TVs Now 'Smart' Enough To Get Hijacked, Pick Up Malware

from the what-a-time-to-be-alive! dept

Hook a “smart” TV up to a “dumb” pipe and this is the inevitable result.

In a comment on Reddit this week, user “moeburn” raised the possibility of new malware circulating for Smart TVs:

My sister got a virus on her TV. A VIRUS ON HER GODDAMN TV.
It was an LG Smart TV with a built in web browser, and she managed to get a DNS Hijacker that would say “Your computer is infected please send us money to fix it” any time she tried to do anything on the TV.

The Reddit post included this image:


If a TV can surf the web, it can be hijacked or pick up malware. It’s a little tougher to make malware stick to smart TV browsers, but while the commenter’s outrage might be warranted, shock isn’t.

SecureList dug into this hijacker and has both good news and bad news. The good news is this particular version was only live for a few days and disappeared more than four months ago. The bad news is that there’s nothing particularly unique about the attempted hijacking. Multiple domains served as hosts for the malware, including a handful at Amazon’s cloud services.

It’s not a new threat, but spotting it on a smart TV is rather novel. SecureList chased down other versions of the same scammy Javascript — which prompts people to call a phone number to “protect” their TV from malware — including this fantastic bit of non-native English that both impersonates a Chrome warning page and suggests your TV is now a portal to a vast selection of retail outlets.

MY GOD. IT'S FULL OF KIOSKS.

Fortunately, it appears this hijacking can be easily dodged. Even though the code prevents browsers from closing the dialog box (it will just pop up again), the threat can be nullified in other ways.

We also ran the file on a Samsung Smart TV and got the same result. It was possible to close the browser, but it did not change any browser or DNS settings. Turning it off and on again solved the problem as well. It is possible that other malware was involved in the case reported on Reddit, that changed the browser or network settings.

As SecureList points out, it’s not a smart TV-directed threat. It’s just something that will attack any browser on any device. Other variants may change browser settings or attempt to dump a malware payload, but this one appears incapable of doing so. And while it’s only a matter of time before this becomes more widespread, there are a number of factors limiting attacks on smart TVs.

  • Smart TVs are not often used to surf the web and users seldom install any app from web pages other than the vendor’s App Store – as it is the case with mobile devices
  • Vendors are using different operating systems: Android TV, Firefox OS, Tizen, WebOS.
  • Hardware and OS may even change from series to series, causing malware to be incompatible.
  • There are by far fewer users surfing the web or reading email on the TV compared to PCs or mobile devices.

But this is coupled with more bad news: if it has a browser, it can be attacked. Someone’s going to end up with a “ransomed” TV at some point… or a fridge… or anything else a manufacturer has decided would be more attractive to consumers with added connectivity.

Filed Under: ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “TVs Now 'Smart' Enough To Get Hijacked, Pick Up Malware”

Subscribe: RSS Leave a comment
45 Comments
That One Guy (profile) says:

Missed one

And while it’s only a matter of time before this becomes more widespread, there are a number of factors limiting attacks on smart TVs.

You left out a rather large reason why the attackers might be interested in targeting ‘smart’ devices like tvs:

The built in security is often laughable, if it exists at all.

Combine pathetic security with the makers of the ‘smart’ devices trying to grab as much data as they can for advertising purposes, not to mention the ‘convenience’ of having multiple devices linked together allowing the weakest link to act as a security hole for other devices that would otherwise be more secure, and while ‘smart’ devices may present problems for attackers, they also offer some very tempting targets.

That Anonymous Coward (profile) says:

Re: Missed one

Not to mention all of the systems that are always listening or offer camera views. All of those patents on getting people to stand up and cheer or say something to make an ad go by faster… who wouldn’t like to be able to look into peoples homes to find the nicer ones to empty? Or snapping photos from inside someones bedroom. Or that smarttv that was scanning all attached storage it had access to on the network if it was played on the tv or not… how hard to make it upload full files rather than just filenames?

Smart TVs suffer from the corporate blinders of nothing bad came come from this.
We have an awesome idea and everything will be perfect.
Budget for security? Why would we waste money on that?
Nothing bad will happen and even if bad things happen it’ll be down the road while we are making money today.

Stick a computer in everything!!! We can charge 3 times the price, it’ll be great! As more of these enter the market, there will be more targeted attacks…

Anonymous Anonymous Coward says:

Re: Missed one

Yes. Exactly how is one going to know that it’s their smart toaster that is looking through that camera on the smart TV and sending information to whomever and their brother-in-law while the smart thermostat is monitoring the smart garage door opener to determine if your home or not while the smart refrigerator spoofs the smart security system with images of half empty milk containers and redirecting signals intended for the monitoring company to YouTube so would be thieves know that the coast is clear and they can come in and collect all your non-smart stuff?

Anonymous Coward says:

Re: Re:

Well… that has been done a few years ago. The medical implant was a pacemaker and the range was 30 feet. But before the attack could be made public the person died. I guess he was suicided, fell down the stairs or locked himself inside a sports bag and then put the keys to the lock under the bag afterwards… you know… classical suicide. After all you don’t want an attack that could kill a high level politician to be known to the public.

Anonymous Coward says:

Never mind medical implants there are MANY publicly accessible “industrial controls” with vendor default username/passwords. Until you search on Shodan and do a little poking and see that it includes Railway controls you do not get a really good realization of how truly lucky we are that trains are not ramming into each other every day.

Violynne (profile) says:

This isn’t an issue about television security. This is an issue about consumer stupidity being so damn problematic as to hook a fucking television to the internet.

No excuses will ever be accepted as to justify any reason to hook a television to the internet.

These consumers get everything they deserve being this fucking stupid.

Next, they’ll want to hook a teapot, light bulb, toaster, refrigerator, oven, or any other electrical device to the internet because “IT’S SO KEWL!”

Poetic justice, dispensed.

klaus (profile) says:

Re: Re: Re:

I’m sensing massive and subtle sarcasm. I got through the below before I thought… woah there Spartacus

“This is an issue about consumer stupidity being so damn problematic as to hook a fucking television to the internet.”

Way to blame the victim. This is absolutely about TV security and trust. What are people going to do when TVs ship with their own cellular chips, and don’t even bother asking for your wifi password? Will you be wrapping your TV in aluminium foil?

Anonymous Coward says:

Re: Re:

“These consumers get everything they deserve being this fucking stupid.”

Nice try TV industry.

I have a hard time with this “blame the victim” mentality, is there a particular reason you dislike ignorant consumers more than you dislike greedy manufacturers?

I doubt many consumers are demanding the “Internet Of Things”, no – it is the manufacturers who are trying to convince the consumers they need this shit.

Anonymous Coward says:

Re: Re:

No excuses will ever be accepted as to justify any reason to hook a television to the internet.

Well, not until all TV manufacturers decide that their TV’s need to phone home every ten minutes because [BS Marketing Reason].

I guess we should be saying ‘monitor’ or ‘display’ at this point, though. I’d assume that TVs will disappear, since I doubt that very many people use ’em as tuners anymore.

tqk (profile) says:

Re: Re:

No excuses will ever be accepted as to justify any reason to hook a television to the internet.

The fact that it exists and is selling TVs disproves that. As for the reason, of course it’s money, for selling their customers’ personal information to “business partners.” I’d expect customers to run away screaming from it, but most customers aren’t “tech-savvy” and tend to believe marketing pitches which boast consumer benefits of a connected experience.

radix (profile) says:

What's the market?

Who is demanding “smart” TVs anyway?

People who want to watch Netflix, but DON’T have a game console, roku/slingbox/etc, blu-ray player, or even an HDMI cable long enough to stretch from a computer?

Are the TV manufacturers getting kickbacks from the OTT service providers for including their apps? There’s got to be some reason they are putting so much effort into doing something so badly.

Anonymous Coward says:

Re: What's the market?

“People who want to watch Netflix, but DON’T have a game console, roku/slingbox/etc, blu-ray player, or even an HDMI cable long enough to stretch from a computer?”

That would be people looking for the elegant solution, one screen with no attached boxes. The simplicity of it, the clean lines. Give me an Xbox that’s an app that I download to my television rather than an ugly clunky box that sits beside it.

Tim K (profile) says:

Why do I even have to buy a smart tv?!?

I don’t want a smart tv. Not because of this, though this isn’t surprising. But it adds expense, and often the UI/UX is pretty terrible. as radix mentioned you have ~$30 devices like chromecast/fire stick if you want smart functionality. And those can easily/cheaply be upgraded. I don’t want to have to upgrade my TV every few years because some new app came out that my TV doesn’t support. So why bother making TVs ‘smart’ to begin with? It seems the only way to get ‘dumb’ TVs mostly now is to get off brand TVs. Can someone please start selling dumb TVs again that are a bit cheaper than these supposed smart TVs.

Anonymous Coward says:

Re: Why do I even have to buy a smart tv?!?

I bought a TV in the early days of connectivity, it had an ethernet port but there was no real implementation of it at the time (remember DLNA). Eventually software caught up and I was able to connect the TV to the router and serve content to it from a mac running Serviio, now I’ve got a TV that only faces my network and not the internet and I’m very glad of that – but everything on my hard drive is available on the big screen.

Anonymous Coward says:

what means "disappeared"?

What exactly does “disappeared” mean, in context of this malware?

The article states:

“The good news is this particular version was only live for a few days and disappeared more than four months ago.”

At a glance, one might think that “disappeared” = “gone”, yet the TV that is the subject of the article managed to catch it (even though it “disappeared”).

So does “disappeared” mean it went into stealth mode or something? Or does “good news” mean Good News™? Or.. ?

Chronno S. Trigger (profile) says:

Re: what means "disappeared"?

In this case, the virus went offline and cannot be contracted from the original source. It has also not been found again in the wild (not saying it’s gone, just saying it’s not around right now). The Reddit post in question was from a while ago (if it was real in the first place), and the other examples are simple JavaScript fake outs.

Anonymous Coward says:

We are coming up on a pivot point. All these things connected to the internet so that they can be datamined about who you are and what you do in your life. As usual, no one thinks security till after the fact. So all that bought these smart tvs that will connect to the internet are in for some real experiences down the road in a few years. Sadly, it’s not just tvs.

Your vehicle, the traffic lights, your electricity provider, your water provider, grocery stores you buy your food from, your clothes from, nearly every business now has a presence on the internet.

Hackers will always go to the easiest and weakest point to get into money access. The two together spell some serious problems that are just beginning to show up but are the future.

I want nothing connected to the internet with the exception of my computer, which I can turn off. No wifi is allowed in this house. The tablet is not going to phone home. No internet connected devices that require the internet will be allowed in this household.

Even that does not prevent future problems. We are today in the same position as we were with MADD for nuclear war. That is the citizens are vulnerable totally with all this spying creating access points that have or will be discovered in the future. At some point someone is going to take advantage of it and when you go to the store you’re going to find people piled up in car wrecks at intersections, no food at the stores, no water at home, no electricity either, and it will all come to a head by such short sighted applications as you are seeing with these tvs.

anonymous coward says:

Re: Too much corporate push down

Corporate tech is pushing too much crap down to the US population. Most, is useless to most americans. Sad thing, too many americans want to be in the “in crowd” buying Apple shit, not even thinking about better alternatives (because they follow the crowd, or their employer does).

In my day (boomer), I could fix my cars, motorcycles, and lawnmowers. Basic stuff a man or woman could sort, and the engine was designed to be fixed. Guess what 21st century men and women, your daily transportation tool (car, motorcycle) can no longer be fixed on the road or at home unless you have a computer and mechanical engineering degree 🙂 So, young folks are now dependent on folks with the magic of medical doctors of the “old days” to fix a d*** car. Lucky, thanks to the post ww2 japan and german auto builders, modern cars and motorcycles last lots longer than old american cars. Finally american builders got the hint and are catching up. But f***, I just spent 3000 on a rebuilt ford transmission on a 125k explorer. Guess transmissions haven’t caught up to ford engines. I wish my motorcycle had an auto trans as the manual shifter crap leaks oil. Motorcycles seem always 10-20 years behind cars these days, even tho scooters now have auto transmissions. No modern motorcycle manufactures make a real “automatic transmission”, just a double clutch clunky lump, that no way compares to to real auto transmission or even scooter CVT.

Americans see so much new technology these days. Europe and far east are also catching up, and surpassing new american ideas and tech (IP theft). WTF? VR, wtf is VR useful for except for maybe flight simulation, maybe gaming? But its a big thing apparently in tech these days. Corporate push down. Typical humans, computer users, aren’t into VR gaming or aviation training (unless you have a military job flying drones, and those guys and gals are quitting that gig.

If I were a venture capitalist, I wouldn’t spend a cent on VR. There’s no daily use for VR. Except, “VR is a thing”.

If “smart tvs” become the only way I can consume “content” thru my cable tv provider, I’ll quit cable tv. I can get movies over the net on my computer. I can better control malware over a computer than a d** tv.

tqk (profile) says:

Re: Re: Re:

“when the parents are gone and the kids are home alone”=very bad parenting

Despite the laws’ attempts to lower the age of culpability, I still consider teenagers younger than age of majority (eighteen or twenty-one dependent on jurisdiction) are “kids.” Are you afraid to allow your soon-to-be-grownups alone in your house unsupervised? If so, how are they ever going to grow up?

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...