Slashdot Mirror

← Back to Stories (view on slashdot.org)

Samsung and Roku Smart TVs Vulnerable To Hacking, Consumer Reports Finds (consumerreports.org)

Posted by BeauHD on from the heads-up dept.

An anonymous reader quotes a report from Consumer Reports: Consumer Reports has found that millions of smart TVs can be controlled by hackers exploiting easy-to-find security flaws. The problems affect Samsung televisions, along with models made by TCL and other brands that use the Roku TV smart-TV platform, as well as streaming devices such as the Roku Ultra. We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn't understand what was happening. This could be done over the web, from thousands of miles away. (These vulnerabilities would not allow a hacker to spy on the user or steal information.) The findings were part of a broad privacy and security evaluation, led by Consumer Reports, of smart TVs from top brands that also included LG, Sony, and Vizio. The testing also found that all these TVs raised privacy concerns by collecting very detailed information on their users. Consumers can limit the data collection. But they have to give up a lot of the TVs' functionality -- and know the right buttons to click and settings to look for.

22 of 102 comments (clear)

  1. What we've been saying by Gaygirlie · · Score: 5, Insightful

    In fact, one TV requires that you accept a broad privacy policy during setup before you can use the most basic, internet-free functions, such as watching TV using an antenna.

    This is exactly the kind of stuff many of us have expected to happen and it'll most likely happen more and more in the future; companies see you as a product and whatever they sell you is still their property in their view, not yours. Don't want to be spied on? Tough shit, it's not your decision!

    1. Re:What we've been saying by msauve · · Score: 3, Interesting

      "Best thing to do is return the product."

      No, best thing is some people bind together and sue their asses. Software shrinkwrap licenses are at least based on the belief that copyright prevents a user from installing the software without agreement.

      Not so much with a phone or IoT device - the user isn't copying anything, and has no need to agree to anything. There is no "consideration" to create a contract. There's nothing which legally prevents a purchaser from using a device without accepting terms. If you're sold a phone or IoT for some function, and they want you to agree to some terms before using it, after you've already bought it, that seems a perfect example of an attempt to create an unconscionable contract of adhesion. Same with, say, GM and OnStar tracking (they never explain how they know if a car has been sold, or what allows them to track the second purchaser).

      When one of those things comes up on the screen, cover it with a sticky note saying "This is my device, and I'll use it as I please. By clicking continue, I retain all rights."

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:What we've been saying by Rick+Schumann · · Score: 2

      Two or three things:

      1. Don't buy a so-called 'smart TV' in the first place. They're still out there.
      2. If you must buy a 'smart TV', only connect it to the Internet long enough to get through their shitty 'agreement', then disconnect it.
      2a. If it insists on being connected: block it's IP address on your router. 3. Alternately: Call the manufacturer help line. Tell them you have no Internet at home. There has to be a way to 'activate' the TV without the internet.

      Everyone: There are some cases where the 'herd' has made decisions for everyone and it makes it almost impossible to take back your privacy and protect your data, but in many cases it's just a matter of whether you're willing to not be lazy about it and find a way around things. Just don't listen to people that claim it's 'impossible' and that you should just 'give up and accept it', they're either fools, cowards, or both.

  2. From Roku by Anonymous Coward · · Score: 5, Informative

    https://blog.roku.com/consumer-reports-got-wrong

    Gary Ellison - February 7, 2018

    Consumer Reports issued a report saying that Roku TVs and players are vulnerable to hacking. This is a mischaracterization of a feature. It is unfortunate that the feature was reported in this way. We want to assure our customers that there is no security risk.

    Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products. This is achieved through the use of an open interface that Roku designed and published. There is no security risk to our customers’ accounts or the Roku platform with the use of this API. In addition, consumers can turn off this feature on their Roku player or Roku TV by going to Settings>System>Advanced System Settings>External Control>Disabled.

    In addition the article discusses the use of ACR (Automatic Content Recognition). We took a different approach from other companies to ensure consumers have the choice to opt-in. ACR is not enabled by default on Roku TVs. Consumers must activate it. And if they choose to use the feature it can be disabled at any time. To disable consumers have to uncheck Settings > Privacy > Smart TV experience > Use info from TV inputs.

    We take the security of our platform and the privacy of our users very seriously.

    Happy Streaming!

    1. Re: From Roku by JackieBrown · · Score: 3, Informative

      So you want them to close their API and lock down what 3rd part developers can do? This is an opt in as well, not opt out.

      Next, more bitching that you can root your android phone and install possibly dangerous 3rd party apps. Followed by google making it hard to root and then people bitching that it is their phone to do what they want

    2. Re: From Roku by UnknowingFool · · Score: 3, Informative

      No what the rebuttal misconstrues and gets wrong from Consumer Reports criticism is not that Roku has an API for 3rd party developers but that the API itself is unsecured.

      The problem we found involved the application programming interface, or API, the program that lets developers make their own products work with the Roku platform. “Roku devices have a totally unsecured remote control API enabled by default,” says Eason Goodale, Disconnect’s lead engineer. “This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign.” And, it turned out we weren’t the first to notice this: The unsecured API had been discussed in online programming forums since 2015.

      Also the advice given by Roku is already addressed in the article. Disabling External Control will prevent hacking however it also disables Roku's own app.

      A Roku spokeswoman said via email, “There is no security risk to our customers’ accounts or the Roku platform with the use of this API,” and pointed out that the External Control feature can be turned off in the settings. However, this will also disable control of the device through Roku’s own app.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  3. you have to be in the same network by OppMan29 · · Score: 4, Informative

    in order to control the Roku TV....if you are already in my WiFi network I'm sure that turning up the volume on the tv is not what im worry about..

  4. Bullshit. by msauve · · Score: 4, Informative

    They're like lots of IOT devices - wide open on the local network for nefarious things like cranking up the volume. Not so much for the exaggerated claim that it can be done from the Internet. That's not happening unless you went out of your way to specifically configure your NAT gateway to allow incoming connections to your TV, in which case it's your own damn fault.

    Sure, Roku and some others (a number of AVRs come to mind) and have no security, but in practical terms, it's only a matter of annoyance.

    Reminds me on the time Consumer's Report dinged VW for only having a single turn signal "blinker" indicator on the dashboard, instead of two (showing left/right). Only an idiot CR reviewer wouldn't remember which way they wanted to turn and need a reminder.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Bullshit. by BitterOak · · Score: 2

      They're like lots of IOT devices - wide open on the local network for nefarious things like cranking up the volume. Not so much for the exaggerated claim that it can be done from the Internet. That's not happening unless you went out of your way to specifically configure your NAT gateway to allow incoming connections to your TV, in which case it's your own damn fault.

      But then you're just moving the security from one device (the television) to another (the router). So if a vulnerability is found in your router, perhaps a zero-day exploit for which a patch isn't available for several weeks, then your television is vulnerable as well. You might say something like "If your router is hacked, have have bigger problems than the fact that someone can control your TV!" That may be true, but it misses the point. There is NO GOOD REASON why televisions need to be designed in such a way that they are vulnerable to this kind of hacking, especially if people don't really want or need a lot of "smart TV" features, i.e. just watching over the air broadcasts, or DVD/BluRay discs, or playing video games. This is why I don't like smart TVs. A separate TV and streaming box is much safer and more flexible.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    2. Re:Bullshit. by chispito · · Score: 4, Insightful

      But then you're just moving the security from one device (the television) to another (the router).

      It turns out all TVs have are vulnerable to infrared hacking! If your window is open, hackers can control your TV! This just moves the security from the TV to the blinds.

      There is NO GOOD REASON why televisions need to be designed in such a way that they are vulnerable to this kind of hacking, especially if people don't really want or need a lot of "smart TV" features, i.e. just watching over the air broadcasts, or DVD/BluRay discs, or playing video games.

      Then don't put it on your network. Problem solved.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    3. Re:Bullshit. by uvajed_ekil · · Score: 2

      The real takeaway here: be afraid, VERY AFRAID! *They* are watching, even if your TV doesn't have a camera - *they* are very clever, and have a whole lot of time to waste spying on super-important people like you.

      I get it, tons of IOT things are vulnerable to remote hijacking of various types. But I'm not worried about someone changing my volume - I'm sorry for them if that's how they spend their time. This all reminds me of the PSAs on the Justice Network, which are all just a nice cop smiling and telling you to be deathly afraid every time you do things like walk across a parking lot or use an ATM. Be cautious, of course, but if you're afraid all the time then the hackers/terrorists are winning.

      --
      This is a hacked account, for which the owner can not be held responsible.
    4. Re:Bullshit. by AmiMoJo · · Score: 2

      It turns out all TVs have are vulnerable to infrared hacking! If your window is open, hackers can control your TV! This just moves the security from the TV to the blinds.

      Kids do this occasionally around here. Take their Sky satellite TV remote and wonder around changing people's TVs to the porn channels and cranking the volume up.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. I'm continually disappointed by bobstreo · · Score: 2

    that my (bought for lack of smart features) dumb TV continues to not have any of these issues.

  6. Re:Dont network by uvajed_ekil · · Score: 3, Insightful

    If in doubt about a device that suggests it needs network, don't connect the network.

    Wait, do you have one of those new-fangled magic smart TVs that can access DirecTV NOW, Netflix, and Amazon without connecting to a network? Good for you, but I'm more than happy to connect my vulnerable TCL to my home network. I mean, I wouldn't connect my refrigerator or my sewing machine, but there's nothing you can do with my TV that concerns me. And I like what the Roku interface can do.

    --
    This is a hacked account, for which the owner can not be held responsible.
  7. Re: Don't let it talk back. by Brockmire · · Score: 2

    Or you can go to someone who knows what the fuck they are doing and skip all that. Was waiting for your tin foil step.

  8. Re:So? by WaffleMonster · · Score: 2

    Good luck, The problem isn't hackers turning your TV on and off or controlling the channel or volume. It is when one of these exploits lets them use the TV or other IoT device as a jumping off point to the more sensitive points within your network.

    Good luck when someone finds a way to inject malware into your network though one of these devices that manages to infect every desktop on the network. Why would someone want to do this you say? Have you ever heard of crypto paid ransomware? Now you know!

    If someone can get to your smart TV behind your LAN what stops them from getting to whatever other shit exists behind same LAN? Why is it necessary to hack TV as a jumping off point?

    For example say someone with your home WiFi password installs Mr Clean's malware app on their smart phone. What prevents the app from attacking your systems directly without the smart TV foothold?

    What access scenario in TFA is necessarily limited to smart TV?

    Please don't misunderstand. I'm not arguing rooting televisions is harmless or that your point isn't worth considering. It's just your point assumes a level of selectivity that does not seem credible.

  9. Published? by jrumney · · Score: 2

    So did they publish it so we can take control of our own TVs?

    I've seen that Samsung has Android apps available that work only on Samsung phones. And a bunch of other guys have advertising laden apps that ask for far too many permissions just like the Samsung one. What I really want is to control my TV from my Home Automation server in response to other events (since the HDMI-CEC on Samsung TVs is next to useless).

    1. Re:Published? by ody · · Score: 2

      What I really want is to control my TV from my Home Automation server in response to other events (since the HDMI-CEC on Samsung TVs is next to useless).

      Agreed. I'd very much to have a means to control my Fire TV from my home automation server (without using the kludgey ADB hack), but they have it locked behind an undocumented, encrypted API that AFAIK is currently only supported by Google and Amazon apps.

      I think what CR calls a "security vulnerability" I'd call an "Open API".

  10. Re:Dont network by packrat0x · · Score: 2

    The problem is that a Sumsung smart TV has WiFi. It is reaching out to any Access Point it can find in its desparate attempt to phone home.

    --
    227-3517
  11. Re:Dont network by AmiMoJo · · Score: 2

    I'm surprised no-one has done a Kickstarter for a firewall appliance dedicated to TVs and other IoT devices. It would block all incoming connections and only allow outgoing ones to a whitelist of approved domains. You could have an app that lets you enable specific services like YouTube and Netflix, but nothing else.

    As an added bonus it could block ads on services like YouTube.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  12. Better things to do by sjbe · · Score: 2

    Best thing to do is return the product.

    A) That will never happen in any meaningful scale.
    B) A better thing to do is to simply not connect the device to a network if you don't have a compelling need to do so. Can't be hacked if it can't be reached.
    C) Another better thing to do is for some enterprising lawyer(s) to sue them until they get the message. EULA be damned lawsuits will cost them money even if they win so eventually it becomes cheaper to actually provide real security.
    D) EULA that you don't agree to prior to purchase are on thin legal ground. There is plenty of precedent for holding such agreements invalid when they cannot be examined prior to handing over money. Expecting someone to bear the cost of returning a large TV is arguably unreasonable when the terms of purchase/use weren't available prior to purchase.

  13. Re:Overconfidence by flink · · Score: 2

    Good for you, but I'm more than happy to connect my vulnerable TCL to my home network.

    And just how confident are you that your home network is some impregnable fortress? Unless you are an anal retentive network security professional I'm dubious you have it locked down tight.

    If you've owned someones router sufficiently to get onto their LAN, why would you bother with their TV? There are way richer targets on the average home network.

    To quote the article:

    To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code.

    Yeah, if you can get someone to do that, you've already compromised the device they installed the application on and have full access to their LAN. Why bother futzing with their TV volume: start harvesting passwords from network traffic or trying to exploit other PCs on the LAN.

    This looks like it is going after the unsecured API that lets you send YouTube videos from your phone to Rokus on the the same LAN segment. Unless you are hanging your streaming devices out on the public internet with routable IPs and no firewall it's not a huge issue.