When a device gets connected to the web without any security it leaves the users vulnerable. This is a trend as the Internet of Things evolves. In this case, Samsung Smart TVs seem to have no security, a dumb TV. Dailywireless.org reports that 40% of Americans have connected their TV to the Internet.
At the same time, The Security Ledger is reporting that a “Security Hole in Samsung Smart TVs Could Allow Remote Spying.” The Malta-based firm ReVuln, says it has uncovered a remotely exploitable security hole in Samsung Smart TVs. If left unpatched, the vulnerability could allow hackers to make off with owners’ social media credentials. Attackers could also spy on those watching the TV using compatible video cameras and microphones.
ReVuln is a security research firm that offers information on security holes it discovers only to subscribers. However, it did confirm the previously unknown (“zero-day”) hole with Security Ledger. The zero-day affects Samsung Electronics Co. (005930) Smart TVs running the latest version of the company’s Linux-based firmware. It could give an attacker the ability to get access to any file on the remote device, As vulnerable are external devices (such as USB drives) connected to the TV.
In an Orwellian twist, the hole could be used to use cameras and microphones attached to the Smart TVs. Granting remote attackers the ability to spy on those viewing a compromised set. Luigi Auriemma of ReVuln told ComputerWorld via email, “If the attacker has full control of the TV … then he can do everything like stealing accounts to the worst scenario of using the integrated webcam and microphone to ‘watch’ the victim.”
Security Ledger says that the Smart TVs offer no native security features, such as a firewall, user authentication, or application whitelisting. More critically: there is no independent software update capability, Which means that, barring a firmware update from Samsung, the exploitable hole can’t be patched without “voiding the device’s warranty and using other exploits,” ReVuln said.
The company posted a video of an attack on a Samsung TV LED 3D Smart TV online. It shows an attacker gaining shell access to the TV. Copying the contents of its hard drive to an external device and mounting them on a local drive. This gave them access to photos, documents, and other content. ReVuln said an attacker would also be able to lift credentials from any social networks or other online services accessed from the device.
rb-
There is no patch for people. Until there is, Smart TV users will have to wait for Samsung to fix this huge security hole or fix it for themselves and risk voiding their warranty. Smart TV with a complete lack of security features, Smart TV Dumb Security.
Related articles
- Samsung Developer Conference Showcases New Smart TV Tools and Policies for Developers (news.samsung.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.