Smart TV Exploit Means Hackers Can Watch You Watch TV
from the i-spy-with-my-little-eye dept
Remember all the hubbub (now there's a word I never thought I'd use; thanks a lot, aging process) over Comcast's kind of, maybe plan to spy on subscribers through their cable box as they watch TV, fold their laundry, or engage in coitus? There was quite an outcry at the time, even as Comcast said that the plan was only to have the cameras be able to recognize when different types or numbers of people were watching the tube. People just didn't feel comfortable with corporations being able to spy on them. As a result, Comcast backed away from the plan -- the people had defeated the corporation.
All, apparently, so that hackers could spy on them instead. At least, that's what some reports are saying about Samsung Smart TVs and an exploit that would allow hackers to snatch social media credentials, access any files or devices connected to the smart TV...oh, and to use the built-in cameras to spy the hell out of people as they do whatever they do while watching television.
In an e-mail exchange with Security Ledger, the Malta-based firm said that the previously unknown ("zero day") hole affects Samsung Smart TVs running the latest version of the company's Linux-based firmware. It could give an attacker the ability to access any file available on the remote device, as well as external devices (such as USB drives) connected to the TV. And, in an Orwellian twist, the hole could be used to access cameras and microphones attached to the Smart TVs, giving a remote attacker the ability to spy on those viewing a compromised set.
The group that reportedly discovered the vulnerability, ReVuln, proudly stated that they would not publish any information about what they'd uncovered except to paying subscribers because screw everyone else (not an actual quote). They also have a company policy, apparently, that would prevent them from working with Samsung directly on a fix or even disclosing the hole, leading me to reach the logical conclusion that Dr. Evil is running that company.
Even more fun, thanks to how Samsung designed the product, chances are any fix that could be produced would be difficult to implement.
Currently, the Smart TVs offer no native security features, such as a firewall, user authentication or application whitelisting. More critically: there is no independent software update capability, meaning that, barring a firmware update from Samsung, the exploitable hole can't be patched without "voiding the device's warranty and using other exploits," ReVuln said.
The company posted a video of an attack on a Samsung TV LED 3D Smart TV online. It shows an attacker gaining shell access to the TV, copying the contents of its hard drive to an external device and mounting them on a local drive, providing access to photos, documents and other content. ReVuln said an attacker would also be able to lift credentials from any social networks or other online services accessed from the device.
In other words, customers get to wait around until Samsung can figure this thing out on their own, since ReVuln won't help them out by company policy, or risk voiding their warranty on their smart TV that has a complete lack of security features. Nicely done, everyone involved.