Smart TV Exploit Means Hackers Can Watch You Watch TV

from the i-spy-with-my-little-eye dept

Remember all the hubbub (now there's a word I never thought I'd use; thanks a lot, aging process) over Comcast's kind of, maybe plan to spy on subscribers through their cable box as they watch TV, fold their laundry, or engage in coitus? There was quite an outcry at the time, even as Comcast said that the plan was only to have the cameras be able to recognize when different types or numbers of people were watching the tube. People just didn't feel comfortable with corporations being able to spy on them. As a result, Comcast backed away from the plan -- the people had defeated the corporation.

All, apparently, so that hackers could spy on them instead. At least, that's what some reports are saying about Samsung Smart TVs and an exploit that would allow hackers to snatch social media credentials, access any files or devices connected to the smart TV...oh, and to use the built-in cameras to spy the hell out of people as they do whatever they do while watching television.
In an e-mail exchange with Security Ledger, the Malta-based firm said that the previously unknown ("zero day") hole affects Samsung Smart TVs running the latest version of the company's Linux-based firmware. It could give an attacker the ability to access any file available on the remote device, as well as external devices (such as USB drives) connected to the TV. And, in an Orwellian twist, the hole could be used to access cameras and microphones attached to the Smart TVs, giving a remote attacker the ability to spy on those viewing a compromised set.
The group that reportedly discovered the vulnerability, ReVuln, proudly stated that they would not publish any information about what they'd uncovered except to paying subscribers because screw everyone else (not an actual quote). They also have a company policy, apparently, that would prevent them from working with Samsung directly on a fix or even disclosing the hole to it, leading me to reach the logical conclusion that Dr. Evil is apparently running that company.

Even more fun, thanks to how Samsung designed the product, chances are any fix that could be produced would be difficult to implement.
Currently, the Smart TVs offer no native security features, such as a firewall, user authentication or application whitelisting. More critically: there is no independent software update capability, meaning that, barring a firmware update from Samsung, the exploitable hole can't be patched without "voiding the device's warranty and using other exploits," ReVuln said.

The company posted a video of an attack on a Samsung TV LED 3D Smart TV online. It shows an attacker gaining shell access to the TV, copying the contents of its hard drive to an external device and mounting them on a local drive, providing access to photos, documents and other content. ReVuln said an attacker would also be able to lift credentials from any social networks or other online services accessed from the device.
In other words, customers get to wait around until Samsung can figure this thing out on their own, since ReVuln won't help them out by company policy, or risk voiding their warranty on their smart TV that has a complete lack of security features. Nicely done, everyone involved.


Reader Comments

  •  
    Lobo Santo, Dec 12th, 2012 @ 3:19pm

    And the fix:

    About 1 square inch of duct-tape.

     

  •  
    Zakida Paul, Dec 12th, 2012 @ 3:24pm

    So, how many of you watch porn with your trousers round your ankles on your smart TV?

    I can see you....

     

  •  
    The Real Michael, Dec 12th, 2012 @ 3:27pm

    They should change the name to Stupid TV, because that's what you'd have to be to purchase a TV with a built-in camera/microphone: Stupid.

     

    •  
      gorehound, Dec 12th, 2012 @ 5:50pm

      Re:

      And this is something I also believe.
      No way will you ever see a TV w/ Cam & Mike here...............and if the day comes when that is the only way to get a TV then I will violate the Warranty to make sure it never will work.

       

      •  
        The Real Michael, Dec 13th, 2012 @ 5:20am

        Re: Re:

        If you managed to successfully disable or remove the camera/mic, you're good to go. But you can bet in the future that manufacturers will integrate them in such a way that if removed, the TV won't work. I'd rather buy a refurbished vintage TV than one of those Stupid TVs.

         

  •  
    Anonymous Coward, Dec 12th, 2012 @ 3:41pm

    Not sure the bashing of ReVuln's business model is justified. That's one way a company like that makes money. Discovering things no one else does. If they make all that information free, they can't make money fixing things etc.

    As they say in Malta, "Il-hovercraft tiegħi hu mimli sallur!"

     

    •  
      athe, Dec 12th, 2012 @ 6:20pm

      Re:

      So how do they make money if their company policy prevents them from disclosing information (for a price, obviously) to the people who are able to fix it (Samsung)?

       

      •  
        Anonymous Coward, Dec 12th, 2012 @ 10:55pm

        Re: Re:

        Yeah, you would think the only "person" who would be willing to give you a substantial (>1MM) amount of money for a fix would be the product's manufacturer.

         

  •  
    Anonymous Coward, Dec 12th, 2012 @ 3:43pm

    So this is how Samsung spied on Apple? I'm sure Apple is getting rid of all Samsung TVs (smart or dumb) from its offices.

     

  •  
    Anonymous Coward, Dec 12th, 2012 @ 3:46pm

    Thankfully I don't own a "smart" tv... but would you be safe as long as it isn't connected to the internet?

     

  •  
    FormerAC, Dec 12th, 2012 @ 3:47pm

    Who didn't see this coming?

    The very first time I saw a commercial for these TVs I said to my friends there would be a hack like this. It's a no-brainer.

    However I do see a great creeper business opportunity here ... set up a website where you can watch a random person watching TV. The ultimate in reality television.

     

  •  
    Anonymous Coward, Dec 12th, 2012 @ 3:47pm

    Nope not in the market for a tv. So good luck hacking a non-existent one. If I were in the market for a tv, it would be one that doesn't connect to the internet, won't use PPV, and won't be trying to access anything not directly plugged into it of my own devices.

    This is just one more example of why targeted ads are such a bad idea. There seems to be no bottom of the barrel too low to stoop to when it comes to money and commercials. Privacy is the first thing to fall. We've tons of examples where to ad companies targeted ads are their wet dream. They tend to act like just everyone is dying to access their latest dumb ideas.

    Here's one that doesn't want ads, doesn't have to have them, can't see where anything is cheaper because of them. I recall not one single time when some company said you don't owe us this month because ads are paying for it.

    Not one solitary time.

     

  •  
    Tunnen, Dec 12th, 2012 @ 3:51pm

    Isn't this part of one of those old "In Soviet Russia" jokes?

    You watch TV, but in Soviet Russia TV watches you!

     

  •  
    That One Guy, Dec 12th, 2012 @ 3:56pm

    Hmm, this has some potential advertising value for any manufacturer who doesn't make smart tv's.

    "Smart TV's: Not such a smart idea after all."

     

  •  
    Anonymous Coward, Dec 12th, 2012 @ 4:00pm

    Verizon patent suit in 3... 2... 1...

     

  •  
    Anonymous Coward, Dec 12th, 2012 @ 4:06pm

    So they announce finding a hole, but won't tell the company what it is?

    I'm sorry, what exactly is this company's business plan? Find vulns and convince others that they should become "subscribers" so they know what they are?

     

  •  
    Anonymous Coward, Dec 12th, 2012 @ 5:19pm

    Don't worry guys, 51% of the country WANTS to exercise their right to voyeurism, it's the other half that wants privacy, so of course we don't get a say

    Instead of using government resources to stop this stuff, through software security awareness, they'd rather install their own backdoors

    Oh rejoice the voyeurs of the world

     

  •  
    Anonymous Coward, Dec 12th, 2012 @ 5:28pm

    What's the difference between government surveillance and hacker surveillance?

    One, you get no choice in the matter, and the other you............oh wait......never mind

     

  •  
    Anonymous Coward, Dec 12th, 2012 @ 5:45pm

    The question we gotta start asking ourselves, this shows for everyone to see, what the hardware and software is capable of, question is, do ALL corporations out there, with their outspoken belief in EVERYONE'S liberty, which they continue to show us in a loving way........not putting their own, CLOSED source snooping tools.

    Silly me, I'm sure there is accountability for this very thing, I mean it's so obvious that I should just assume that it is........oh my government, how much like a warm blanket you are before the winter hits

     

  •  
    Anonymous Coward, Dec 12th, 2012 @ 5:48pm

    Sorry for quadruple post, techdirt issues

     

  •  
    Anonymous Coward, Dec 12th, 2012 @ 5:51pm

    A free society Vs a society dictated by "representatives", the 1%

    One is not like the other

     

  •  
    Anonymous Coward, Dec 12th, 2012 @ 5:57pm

    Well the news that these TVs can be hacked to spy on people isn't really surprising. Of course it's good to spread the news so everyone is aware of it, but anyone a bit savvy about computers and the Internet would know that 1) It's possible to hack into any device connected to the Internet - nothing is or has ever been 100% secure and 2) This includes webcams and microphones.

    I'm baffled some people would be so naive as to think those TVs are safe, but I guess a lot of folk just haven't received proper education about computers and the web.

     

    •  
      Anonymous Coward, Dec 12th, 2012 @ 6:10pm

      Re:

      And the simple solution, isolate the important information, on the important computer from the important internet

      No bluetooth, no wifi, no cables

      Only worrying about the more easier to identify, human "physical" element

      Who writes these damn cybersecurity bills

       

    •  
      nasch, Dec 13th, 2012 @ 1:16pm

      Re:

      I'm baffled some people would be so naive as to think those TVs are safe, but I guess a lot of folk just haven't received proper education about computers and the web.

      To the average consumer, this isn't a computer, it's a TV. So how could a TV have computer vulnerabilities? Getting hacked is something that happens to computers, not TVs, right? I don't know what Samsung's excuse is; they certainly know it's a computer.

       

  •  
    Travicane, Dec 12th, 2012 @ 6:24pm

    Most of these POC Smart TV's have a virtually useless USB Port (as do set top boxes, etc). The Linux kernel/custom shell is not accessible by the user. So the fact that the TV is Linux is relevant only to hackers.

    If the TV was based on true open source linux with a user friendly shell, with a usable USB port, a solution would likely be available in days for a moderately tech smart user. These are becoming more common as time goes by, as the old in mind die off!

    Don't yell at me for being ageist, I am a senior.

     

  •  
    Overcast, Dec 12th, 2012 @ 7:33pm

    And even if this gets fixed, other exploits will be found.

    The groups that fluff their chest and make a deal out of it, I don't worry about too much - it's those that don't say anything about what they are hacking into - those worry me.

     

  •  
    Overcast, Dec 12th, 2012 @ 7:34pm

    Speaking of which - why don't these companies provide lens covers for these device cameras? That way you KNOW if it's able to see anything or not.

     

    •  
      Anonymous Coward, Dec 13th, 2012 @ 10:34am

      Re:

      You're not the only one with that thought

      Of course if they were really determined to invade privacy, I guess they could r&d on methods to conceal a second camera

      In that scenario, god bless the hobbyists who like tearing into their technology to document online, the individual components used in our technology

       

      •  
        Anonymous Coward, Dec 13th, 2012 @ 11:12am

        Re: Re:

        Possible Hobbyist scenario:
        "Look at the spec list, there are 4 HD camera devices included in the TV design specs, but only one of them is listed as the 'Audience viewing device', the other 3 are listed as:
        Corporate Information Retrieval Device (do not access or warranty void)
        Government Information Retrieval Device (do not access or warranty void)
        Backup Information Retrieval Device (do not access or warranty void)

        I wonder where those are and what information they are retrieving and for who?"

        Patenting and copyrighting this so that when it happens, I can sue and collect my payday (that's what we are all waiting for right, being able to sue our way to being one of the 'rich elite').

         

  •  
    Migzy, Dec 12th, 2012 @ 8:48pm

    uhh install a firewall/router??

    Not sure why nobody else has pointed out the obvious but most likely a properly configured router would solve the issue...

    From the video of the exploit on the linked article it looks like they need direct IP access to said tv to exploit it...

     

    •  
      nasch, Dec 13th, 2012 @ 1:19pm

      Re: uhh install a firewall/router??

      Not sure why nobody else has pointed out the obvious but most likely a properly configured router would solve the issue...

      A) Other people have pointed it out. B) What percentage of internet users in the US do you suppose have a properly configured router, or have any idea how to configure one? I would be surprised if it's half.

       

  •  
    anonymouse, Dec 12th, 2012 @ 10:51pm

    not that exciting really

    I used to work for a big Telecom company and I had the ability to listen in to any telephone conversation, all I needed to do was plug my headset in and away you go, now it is even simpler as you can do everything on a screen and have a headset on all day. Even with all of this power, with the ability to listen to hundreds of thousands of people, it took a total of less than 15 minutes of listening to different conversations to get bored, imagine the hackers, hacking into cameras facing a wall or to a group of people watching tv, how boring, the chances of anyone having sex or being naked in front of the tv is so small it would be a 1 in a million chance to catch someone at it.
    Saying that I still put some tape over my camera and make sure the xbox is switched off, especially if I am going to have sex.

     

    •  
      The Real Michael, Dec 13th, 2012 @ 5:27am

      Re: not that exciting really

      Well, sex wouldn't be the only incentive. A hacker can find a person of interest, e.g. an attractive young girl, and make her the target of his fantasies, always watching her. Who knows? Maybe he'll even figure out where she lives...

      That being said, the solution is simple: keep the TVs with the built-in camera/mic out of your home.

       

    •  
      John Fenderson, Dec 13th, 2012 @ 9:50am

      Re: not that exciting really

      Personally, I'd be far less concerned with hackers than with corporate and government spying.

       

  •  
    Paul Keating, Dec 13th, 2012 @ 2:44am

    Product Return

    "Chaching" the sound of Samsung refunding all of those willing to simply take back their TV under a warranty claim.

     

  •  
    Paul Keating, Dec 13th, 2012 @ 2:45am

    Think of the children............

    "think of the children" approach would work wonders here.........

     

  •  
    fairuse, Dec 13th, 2012 @ 4:16am

    Samsung's motives are always suspect

    Key piece of information here is LED 3D TV. I do not know how many people own 3D TV sets but my take is 3D TV is a flop.

    Samsung invested in a prototype and that is all the Smart TV is. DOA

     

    •  
      BigKeithO, Dec 13th, 2012 @ 11:39am

      Re: Samsung's motives are always suspect

      I have a 3D / Smart TV. The 3D and the Smart portion might not be very useful but that doesn't mean the set is DOA. The TV itself is extremely nice, the 3D and Smart portion were just tacked on and didn't cost anything extra. Seems silly to call them DOA.

      The best use of 3D I've seen to date has to be video games. Try out a little Assassin's Creed in 3D before you write the entire thing off. Next Gen consoles + 3D TV's... you might see them take off.

       

      •  
        fairuse, Dec 13th, 2012 @ 10:02pm

        Re: Re: Samsung's motives are always suspect

        Point taken. Browsing Samsung site I get the impression the target market for the set is not "family 8:00p - 11:00p cop shows, reality shows, etc."

        Targeted Buyer
        The person who can drop 3 to 6 grand on big screens for graphics. Everything displayed via compressed cable feed is just gravy.

         

  •  
    Anonymous Coward, Dec 13th, 2012 @ 5:16am

    This is why I love my HTPC I built it and at the very least I can at least fix it when it breaks even if it is as insecure as any other type of hardware connected to the internet.

     

  •  
    Anonymous Coward, Dec 13th, 2012 @ 7:36am

    Isn't this already happening with our computers anyways?

     

  •  
    John85851, Dec 13th, 2012 @ 12:02pm

    Who needs all these "smart" features?

    I can understand smart TV's including things like NetFlix or Hulu or other streaming services, but do any customers really NEED Facebook, Twitter, or a *camera* on their TV? Who thought putting a camera on a TV was a good idea?

     

  •  
    Barry, Dec 13th, 2012 @ 2:16pm

    Blackmail?

    Come on folks, this is an easy one. The Russians or Democrats set up a free porn site (I'm sure this has already been done). When a politician or anyone possibly considering running against a socialist watches / streams / downloads anything at all, then does what every single man on this planet and most women do (a man can hope), the incumbent politicians now have a video of you diddling yourself (that's not where the term "turning Japanese" comes from). Obama says "hey, I'm sticking around for a few more terms until I finish this transformation" and who's gonna object with the threat of their personal porn video being released on the internet?

     

  •  
    F!, Dec 14th, 2012 @ 12:55am

    I thought people were ok with this?

    Why is it OK for a laptop to have a built in camera, if it sounds like a stupid idea for a TV? I still think anyone who accepts them on laptops must have a hole in their head.

    How many of you have cameras on your desktop machines that you leave plugged into the computer, which runs all day long?

    Cameras on your personal tracking device (otherwise known as cell phones)?

    Web cams are simply an open invitation to Big Brother (and hackers). I recall my initial instinctive reaction when I first heard of them in the 1990s was one of absolute disgust and bafflement that anyone could ever want such a privacy invasive toy. I didn't expect them to last long. Boy was I wrong...

    I'm still no less baffled and disgusted than I was then.

    So please explain why it's suddenly not OK to have them on your TV when you have them everywhere else?

     

  •  
    hahah, Dec 21st, 2012 @ 7:43am

    umm ..

    just because a device isn't connected to the internet doesn't mean it isn't capable of being spied.. bluetooth is some scary stuff too.

     
