ReVuln, a Malta-based security consulting firm, has discovered a technique by which a hacker can take total control of a Samsung Smart TV. The attacker can literally take control of your television: changing channels, installing custom firmware, viewing remotely through the webcam, or transferring files on and off USB sticks, according to a story at Ars Technica.
“At this point the attacker has complete control over the device,” he wrote in an e-mail to Ars. “So we are talking about applying custom firmwares, spying on the victim if camera and microphone are available, stealing any credential and account stored… on the device, using his own certificates when accessing https websites, and tracking any activity of the victim (movies, photos, music, and websites seen) and so on. You become the TV.”
This isn’t the first time ReVuln agent Luis Auriemma has gone after Samsung televisions; he generated a repeating reboot loop last spring. While devices sitting behind a router using network address translation seem to be safe (for the moment), new internet protocols may bypass that protection. Even if they don’t, this story demonstrates that anyone with access to your local network, physically or via WiFi, could hack into your TV with the right know-how.
ReVuln is a firm that specializes in finding security exploits and then selling that information to anyone willing to pay. This includes vulnerabilities in software like SCADA, which controls many aspects of infrastructure like power grids, airports and more. Instead of the discreet “bounty” system that was typically used in the past, where a reward would be given in exchange for discreet delivery of the information, ReVuln is opening up millions of people to attack, directly or indirectly. There’s a reason why companies like ReVuln and SlySoft hide in places like New Guinea and Malta: they know that it’s unlikely that the local governments will do anything about their activities.
In the developing world, Smart TVs are quickly becoming what families use instead of a home PC, and since patching them is a major affair, and support for older models is often discontinued quickly, this is even further cause for concern (Windows by comparison enjoys eight years of security updates or more).
With smart connected devices penetrating every aspect of life, including ovens and refrigerators, companies that manufacture them need to be proactive in creating secure devices that are modular enough to enable patching without the need for a major certification process.
So does this mean you should unplug everything when not in use? Well, that’s certainly the safest method, but there’s no need to get that paranoid about it yet. Making sure that your router security is enabled is a good first step. Don’t leave passwords stored on the system, especially when important financial information is stored there. So in the very unlikely event that someone using this exploit does pay a visit, there’s not going to be a lot of reasons for them to stick around.
Via: [Ars Technica]