Major Security Flaws Discovered In Internet HDTVs

wiredmikey writes "Security researchers have discovered several security flaws in one of the best-selling brands of Internet-connected HDTVs, and believe it's likely that similar security flaws exist in other Internet TVs. The security researchers were able to demonstrate how an attacker could intercept transmissions from the television to the network using common 'rogue DNS,' 'rogue DHCP server,' or TCP session hijacking techniques. Mocana was able to demonstrate that JavaScript could then be injected into the normal datastream, allowing attackers to obtain total control over the device's Internet functionality."

Javascript is becoming a major plague

[Anonymous Coward]

Of course, the language per se is innocent. But embedding programmability in everything (Web pages, PDF what not) is becoming the biggest security nightmare all around. And the Web Masters want to entice us to be part of the fray. Quoth slashdot:

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Thanks, but no, thanks. I might not want anything (Classic needs cookies, bad Fido, no cookies for you today). Quoth again Slashdot [slashdot.org]:

Why does "This Function Require JavaScript?"

Welcome to the now, man!
[...]

Well, thanks again, but no, thanks. I'm getting pretty well along without my browser executing random stuff from out there (in most cases in ain't even malicious, but wickedly bad programming, just DOSing my computer).

Meh.

Inevitable

[nitehawk214]

Q: What happens when you combine a TV with a computer?

A: You get a computer.

User permission

[Gumshoe]

This attack could render the product unusable at important times and extend or limit its functionality without the manufacturer's permission.

Surely that should read, "without the user's permission".

Re:But How Connected is the TV Anyways?

[multisync]

it contains, a hard drive, and the ability to serve as a DVR. Someone hacks into it, and can now use it to store what ever they want, even use it as part of the botnet

I would be more concerned with entertainment companies "hacking in to it" to remove programs you might be storing. The Kindle experience has shown us that devices that can be remotely accessed by the vendor can not be trusted.

I'll stick with dumb devices that simply do what I tell them.

Re:Heh

[John Hasler]

> This is one of the reasons I say we need NAT on IPV6.

No. You need a firewall.

Re:But How Connected is the TV Anyways?

[internewt]

Having my TV join a botnet still doesn't sound like that much of a crisis.

Right up until it is used as a proxy to download child porn, and all of a sudden you are having to explain why your IP has accessed CP to law enforcement, family, friends, the media.....

Yeah, I know CP is one of those bogey men used to persuade people to see danger from unlikely events, but an accusation of CP can be enough to ruin lives. If you can avoid it, it's probably for the best.

Also, if your TV is in a botnet then it might be inside your firewall, if you use a straight forward NAT router. The TV could be used to attack other computers on your LAN which may contain more important data.