.

      Color me surprised: the company that thought it would be a good idea to install a rootkit from audio CDs won't let you use your shiny new TV if you don't agree to let them monitor as much as they can.

      I continue to advise anyone who will listen to never buy Sony products.

    4. Re:What we've been saying by AmiMoJo · · Score: 1

      Best thing to do is return the product. Manufacturers keep data on returns, and if they see a significant number coming back because "user rejected EULA" they will do something about it.

      Check your local laws too. In the UK you don't have to return the original packaging at all, or you can just wrap it in parcel tape for transport so that it can't be re-used. Make sure that the return costs them as much as possible and they can't just throw it back on the shelf.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:What we've been saying by msauve · · Score: 3, Interesting

      "Best thing to do is return the product."

      No, best thing is some people bind together and sue their asses. Software shrinkwrap licenses are at least based on the belief that copyright prevents a user from installing the software without agreement.

      Not so much with a phone or IoT device - the user isn't copying anything, and has no need to agree to anything. There is no "consideration" to create a contract. There's nothing which legally prevents a purchaser from using a device without accepting terms. If you're sold a phone or IoT for some function, and they want you to agree to some terms before using it, after you've already bought it, that seems a perfect example of an attempt to create an unconscionable contract of adhesion. Same with, say, GM and OnStar tracking (they never explain how they know if a car has been sold, or what allows them to track the second purchaser).

      When one of those things comes up on the screen, cover it with a sticky note saying "This is my device, and I'll use it as I please. By clicking continue, I retain all rights."

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    6. Re:What we've been saying by Anonymous Coward · · Score: 0

      Or just send a wrapped up brick with no postage. That way they have to pay for the postage, then thinking they have something heavy and wonderful they open it up to find a brick. So they just paid £7 and got a brick ha ha ha

    7. Re:What we've been saying by AmiMoJo · · Score: 1

      I remember AMD graphics cards always had a note at the top of the EULA stating that if you didn't agree to it you should return the card to the retailer for a full refund.

      That text was in a little text file you could edit. You could make the EULA say anything you wanted, then click "I agree". Be interesting to know what the legal status of editing the EULA in that manner would be, and if the software accepting your "I agree" click counted as AMD accepting your terms.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re: What we've been saying by Anonymous Coward · · Score: 0

      The laws need to change to make such practices illegal.

    9. Re:What we've been saying by Anonymous Coward · · Score: 1

      LG, Sony and Samsung cripple their devices unless you agree to the T&C as part of the setup procedure, and they all report back to base with regular network traffic. They will not operate on your LAN without external net access; if you block the mothership domains at the firewall, you'll be locked out of third party services like Netflix, Hulu, etc., in addition to being denied access to your local NAS media with lying network errors.

    10. Re:What we've been saying by msauve · · Score: 1
      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    11. Re:What we've been saying by Anonymous Coward · · Score: 0

      My Finlux 65" Smart TV (bought 2017) didn't ask me to agree to anything on first use. Good TV, I don't use the Smart features though. Highly recommended if you have a cat that likes to scratch at (say) the little footballers and their balls during the match - it seems to be massively scratch resistant.

    12. Re:What we've been saying by Anonymous Coward · · Score: 0

      This is exactly the kind of stuff many of us have expected to happen and it'll most likely happen more and more in the future; companies see you as a product and whatever they sell you is still their property in their view, not yours. Don't want to be spied on? Tough shit, it's not your decision!

      Oh, but it is my decision ... if I buy a TV, and it can't be set up as a dumb monitor without an internet connection, I will return the TV.

      The only input to my TV is a single HDMI cable from my amp. The speakers don't even make noise, and it has no influence on what I'm watching and how. It is simply a display.

      I have no interest whatsoever in having a 'smart' TV.

      The problem with these things is what most of us have been saying all along ... it's going to get rushed out the door, have shit security, get no updates, and is going to upload far too much of your information to the internet as well as leave you open to hacking.

      Companies may like to believe it's their product and I'm only licensing it, but they can kiss my lily white ass. I'm not spending my money on a product which I own which is going to demand that I do what some asshole corporation wants ... especially not for something which has no benefit whatsoever to me to be connected to the internet in the first place.

    13. Re:What we've been saying by Rick+Schumann · · Score: 2

      Two or three things:

      1. Don't buy a so-called 'smart TV' in the first place. They're still out there.
      2. If you must buy a 'smart TV', only connect it to the Internet long enough to get through their shitty 'agreement', then disconnect it.
      2a. If it insists on being connected: block its IP address on your router.
      3. Alternately: Call the manufacturer help line. Tell them you have no Internet at home. There has to be a way to 'activate' the TV without the internet.

      Everyone: There are some cases where the 'herd' has made decisions for everyone and it makes it almost impossible to take back your privacy and protect your data, but in many cases it's just a matter of whether you're willing to not be lazy about it and find a way around things. Just don't listen to people that claim it's 'impossible' and that you should just 'give up and accept it', they're either fools, cowards, or both.

    14. Re:What we've been saying by Anonymous Coward · · Score: 0

      That's brilliant! When I moved back to the UK, I didn't wall-mount the TV. The cats could get to the screen as it was on a stand, and it was WC time. The little sods spend most of the games trying to catch the ball or the players. I'm glad to hear I wasn't alone.

  3. Dont network by AHuxley · · Score: 1

    If in doubt about a device that suggests it needs network, don't connect the network.
    Collect media to play back on a secure network.
    Use a sneaker net https://en.wikipedia.org/wiki/... to bring data to the smart display. Select the media and play.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Dont network by uvajed_ekil · · Score: 3, Insightful

      If in doubt about a device that suggests it needs network, don't connect the network.

      Wait, do you have one of those new-fangled magic smart TVs that can access DirecTV NOW, Netflix, and Amazon without connecting to a network? Good for you, but I'm more than happy to connect my vulnerable TCL to my home network. I mean, I wouldn't connect my refrigerator or my sewing machine, but there's nothing you can do with my TV that concerns me. And I like what the Roku interface can do.

      --
      This is a hacked account, for which the owner can not be held responsible.
    2. Re:Dont network by circletimessquare · · Score: 1

      but there's nothing you can do with my TV that concerns me

      what if it has a microphone?

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    3. Re:Dont network by packrat0x · · Score: 2

      The problem is that a Samsung smart TV has WiFi. It is reaching out to any Access Point it can find in its desperate attempt to phone home.

      --
      227-3517
    4. Re:Dont network by AmiMoJo · · Score: 2

      I'm surprised no-one has done a Kickstarter for a firewall appliance dedicated to TVs and other IoT devices. It would block all incoming connections and only allow outgoing ones to a whitelist of approved domains. You could have an app that lets you enable specific services like YouTube and Netflix, but nothing else.

      As an added bonus it could block ads on services like YouTube.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Dont network by Anonymous Coward · · Score: 0

      TCL Roku TVs do not (at least not the two popular models)

    6. Re:Dont network by Gilgaron · · Score: 1

      They'll just embed some 3G radios in there and have it phone home on some low bandwidth connection paid for by the advertising research money without telling you next. You'll probably have to watch from inside a Faraday cage.

    7. Re:Dont network by Khyber · · Score: 1

      Roku TVs work with the Roku Enhanced Remote, which comes with a microphone for voice control.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    8. Re:Dont network by JackieBrown · · Score: 1

      You can do that from your router already.

      If you are talking about an app you can install on your TV to do this, most smart TVs don't let you sideload apps and would probably never allow such an app in their official app store.

    9. Re:Dont network by Rick+Schumann · · Score: 1

      but there's nothing you can do with my TV that concerns me

      So you're saying you have a Smart TV, and you don't care if it's got a camera and microphone and is literally allowing undisclosed 3rd parties to watch and listen to you and everything that goes on in your house? Even when it's ostensibly turned off? Are you an exhibitionist, or do you just not understand what's going on here? Do you not understand that by 'not caring' you're helping create a precedent that spying on people in their homes is okay? Does that really not bother you at all? What if it's your kids that are being spied on? Are you okay with that? What if it's a hacker who is leveraging your TV's ability to spy on you, and he's masturbating to your kids? You still okay with all this? Don't even say "Oh, that'll never happen" because stranger things have happened. Seriously, I think some of you really aren't thinking these things through -- then you call people like me 'paranoid'.

    10. Re:Dont network by Anonymous Coward · · Score: 0

      I wouldn't connect my refrigerator or my sewing machine, but there's nothing you can do with my TV that concerns me.

      Ignorance and apathy. The hacker's dream.

  4. Re:Pfft. I sucked BeauHD's boner in high school. by Anonymous Coward · · Score: 0

    What circuit did you use?

  5. From Roku by Anonymous Coward · · Score: 5, Informative

    https://blog.roku.com/consumer-reports-got-wrong

    Gary Ellison - February 7, 2018

    Consumer Reports issued a report saying that Roku TVs and players are vulnerable to hacking. This is a mischaracterization of a feature. It is unfortunate that the feature was reported in this way. We want to assure our customers that there is no security risk.

    Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products. This is achieved through the use of an open interface that Roku designed and published. There is no security risk to our customers’ accounts or the Roku platform with the use of this API. In addition, consumers can turn off this feature on their Roku player or Roku TV by going to Settings>System>Advanced System Settings>External Control>Disabled.

    In addition the article discusses the use of ACR (Automatic Content Recognition). We took a different approach from other companies to ensure consumers have the choice to opt-in. ACR is not enabled by default on Roku TVs. Consumers must activate it. And if they choose to use the feature it can be disabled at any time. To disable consumers have to uncheck Settings > Privacy > Smart TV experience > Use info from TV inputs.

    We take the security of our platform and the privacy of our users very seriously.

    Happy Streaming!

    1. Re: From Roku by JackieBrown · · Score: 3, Informative

      So you want them to close their API and lock down what 3rd party developers can do? This is an opt in as well, not opt out.

      Next, more bitching that you can root your android phone and install possibly dangerous 3rd party apps. Followed by google making it hard to root and then people bitching that it is their phone to do what they want

    2. Re: From Roku by UnknowingFool · · Score: 3, Informative

      No, what the rebuttal misconstrues and gets wrong from Consumer Reports' criticism is not that Roku has an API for 3rd party developers but that the API itself is unsecured.

      The problem we found involved the application programming interface, or API, the program that lets developers make their own products work with the Roku platform. “Roku devices have a totally unsecured remote control API enabled by default,” says Eason Goodale, Disconnect’s lead engineer. “This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign.” And, it turned out we weren’t the first to notice this: The unsecured API had been discussed in online programming forums since 2015.

      Also the advice given by Roku is already addressed in the article. Disabling External Control will prevent hacking however it also disables Roku's own app.

      A Roku spokeswoman said via email, “There is no security risk to our customers’ accounts or the Roku platform with the use of this API,” and pointed out that the External Control feature can be turned off in the settings. However, this will also disable control of the device through Roku’s own app.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
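The trade-off UnknowingFool quotes above (a local control API that is either fully open or switched off, taking the vendor's own app with it) has a middle ground. As an added illustration, not Roku's code and not from the Consumer Reports article, here is a small Python policy for a hypothetical local control endpoint: a pairing token issued once to each client, a constant-time check on every request, a LAN-only source check, and rejection of browser-originated requests so a web page the user visits cannot drive the device. The header name, endpoint path and token store are assumptions.

```python
"""Hypothetical local-control-API policy (added illustration, not Roku's code).

Models a device whose remote-control endpoint is reachable on the LAN.
Three checks replace the all-or-nothing "External Control" switch the
thread discusses:
  1. the source must be a LAN address, never a routable one;
  2. requests carrying a browser Origin/Referer are refused (CSRF from a
     web page the user happens to visit), unless it is the device's own UI;
  3. a pairing token, issued once per client at pairing time, must match
     (constant-time compare), so the vendor's own app keeps working while
     an unpaired client on the same LAN does not.
"""
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, Mapping

PAIRING_HEADER = "X-Pairing-Token"   # assumed header name, not a Roku one

# Explicit list instead of ipaddress's is_private, which also treats the
# documentation ranges (e.g. 203.0.113.0/24) as "private".
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]


@dataclass
class ControlRequest:
    src_ip: str
    path: str                       # e.g. "/keypress/VolumeUp" (constructed)
    headers: Mapping[str, str]


@dataclass
class ControlApiPolicy:
    device_ip: str
    # client name -> token; filled only by pair_client(), never via a request
    tokens: Dict[str, str] = field(default_factory=dict)

    def pair_client(self, client_name: str) -> str:
        """One-time pairing (think: a code shown on screen and confirmed by
        the user). Returns the token the client must send on every request."""
        token = secrets.token_urlsafe(32)
        self.tokens[client_name] = token
        return token

    def revoke_client(self, client_name: str) -> None:
        self.tokens.pop(client_name, None)

    def authorize(self, req: ControlRequest) -> str:
        """Return 'allow' or a 'deny:<reason>' string (easy to log)."""
        # 1. LAN-only: refuse anything that did not come from a LAN range.
        try:
            src = ipaddress.ip_address(req.src_ip)
        except ValueError:
            return "deny:bad-source"
        if not any(src in net for net in LAN_RANGES):
            return "deny:non-local-source"

        # 2. CSRF guard: browsers attach Origin (or at least Referer) to
        # cross-site requests; a native app normally sends neither.
        hdrs = {k.lower(): v for k, v in req.headers.items()}
        origin = hdrs.get("origin") or hdrs.get("referer")
        if origin and not self._is_own_origin(origin):
            return "deny:cross-origin-browser-request"

        # 3. Pairing token, compared in constant time against every paired
        # client so that timing does not reveal which client names exist.
        presented = hdrs.get(PAIRING_HEADER.lower())
        if not presented:
            return "deny:missing-pairing-token"
        matched = False
        for token in self.tokens.values():
            if hmac.compare_digest(token, presented):
                matched = True            # no early break: keep timing flat
        if not matched:
            return "deny:unknown-pairing-token"
        return "allow"

    def _is_own_origin(self, origin: str) -> bool:
        # Only the device's own web UI (if it serves one) may call from a browser.
        host = origin.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        return host == self.device_ip


def demo() -> Dict[str, str]:
    """Constructed scenario: the vendor's own app is paired; a random LAN
    client, a web page loaded on a LAN machine, and an Internet host are not.
    Returns the decision for each case."""
    policy = ControlApiPolicy(device_ip="192.168.1.50")
    app_token = policy.pair_client("vendor-app")
    vol_up = "/keypress/VolumeUp"
    cases = {
        "paired-app": ControlRequest("192.168.1.20", vol_up,
                                     {PAIRING_HEADER: app_token}),
        "unpaired-lan-client": ControlRequest("192.168.1.99", vol_up, {}),
        "web-page-on-lan": ControlRequest("192.168.1.20", vol_up,
                                          {"Origin": "http://ads.example"}),
        "from-internet": ControlRequest("203.0.113.7", vol_up,
                                        {PAIRING_HEADER: app_token}),
    }
    return {name: policy.authorize(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} -> {decision}")
```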
  6. you have to be in the same network by OppMan29 · · Score: 4, Informative

    in order to control the Roku TV. If you are already in my WiFi network, I'm sure that turning up the volume on the TV is not what I'm worried about.

    1. Re:you have to be in the same network by Anonymous Coward · · Score: 0

      Problem is that those devices load anything from anywhere and execute it. So the TV may very well some day be slow to use as it is running some cryptocurrency miner javascript ad.
      Samsung obsoleted my smart TV the very same day the next model came out, and in practice it is a Linux+browser+mediaplayer combination updated 8 years ago. Any script kiddie would hack that combination.

  7. Bullshit. by msauve · · Score: 4, Informative

    They're like lots of IoT devices - wide open on the local network for nefarious things like cranking up the volume. Not so much for the exaggerated claim that it can be done from the Internet. That's not happening unless you went out of your way to specifically configure your NAT gateway to allow incoming connections to your TV, in which case it's your own damn fault.

    Sure, Roku and some others (a number of AVRs come to mind) have no security, but in practical terms, it's only a matter of annoyance.

    Reminds me of the time Consumer Reports dinged VW for only having a single turn signal "blinker" indicator on the dashboard, instead of two (showing left/right). Only an idiot CR reviewer wouldn't remember which way they wanted to turn and need a reminder.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Bullshit. by BitterOak · · Score: 2

      They're like lots of IoT devices - wide open on the local network for nefarious things like cranking up the volume. Not so much for the exaggerated claim that it can be done from the Internet. That's not happening unless you went out of your way to specifically configure your NAT gateway to allow incoming connections to your TV, in which case it's your own damn fault.

      But then you're just moving the security from one device (the television) to another (the router). So if a vulnerability is found in your router, perhaps a zero-day exploit for which a patch isn't available for several weeks, then your television is vulnerable as well. You might say something like "If your router is hacked, you have bigger problems than the fact that someone can control your TV!" That may be true, but it misses the point. There is NO GOOD REASON why televisions need to be designed in such a way that they are vulnerable to this kind of hacking, especially if people don't really want or need a lot of "smart TV" features, i.e. just watching over the air broadcasts, or DVD/BluRay discs, or playing video games. This is why I don't like smart TVs. A separate TV and streaming box is much safer and more flexible.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    2. Re:Bullshit. by Anonymous Coward · · Score: 0

      You're forgetting just how capable browsers are getting. The browser represents a (relatively) exploitable intermediary between you and the IoT device you want to infect. Take over someone's fridge, then use that to infect the LAN. Even amongst this crowd I think few people would consider their fridge as an attack vector.

    3. Re:Bullshit. by chispito · · Score: 4, Insightful

      But then you're just moving the security from one device (the television) to another (the router).

      It turns out all TVs are vulnerable to infrared hacking! If your window is open, hackers can control your TV! This just moves the security from the TV to the blinds.

      There is NO GOOD REASON why televisions need to be designed in such a way that they are vulnerable to this kind of hacking, especially if people don't really want or need a lot of "smart TV" features, i.e. just watching over the air broadcasts, or DVD/BluRay discs, or playing video games.

      Then don't put it on your network. Problem solved.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    4. Re:Bullshit. by nnull · · Score: 1

      Unfortunately, there are so many unsecured devices out there that the router is the only thing keeping things secure. From your stupid $15 IoT WiFi nanny camera to multi-million dollar machines. Fortunately, routers and switches with greater security and greater features are out there for reasonable prices now to deal with it. But you're right, if the router is compromised, all those devices are vulnerable.

    5. Re:Bullshit. by uvajed_ekil · · Score: 2

      The real takeaway here: be afraid, VERY AFRAID! *They* are watching, even if your TV doesn't have a camera - *they* are very clever, and have a whole lot of time to waste spying on super-important people like you.

      I get it, tons of IOT things are vulnerable to remote hijacking of various types. But I'm not worried about someone changing my volume - I'm sorry for them if that's how they spend their time. This all reminds me of the PSAs on the Justice Network, which are all just a nice cop smiling and telling you to be deathly afraid every time you do things like walk across a parking lot or use an ATM. Be cautious, of course, but if you're afraid all the time then the hackers/terrorists are winning.

      --
      This is a hacked account, for which the owner can not be held responsible.
    6. Re:Bullshit. by aaarrrgggh · · Score: 1

      Um... I take advantage of Sonos' same terrible, awful, incorrigible security hole all the time, and I am thankful they have them! How else would you control what is playing, adjust volume, configure zones, etc without needing to use the Sonos app that constantly asks to be updated?

      I have a mix of Insteon, Hue, Sonos, and some other crap in my home, glued together (technically much more like duct tape) with a Universal Devices ISY994 (and in true Rube-Goldberg fashion, with a Beagle or Pi adding some specific feedback). It lets me use Insteon remotes and switches to change not only lighting but music based on events. It isn't perfect, but boy is it nicer than needing to use a dedicated app for each system and not being able to have things communicate.

      Eventually I will upgrade it so the universal remote can do everything rather than relying on Insteon remotes, and fix the Insteon units in fake wall switches for different functions.

    7. Re:Bullshit. by Anonymous Coward · · Score: 0

      They are playing the Roku API as some massive security hole... The Roku platform has had this API since inception, it is enabled by default on ALL Roku devices, and is only usable locally. It is no secret that it exists. It is even publicly documented in detail: https://sdkdocs.roku.com/display/sdkdoc/External+Control+API

      If someone manages to get inside your network far enough to communicate with this API, well then you have much bigger problems than just some stranger changing your TV volume.

      While I think maybe Roku should implement some sort of basic security procedures, CR is still over-exaggerating this "threat". If it is such a huge problem why isn't there a massive Roku botnet already? Or millions of Rokus randomly performing actions without being told?

    8. Re:Bullshit. by sheramil · · Score: 1

      Unfortunately, there are so many unsecured devices out there that the router is the only thing keeping things secure. From your stupid $15 IoT WiFi nanny camera to multi-million dollar machines.

      Anyone who spent more than a million dollars on a television set deserves everything that happens to them.

    9. Re:Bullshit. by WaffleMonster · · Score: 1

      You might say something like "If your router is hacked, you have bigger problems than the fact that someone can control your TV!"

      I like the CSRF-ish argument in TFA. Of all the possibilities this seems to be the most credible vector against the average user.

      People installing smartphone apps that are actually (surprise) malware or exploit some whizbang browser feature enabling your LAN to be owned when you visit the wrong site by actors who would not otherwise have direct access.

      There is NO GOOD REASON why televisions need to be designed in such a way that they are vulnerable to this kind of hacking

      Personally I have unauthenticated access configured on my libreelec SBC because I want people to broadcast their drivel to our crummy TV without asking permission. There is value in ease of use to allowing people to control and/or broadcast content without authentication. More value than risks in my situation, yet everyone has different value judgments and everyone may not be ok with it.

      This is why I don't like smart TVs

      Hard to fathom the sheer amount of negative energy that must have gone into engineering malware like ACR into current televisions. Makes me think it's actually reasonable and prudent to spend the time to open up the set and ground out the internal WiFi antenna or pull the wlan card altogether. If manufacturers are willing to display such a high level of contempt for their own customers, it doesn't seem rational to trust them not to exploit unconfigured WiFi.

    10. Re:Bullshit. by Anonymous Coward · · Score: 0

      The real takeaway here: be afraid, VERY AFRAID! *They* are watching, even if your TV doesn't have a camera - *they* are very clever, and have a whole lot of time to waste spying on super-important people like you.

      Sound advice.

      Smart TVs, when connected to a network, record every press of the remote AND everything you watch. Provable facts enumerated in the manufacturers' own "privacy" statements. Never under any circumstance should a smart TV be connected to the Internet.

      I get it, tons of IOT things are vulnerable to remote hijacking of various types.

      Smart TVs are hijacked prior to leaving the assembly line.

      Be cautious, of course, but if you're afraid all the time then the hackers/terrorists are winning.

      They don't want you to be afraid. They want you to take the blue pill with a glass of DHMO and go back to sleep.

    11. Re:Bullshit. by WaffleMonster · · Score: 1

      Um... I take advantage of Sonos' same terrible, awful, incorrigible security hole all the time, and I am thankful they have them! How else would you control what is playing, adjust volume, configure zones, etc without needing to use the Sonos app that constantly asks to be updated?

      Sonos is malware.

    12. Re:Bullshit. by jrumney · · Score: 1

      I see these idiots on the road daily. Next time I'll take note of whether they are driving a VW and if so, sue for the disruption caused to my motoring.

    13. Re:Bullshit. by AmiMoJo · · Score: 2

      It turns out all TVs are vulnerable to infrared hacking! If your window is open, hackers can control your TV! This just moves the security from the TV to the blinds.

      Kids do this occasionally around here. Take their Sky satellite TV remote and wander around changing people's TVs to the porn channels and cranking the volume up.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:Bullshit. by Anonymous Coward · · Score: 0

      You do not understand the trade-off between security and usability. You can have one only at the expense of the other. Your router is the security device, just like the lock on your house. Or do you have locks on your rooms and cabinets because you do not trust the front door?

      Roku did nothing wrong here. This is literally fake news.

    15. Re:Bullshit. by chispito · · Score: 1

      Be cautious, of course, but if you're afraid all the time then the hackers/terrorists are winning.

      They don't want you to be afraid. They want you to take the blue pill with a glass of DHMO and go back to sleep.

      "They" as in the manufacturers and advertisers would prefer you use their services without a thought toward privacy. "They" as in the news outlets, security vendors, and nanny state, crusading politicians do want you to be scared.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
  8. I'm continually disappointed by bobstreo · · Score: 2

    that my (bought for lack of smart features) dumb TV continues to not have any of these issues.

    1. Re:I'm continually disappointed by Anonymous Coward · · Score: 0

      You misspelt smug in the title.

    2. Re:I'm continually disappointed by Anonymous Coward · · Score: 0

      It'll break sooner or later, the back-lights fade, the PSU dies, and you've convinced yourself you're happy with ancient tech, no 4K, no HDR, and the need for additional devices to make up for the lack of a $3 SoC.

    3. Re:I'm continually disappointed by kackle · · Score: 1

      It'll break sooner or later,

      My money's on "later".

  9. So? by uvajed_ekil · · Score: 1

    I have a TCL Roku TV, and if you have so much time on your hands that you want to track it down and change the volume on me, have at it. I have a great TV that was a true bargain, and there's nothing sensitive stored on it, so I'm happy.

    --
    This is a hacked account, for which the owner can not be held responsible.
    1. Re:So? by Anonymous Coward · · Score: 0

      Good luck. The problem isn't hackers turning your TV on and off or controlling the channel or volume. It is when one of these exploits lets them use the TV or other IoT device as a jumping off point to the more sensitive points within your network.

      Good luck when someone finds a way to inject malware into your network through one of these devices that manages to infect every desktop on the network. Why would someone want to do this you say? Have you ever heard of crypto paid ransomware? Now you know!

    2. Re:So? by WaffleMonster · · Score: 2

      Good luck. The problem isn't hackers turning your TV on and off or controlling the channel or volume. It is when one of these exploits lets them use the TV or other IoT device as a jumping off point to the more sensitive points within your network.

      Good luck when someone finds a way to inject malware into your network through one of these devices that manages to infect every desktop on the network. Why would someone want to do this you say? Have you ever heard of crypto paid ransomware? Now you know!

      If someone can get to your smart TV behind your LAN what stops them from getting to whatever other shit exists behind same LAN? Why is it necessary to hack TV as a jumping off point?

      For example say someone with your home WiFi password installs Mr Clean's malware app on their smart phone. What prevents the app from attacking your systems directly without the smart TV foothold?

      What access scenario in TFA is necessarily limited to smart TV?

      Please don't misunderstand. I'm not arguing rooting televisions is harmless or that your point isn't worth considering. It's just your point assumes a level of selectivity that does not seem credible.

    3. Re:So? by Anonymous Coward · · Score: 0

      It's not them directly being able to SSH into said TV. It is what happens when some carefully crafted payload, maybe a YouTube video, lets the attacker gain access to what was an otherwise secure network.

    4. Re:So? by silas_moeckel · · Score: 1

      If your TV is on a secure network the network is not secure. Media devices like this moved to their own VLAN a decade ago. The TCL Rokus, in particular, need a little love as they will refuse to connect to wifi that they cannot call home from, though it's easy to fake and I have a strong preference for wired anyway.

      --
      No sir I dont like it.
    5. Re:So? by Anonymous Coward · · Score: 0

      They haven't rooted the thing. The API is just for remote control buttons and a few other things.

  10. Extremely negative publicity by Futurepower(R) · · Score: 1

    From the Slashdot summary: "... all these TVs raised privacy concerns by collecting very detailed information on their users."

    It seems to me that the long-term effect will be to do severe damage to the reputation of both Samsung and Roku.

    1. Re:Extremely negative publicity by Anonymous Coward · · Score: 0

      With Samsung's unaddressed "rebooting" issue on their "Smart" TVs, their reputation is already damaged.

  11. Don't let it talk back. by Templer421 · · Score: 1

    Hook it to a streaming device like an Amazon Fire.

    Disable voice, and tape over the microphones with duct tape.

    Put a dedicated NAT router between the streaming device and the main home router.

    Disable wireless and run wired.

    Got to get 3 levels deep to get to the TV, the most expensive part on that chain of devices.

    1. Re: Don't let it talk back. by Brockmire · · Score: 2

      Or you can go to someone who knows what the fuck they are doing and skip all that. Was waiting for your tin foil step.

  12. Zero Shits Given by chuckugly · · Score: 1

    The attacker has to have a presence on my LAN and then they can adjust the volume of a TV ..... wow. I really think that's low on the list of things to worry about if they are on my subnet. I don't own one of these sets but this isn't a big deal IMO.

    1. Re:Zero Shits Given by Anonymous Coward · · Score: 1

      Lock up your remotes. They are a security risk. If someone breaks into your house they can use them to change your TV settings!

    2. Re:Zero Shits Given by Anonymous Coward · · Score: 0

      I don't own one of these sets but this isn't a big deal IMO.

      Apathy. The great enabler.

    3. Re:Zero Shits Given by Rakarra · · Score: 1

      Lock up your remotes. They are a security risk. If someone breaks into your house they can use them to change your TV settings!

      Yeah, last year some dudes broke into my house and set the TV to the Playboy channel and then left it on that channel for my wife to find! I'm lucky they didn't steal anything, but it took a while to convince my wife that the ne'er-do-wells had broken in.

  13. Relying on your Samsung TV to actually WORK by Anonymous Coward · · Score: 0

    Like so many others, my Samsung "Smart" TV spends a LOT of time just rebooting and rebooting and rebooting...
    When it is NOT rebooting, it just keeps dropping off "Smart" Apps, that used to once work OK but now either refuse to work properly or the system has decided to delete.
    The wifi seems to no longer work at all, as it can't seem to find the network that everything ELSE is currently running off and the smarttv interface spends so much time "updating" instead of actually working that it's almost pointless to use.
    God forbid Samsung either addressed any issues with new firmware updates or revised Apps to actually FUNCTION properly. But, hey, they've already GOT my money, right ?
    Their chances of getting any more money for a replacement, however....

    1. Re:Relying on your Samsung TV to actually WORK by Anonymous Coward · · Score: 0

      I guess that a subsequent failure to find wifi CAN now be classed as a "security feature" by Samsung.

    2. Re:Relying on your Samsung TV to actually WORK by Anonymous Coward · · Score: 0

      I think the problem is water getting into your TV. You don't have a Samsung refrigerator upstairs by chance? :-)

  14. Re: Pfft. I sucked BeauHD's boner in high school. by Brockmire · · Score: 1

    Universal remote.

  15. Re: Pfft. I sucked BeauHD's boner in high school. by Anonymous Coward · · Score: 0

    OK, so how exactly did you convince them? I tried this with a universal remote in the late '90s, and they just unplugged the TVs in our student center, knowing that something was up. That was with two wall-mounted CRTs......the faculty knew the student body a little too well.

  16. Re:Pfft. I did this in high school. by Anonymous Coward · · Score: 0

    Sure you did, fag.

  17. i'm pretty sure EVERY "smart tv" is hackable. by Anonymous Coward · · Score: 0

    if it's connected to the internet, it's fucked. period. and in the case of televisions: the vendors have already proven, time and again, that they don't give a shit about security.. hell, they program exploitable vulnerabilities right into the damn firmware.. on. fucking. purpose.

  18. Seriously by Anonymous Coward · · Score: 0

    Fuck you. It is my decision. I can choose not to buy your retarded products. Not to watch your ad infested bullshit television. Seriously go fuck yourself again.

  19. So... by XSportSeeker · · Score: 1

    I dunno about Roku, but you know... water is wet, smart TVs are vulnerable to hacking.

  20. Other issue is support by WindBourne · · Score: 1

    Some time ago, I found that Samsung had stopped updating software on my Blu-ray player (which killed new Blu-rays), so I started playing with the TV. Sure enough it was obvious that our TV has holes in it.
    I never tested Roku, but assumed that staying up was going to be hard because they have lots of capabilities, i.e. lots and lots of code. The only ones I trust are those backed by large software companies, which is Apple TV, Android TV, and Chromecast. Out of these, only Chromecast is a minimalist approach, a kind of X terminal, which should mean small code, small numbers of holes, and easy to back.
    As such our next TV is going to be a Vizio E-series. No tuner. Solely based on Chromecast. The only thing wrong with them is complexity of hook-ups. If they were smart, they would skip it all, and just go with 5-7 HDMI and Ethernet. You need an RGB/audio hookup? Get a converter. Need a tuner? Get one that has HDMI, or better yet, HDHomeRun combined with Plex. Chromecast too complex? Fine, plug in a Roku stick. Basically, we need a thin TV and the ability to add to it. I would even suggest that one of the HDMI ports be an audio output.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:Other issue is support by iampiti · · Score: 1

      So there are hardware Blu-ray players that can't play new movies because the manufacturers can't be bothered to update them? Wouldn't that count as not being fit for purpose?
      I don't own a Blu-ray player and had heard something about key revocation and so on, but never imagined that there existed legitimate hardware players that couldn't play original discs. Madness.

    2. Re: Other issue is support by WindBourne · · Score: 1

      And not key revocation, but no more updates. Cannot play any BR from Amazon on the Samsung; only the older Sony will play them.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  21. Not surprised this would happen by Anonymous Coward · · Score: 0

    I would never buy a smart TV because in fact it's not really that smart. Placing all your eggs in one basket is not very smart. Any more than car technology is smart, considering how manufacturers will abandon it after the model is replaced. It's getting worse as appliances and other devices become internet accessible.

  22. Published? by jrumney · · Score: 2

    So did they publish it so we can take control of our own TVs?

    I've seen that Samsung has Android apps available that work only on Samsung phones. And a bunch of other guys have advertising laden apps that ask for far too many permissions just like the Samsung one. What I really want is to control my TV from my Home Automation server in response to other events (since the HDMI-CEC on Samsung TVs is next to useless).

    1. Re:Published? by ody · · Score: 2

      What I really want is to control my TV from my Home Automation server in response to other events (since the HDMI-CEC on Samsung TVs is next to useless).

      Agreed. I'd very much like to have a means to control my Fire TV from my home automation server (without using the kludgy ADB hack), but they have it locked behind an undocumented, encrypted API that AFAIK is currently only supported by Google and Amazon apps.

      I think what CR calls a "security vulnerability" I'd call an "Open API".

  23. Vlan People by Anonymous Coward · · Score: 0

    Just go ahead and assume all internet connected devices you can't control are security issues. Put them bitches on a vlan and lock them down. At least you'll be segmented when the device gets hacked. Most people put so much fucking blind trust in these companies today..

  24. Better things to do by sjbe · · Score: 2

    Best thing to do is return the product.

    A) That will never happen in any meaningful scale.
    B) A better thing to do is to simply not connect the device to a network if you don't have a compelling need to do so. Can't be hacked if it can't be reached.
    C) Another better thing to do is for some enterprising lawyer(s) to sue them until they get the message. EULA be damned lawsuits will cost them money even if they win so eventually it becomes cheaper to actually provide real security.
    D) EULA that you don't agree to prior to purchase are on thin legal ground. There is plenty of precedent for holding such agreements invalid when they cannot be examined prior to handing over money. Expecting someone to bear the cost of returning a large TV is arguably unreasonable when the terms of purchase/use weren't available prior to purchase.

  25. Overconfidence by sjbe · · Score: 1

    Good for you, but I'm more than happy to connect my vulnerable TCL to my home network.

    And just how confident are you that your home network is some impregnable fortress? Unless you are an anal retentive network security professional I'm dubious you have it locked down tight.

    but there's nothing you can do with my TV that concerns me.

    If you honestly believe that then you don't understand the problem or what some clever asshat might do with it.

    And I like what the Roku interface can do.

    That's nice but not of concern here.

    1. Re:Overconfidence by flink · · Score: 2

      Good for you, but I'm more than happy to connect my vulnerable TCL to my home network.

      And just how confident are you that your home network is some impregnable fortress? Unless you are an anal retentive network security professional I'm dubious you have it locked down tight.

      If you've owned someone's router sufficiently to get onto their LAN, why would you bother with their TV? There are way richer targets on the average home network.

      To quote the article:

      To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code.

      Yeah, if you can get someone to do that, you've already compromised the device they installed the application on and have full access to their LAN. Why bother futzing with their TV volume: start harvesting passwords from network traffic or trying to exploit other PCs on the LAN.

      This looks like it is going after the unsecured API that lets you send YouTube videos from your phone to Rokus on the same LAN segment. Unless you are hanging your streaming devices out on the public internet with routable IPs and no firewall it's not a huge issue.

    2. Re:Overconfidence by Rakarra · · Score: 1

      If you've owned someone's router sufficiently to get onto their LAN, why would you bother with their TV? There are way richer targets on the average home network.

      The TV is harder for the user to secure, and it's unlikely to change much for years.
      If someone owns a PC, chances are the user will notice -- degraded performance, anti-virus or other product sending out warnings, more computer-savvy relative running tests. It's more likely to be wiped or replaced. Almost no one thinks of checking the TV for something it might be doing behind the scenes. It's a tempting target because it's less likely to get fixed unless your rootkit thing is sloppy enough to affect the watching experience.

  26. It's simple really... by MerlTurkin · · Score: 1

    ....don't buy a "smart" TV. See how easy that is?!

    1. Re:It's simple really... by Anonymous Coward · · Score: 0

      Maybe this posting is being sarcastic, but I've been looking for a "dumb" 39" 4K TV to serve as a computer monitor... they are pretty hard to find.

      As for the Roku, when I leave it on, it ends up talking to my wireless router but not admitting the connection when I want to watch streaming TV. Since I have to reboot it anyway when I watch TV, I just remember to pull the low-voltage power plug out of the back when I'm done with it.

  27. Stop it... by Anonymous Coward · · Score: 0

    I do this all the time to my wife from the ROKU app. She will just tell me to stop it, and won't believe me when I say it isn't me.

  28. 1953 Crosley by The+Grim+Reefer · · Score: 1

    This is why my TV is a 1953 Crosley model EU-21COLBe. No one is hacking it from the internet.

    I used to be jealous of all of my friends with their fancy solid state color TVs because they would turn on without having to warm up the tubes first. But with modern smart TVs my trusty old EU-21 actually shows a picture faster than their newfangled televisions. And even then, they still have to wait for it to finish booting until they can actually change the channel.

    Plus I've never once lost the remote. Granted I'm going to have to get a new remote once my kid goes off to college, but at least my remote never needs batteries. I have noted that the voice command for the remote doesn't work as well as it used to though.

  29. I expected nothing less from a convicted CEO by Anonymous Coward · · Score: 0

    I expected nothing less from a convicted CEO. They just let him out by the way :)

  30. How is this news? by ewhenn · · Score: 1

    How is this news? Any device reachable through the Internet is vulnerable to hacking. Period.

  31. Roku was the worst tech product I ever bought by el_smurfo · · Score: 1

    Bad software, out of sync audio, updates that broke more than they fixed and a forum staffed by people that ignored major problems while criticizing users for minor forum etiquette. Returned as defective after only a few weeks of frustration.

  32. Routers and Firewalls by Anonymous Coward · · Score: 0

    It's not a hard concept:

    1. Put ALL devices behind the router firewall

    2. Patch router firmware

    3. Use good passwords and don't allow remote connectivity to the router

    4. Disable incoming connections on any ports you don't need

    ...UNFORTUNATELY, the typical consumer doesn't know this, and I don't think expecting IoT manufacturers to fix all the problems is going to work. It's really up to router manufacturers to implement stronger default policies and automatic firmware patches.
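    The segmentation that silas_moeckel (reply 4 under "So?"), Templer421 ("Don't let it talk back."), the "Vlan People" post and this "Routers and Firewalls" list each describe in words, written out as a single nftables ruleset for a small Linux-based home router. This is an added example, not something any poster supplied or anything shipped by Roku or Samsung; the interface names, VLAN ids and subnets are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: one router ruleset that combines
#   - a separate VLAN for TVs and streaming sticks (comments 4, 11, 23), and
#   - "default deny inbound, no remote admin" on the router (comment 32).
# Interface names, VLAN ids and subnets below are assumptions.

define WAN     = eth0          # upstream link
define LAN     = eth1.10       # trusted VLAN: laptops, phones, NAS
define IOT     = eth1.20       # untrusted VLAN: TVs, Rokus, Chromecasts
define LAN_NET = 192.168.10.0/24
define IOT_NET = 192.168.20.0/24

table inet filter {
    chain input {
        # Traffic addressed to the router itself: drop unless listed.
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Router administration only from the trusted VLAN (step 3).
        iifname $LAN tcp dport { 22, 443 } accept

        # Both VLANs get DHCP and DNS from the router; the IoT VLAN
        # gets nothing else, so a rogue TV cannot probe the router.
        iifname { $LAN, $IOT } udp dport { 53, 67 } accept
        iifname { $LAN, $IOT } tcp dport 53 accept

        # Nothing from the internet reaches the router's own services.
        iifname $WAN drop
    }

    chain forward {
        # Traffic crossing between networks: drop unless listed (step 4).
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Either VLAN may reach the internet (the TV still needs its
        # streaming services; the trusted side needs everything).
        iifname { $LAN, $IOT } oifname $WAN accept

        # Trusted devices may open connections *to* the TVs, which is
        # what casting from a phone and sending remote-control commands need.
        iifname $LAN oifname $IOT ip saddr $LAN_NET ip daddr $IOT_NET accept

        # The IoT VLAN may never initiate anything towards trusted devices.
        # A compromised TV can answer requests, not make them, and every
        # attempt is logged so the NAS or a syslog box can alert on it.
        iifname $IOT oifname $LAN log prefix "iot-to-lan-blocked " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

    Two practical consequences follow from the one-way `forward` policy. First, the casting and "open API" behaviour discussed further down the thread keeps working from the trusted side, because the phone initiates the connection and the conntrack `established,related` rule lets the TV's replies back; the TV itself can never open a connection into the trusted VLAN. Second, device discovery (mDNS, SSDP) is link-local multicast and does not cross VLANs, so the phone's cast menu will be empty unless the router runs an mDNS reflector between the two VLANs or the casting device is moved onto the IoT VLAN. The `log prefix "iot-to-lan-blocked "` line is the detection hook: on a healthy network it should be silent, and a burst of entries from a TV's address is exactly the "jumping off point" behaviour WaffleMonster and the Anonymous Coward argue about above.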

  33. I use a smart TV as a dumb TV by Anonymous Coward · · Score: 0

    I have a Samsung smart TV that I never connected to my network. I still stream content to it, but only via external Chromecast hardware. The biggest PITA with the setup is that the Samsung remote has no number buttons, so I have to go to the on-screen virtual buttons to jump to a numerically distant channel.

  34. Finish it! by beer_maker · · Score: 1

    And old Satan Claus, Jimmy, he's out there. And he's just getting stronger.

    --
    Hmmm. Your ideas are intriguing to me and I wish to subscribe to your newsletter.
  35. What a load of scare tactic garbage by Anonymous Coward · · Score: 0

    What a load of scare tactic headline generating garbage....

    "To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code. That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded."

    If you are on the same network as someone and on a compromised device, the TV isn't really being hacked as much as it is being controlled through a manner they created on purpose...

  36. So they claim by Anonymous Coward · · Score: 0

    "These vulnerabilities would not allow a hacker to spy on the user or steal information."

    So they claim....