Major Security Flaws Discovered In Internet HDTVs
wiredmikey writes "Security researchers have discovered several security flaws in one of the best-selling brands of Internet-connected HDTVs, and believe it's likely that similar security flaws exist in other Internet TVs. The security researchers were able to demonstrate how an attacker could intercept transmissions from the television to the network using common 'rogue DNS,' 'rogue DHCP server,' or TCP session hijacking techniques. Mocana was able to demonstrate that JavaScript could then be injected into the normal datastream, allowing attackers to obtain total control over the device's Internet functionality."
Heh (Score:2)
That could be hilarious. Oh won't someone think of the children at risk!
Re:Heh (Score:4, Funny)
Re: (Score:3)
It also grew arms, pulled down my pants, and put this bottle of hand-lotion on the table beside me!
Re: (Score:3)
Now THERE is a tv I would buy.
Re: (Score:2)
True. What GP should have said was
Re:Heh (Score:5, Funny)
Re:Heh (Score:5, Informative)
Re: (Score:1)
There really is an xkcd for everything, isn't there?
Re: (Score:3, Funny)
Re: (Score:2)
Re:Heh (Score:4, Insightful)
> This is one of the reasons I say we need NAT on IPV6.
No. You need a firewall.
Re: (Score:2)
Force people to watch nothing but The Jersey Shore. This could be the secret to getting people to watch it.
Re: (Score:2)
Re: (Score:2)
> People watch that crap without being forced to?
Yes, billions of people watch television without being forced to. Amazing, isn't it?
Outer Limits Intro ..... (Score:5, Funny)
"We control the horizontal."
"We control the vertical...."
Re: (Score:1)
Re: (Score:1)
Those controls disappeared decades ago.
Re:Outer Limits Intro ..... (Score:5, Interesting)
> Those controls disappeared decades ago.
FTFA:
Screw the users. Looks like almost everyone has accepted the "you bought it but you don't control it" mentality.
Who do we blame? Steve Jobs. Verizon? Microsoft? The Supreme Court? Everyone for not making more noise?
Re: (Score:1)
> Who do we blame?
I'll have to assume that's a rhetorical question, as I'm certain you know the answer :-)
Personally, I blame the voices in my head.
Re: (Score:2)
> Who do we blame?
I'll have to assume that's a rhetorical question, as I'm certain you know the answer :-)
Personally, I blame the voices in my head.
Re: (Score:2)
> Those controls disappeared decades ago.
> FTFA:
> Screw the users. Looks like almost everyone has accepted the "you bought it but you don't control it" mentality.
> Who do we blame? Steve Jobs. Verizon? Microsoft? The Supreme Court? Everyone for not making more noise?
Wait a sec, are you saying that I could jailbreak my television? I don't know if it's incredibly awesome or incredibly depressing.
Re: (Score:3)
I guess you can now apply the business meaning....
http://en.wikipedia.org/wiki/Vertical_integration & http://en.wikipedia.org/wiki/Horizontal_integration
The entire entertainment chain being controlled all the way vertically: entertainment production, manufacture of devices and what you can watch; and horizontally across all distribution channels and devices that you watch it on.
basically the Apple business model.
Re: (Score:1)
> ...basically the Apple business model.
Eh, for me to complain would just be sour grapes. More power to 'em.
Ok now, go up a level from this article (Score:2)
great timing to make a point
Re: (Score:1)
Cool ... (Score:1)
but the same trick works even for unsuspicious human beings using your wireless/wired connection (you can hijack their web browser sessions, steal their credentials, etc). It's been known probably since the conception of the Internet that HTTP isn't a secure protocol - probably TV manufacturers never thought of their devices to be used on [public|untrusted|malicious] networks.
But How Connected is the TV Anyways? (Score:3)
Re: (Score:3)
Re:But How Connected is the TV Anyways? (Score:5, Interesting)
I live in Japan. We just bought a new Sony Bravia TV, and unlike the ones in the states, it contains a hard drive, and the ability to serve as a DVR. Someone hacks into it, and can now use it to store whatever they want, even use it as part of the botnet. Think it's not a security risk now? There is a reason my Television is not connected to the internet, even though it could be connected to it.
Re: (Score:1)
> There is a reason my Television is not connected to the internet, even though it could be connected to it.
So why buy the TV?
Re: (Score:2)
I'll bite, this is my first HDTV, I also purchased some rabbit ears and dropped my cable TV because HD cable has the same problem that SD cable has: Endless Channels of Nothing Good On.
So I manage to get by with nothing but rabbit ears and connected TV which has Netflix/Pandora/(more) as well as PS3 and my audio component stack (including Myth) connected to it.
My wife and I don't care for the vapid sheeple fodder (in HD!) that is found on TV nowadays and, with a couple of exceptions, don't follow any show
Re: (Score:3)
The biggest problem I do see is that my Bravia is linked to my amazon.com account. We can purchase streaming movies with a few remote control key-presses. So I would guess if my TV is cracked, the thieves could go on an amazon shopping spree with my account.
But then, I've had credit cards compromised before (both personal and corporate). They were resolved with a couple phone calls, and I wasn't liable for anything.
So I am no
Re:But How Connected is the TV Anyways? (Score:5, Insightful)
Having my TV join a botnet still doesn't sound like that much of a crisis.
Right up until it is used as a proxy to download child porn, and all of a sudden you are having to explain why your IP has accessed CP to law enforcement, family, friends, the media.....
Yeah, I know CP is one of those bogey men used to persuade people to see danger from unlikely events, but an accusation of CP can be enough to ruin lives. If you can avoid it, it's probably for the best.
Also, if your TV is in a botnet then it might be inside your firewall, if you use a straight forward NAT router. The TV could be used to attack other computers on your LAN which may contain more important data.
Re:But How Connected is the TV Anyways? (Score:5, Insightful)
I would be more concerned with entertainment companies "hacking in to it" to remove programs you might be storing. The Kindle experience has shown us that devices that can be remotely accessed by the vendor can not be trusted.
I'll stick with dumb devices that simply do what I tell them.
Re: (Score:1)
Which model is it? I can't even find it online.
Re: (Score:2)
> I live in Japan. We just bought a new Sony Bravia TV, and unlike the ones in the states, it contains a hard drive, and the ability to serve as a DVR. Someone hacks into it, and can now use it to store whatever they want, even use it as part of the botnet. Think it's not a security risk now? There is a reason my Television is not connected to the internet, even though it could be connected to it.
Emphasis mine.
Let me be a "Devil's Advocate" here. If it's not hurting me, it's not really a security risk, right? Really more of an annoyance if I noticed my storage space reduced or somehow noticed a performance problem. Why are there millions of PCs out there in botnets? Same reason, I suppose. "My PC has been a little slow lately, but I can still use it. I'll have my geek brother-in-law take a look at it some time if I think of it."
OK, so that attitude is horrifying to us geeks. But to your average PC u
ISP overages (Score:3)
> Let me be a "Devil's Advocate" here. If it's not hurting me, it's not really a security risk, right?
Participating in a botnet is hurting you. It runs up your GB per month, for which some ISPs charge overage fees. It can get your Internet access shut down, or it can even get you prosecuted for participating in the distribution of illegal pornography, as internewt pointed out [slashdot.org].
Re: (Score:3)
Saying "don't be a television and a web browser" is like pointing at a PDP11 running Unix and saying, "Don't be a document editor and also a formatter and also a C compiler." You're trying to apply the Unix philosophy at the wrong level. Look inside and then you'll see it. There's a codec library (and/or hardware) that does one thing well, and is used as part of many applications, just like "sed" is.
Re: (Score:2)
These internet capable TVs are running a Linux kernel. There really is a lot you can do with them with the right knowledge. Would it really be that hard to spoof a connection to the firmware update site and pass custom firmware back to the TV? Or send commands back to the TV to dump its memory for you, thereby giving up your Amazon account info? Maybe even a small routine to sniff the local wire for your credentials and email them out?
It's really not as far fetched as you think.
Re: (Score:2)
You mean like this [sony.com]?
Tivoized? (Score:2)
Re: (Score:3)
It would become trivially easy to DOS attack someone's TV by making it display nothing but goatse and 2girls1cup.
Re: (Score:2)
> I have a hard time seeing a compromised TV being as much of a security risk as a compromised PC. Would a TV have your personal information on it? Probably not.
Definitely yes.
Facebook updates, Email alerts and incoming IM messages superimposed over the TV picture probably would be the favourite apps. And they all need your login credentials.
Re:But How Connected is the TV Anyways? (Score:4, Informative)
The one that I just got supports external HDD's, USB Cameras, wired, wireless, HTTP (via vieracast). Granted, the TV's OS is very limited, but it supports enough that it could be very damaging if compromised.
For instance, my TV currently has stored in it passwords for my Skype/Netflix/Pandora accounts as well as my WPA2 creds.
The very limited VieraCast interface simply uses HTTP to generate its menus and people have already started to use squid/DNS redirecting to do things like stream from Myth etc etc.
This guy so far seems to have made the most progress.
http://customvieracast.blogspot.com/
Re:But How Connected is the TV Anyways? (Score:4, Funny)
"Would a TV have your personal information on it? Probably not."
How about the kiddie/personal porn on the USB HD attached directly to the TV?
Re: (Score:2)
Re:But How Connected is the TV Anyways? (Score:5, Informative)
1) Set up ssh and dynamic dns on compromised TV, or perhaps a cron job to do a reverse SSH tunnel every so often (to bypass firewall). Now you know where this connection is, at all times, and have full control, at any time.
2) Set up BIND DNS, set to forward to whatever malicious DNS server you want.
3) Either set up a phony DHCP server, and/or do some arp poisoning so that all traffic to the internet is routed thru the TV.
4) Control the entire household's internet connection -- rewriting HTTP pages, sending whatever DNS responses you want (Google? SURE, it's this IP here in China!), capturing passwords (redirecting HTTPS to HTTP so that cert errors don't occur, or inserting non HTTPS JavaScript to capture the password), etc.
ANY smart device on a home network has the potential to wreak massive havoc on that network.
Re: (Score:2)
Sure, you can run SSH and some of the othe
Re: (Score:2)
Crafting a piece of malware that could compromise several tens of millions of TVs would be worth doing even if there were tens of millions of others that it would not run on.
Re: (Score:2)
Are all the internet connected TVs using the same CPUs and operating systems? If not you would need to craft ways to deploy your requisite applications for each CPU/OS combination (not to mention you would of course need compatible binaries for each of them).
Crafting a piece of malware that could compromise several tens of millions of TVs would be worth doing even if there were tens of millions of others that it would not run on.
I agree with that logic. However the question there is at what point will there be tens of millions of internet-connected TVs that are capable of running the same malware by exploitation of the same vulnerability?
Sure, you can run SSH and some of the others through Java, which may clear the CPU/OS hurdle (assuming of course that the set runs Java fairly well) but then how will you get them to run when you want?
The bot will run whenever the set is on, of course.
Which, depending on the TV and its usage pattern, might not end up being all that useful for the botnet master.
Re: (Score:2)
If they are running Linux, even if they only have 16mb of ram, 4mb of flash space, and a 216 mhz processor, you would be absolutely astonished at how much you could do.
FWIW most routers out there meet those specs, and can be flashed with DDWRT. They wouldn't use BIND, but they support cron, ssh, dnsmasq, dhcp, and quite a bit more. With double or triple the flash space, you start being able to really have some fun.
Re: (Score:2)
If you are intercepting all pages before they hit the computer, the process is simple. Person requests hxxps://www.mybank.com/login.htm. Infected bot intercepts it, makes the connection to the bank itself, decodes the page, and presents a "fake" version of the page, sans SSL. What ends up happening is the bot acts like a caching proxy, decoding each page as it comes in and providing a non-HTTPS version to the client.
Now, I don't think you could fake the SSL lock icon in the browser-- you may be able to fak
Re: (Score:2)
I should also note that you wouldn't even need to-- you could simply insert JavaScript into the HTTPS login page, as such pages are usually comprised of both HTTP and HTTPS components. You could rewrite the page with JavaScript so that parts are indeed HTTPS, but the actual submission is HTTP.
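A defender-side check for the downgrade described in the two comments above, added here as an example and not code from any poster: it audits a login page that was served over HTTPS for form submissions or scripts that leave HTTPS, and for a missing HSTS header. The host name `mybank.example`, the sample page and the finding labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class DowngradeAuditor(HTMLParser):
    """Collects form targets and active subresources that resolve to plain HTTP."""
    SUBRESOURCES = {"script": "src", "iframe": "src"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page URL itself.
            self._check("form-action", attrs.get("action") or "")
        elif tag in self.SUBRESOURCES:
            ref = attrs.get(self.SUBRESOURCES[tag])
            if ref:
                self._check(tag + "-src", ref)

    def _check(self, kind, ref):
        # Resolve relative and scheme-relative references against the page URL.
        url = urljoin(self.page_url, ref.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, url))

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if absent or invalid."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def audit(page_url, headers, html):
    """Return (finding, url) pairs for one fetched page."""
    if urlsplit(page_url).scheme != "https":
        return [("page-not-https", page_url)]
    findings = []
    if not hsts_max_age(headers):        # absent, invalid, or max-age=0
        findings.append(("missing-hsts", page_url))
    auditor = DowngradeAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return findings + auditor.findings

# Constructed sample: an HTTPS login page with one plain-HTTP script and a
# credential form that posts over plain HTTP.
SAMPLE_URL = "https://www.mybank.example/login.htm"
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_HTML = """
<html><head>
<script src="https://www.mybank.example/app.js"></script>
<script src="http://static.mybank.example/track.js"></script>
</head><body>
<form method="post" action="http://www.mybank.example/session">
  <input name="user"><input type="password" name="pass">
</form>
<form method="post" action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML):
        print(finding)
```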
Re: (Score:2)
A compromised TV will actually attack the PC over the LAN.
This is valuable when NAT/Firewall is in picture - PC owner might be shielded from attacks by simply not having public IP or because ISP set up firewall.
Re: (Score:2)
As the PC becomes more secure there will be a push to find other devices in your house to use as botnet nodes.
Re: (Score:3, Funny)
I don't really see a TV as being useful in pumping out spam...
Approximately 16 minutes of every hour is devoted to spam... formerly known as "bathroom breaks"
Re: (Score:2)
The bot will have a built-in MTA, of course. More likely they will primarily be interested in stealing credentials, though.
Go back to dumb devices (Score:4, Interesting)
I hate how all these "smart" ones can be tricked into doing nefarious deeds.
Re: (Score:2)
As a sysadmin by profession, one of my favorite terms is "too stupid to break".
Re: (Score:2)
Unless I'm required to update it so I can watch OTA stations or cable or newly released movies.
In any case, I'd prefer not to have anything extra I won't use that will pad the cost and allow for possible software bugs. And how long will it be before they're all wireless? What then? Cover my TV with aluminum foil?
Now why can't the hackers go for cable box free HBO (Score:1)
Now why can't the hackers go for the cable box and hack us some free HBO
So, basically... (Score:3)
Major automotive security alert!!11!!! If someone steals your car, they get the stuff inside, too.
Ok, so... (Score:2)
Javascript is becoming a major plague (Score:3, Insightful)
Of course, the language per se is innocent. But embedding programmability in everything (Web pages, PDF what not) is becoming the biggest security nightmare all around. And the Web Masters want to entice us to be part of the fray. Quoth slashdot:
There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.
Thanks, but no, thanks. I might not want anything (Classic needs cookies, bad Fido, no cookies for you today). Quoth again Slashdot [slashdot.org]:
Why does "This Function Require JavaScript?"
Welcome to the now, man!
[...]
Well, thanks again, but no, thanks. I'm getting pretty well along without my browser executing random stuff from out there (in most cases it ain't even malicious, but wickedly bad programming, just DOSing my computer).
Meh.
Re: (Score:1)
Re: (Score:2)
Computer security 101:
When you run untrusted code on your computer, it is no longer your computer.
Esp. When the "untrusted" JavaScript code is compiled by IE's, Chrome's, and Firefox's engine into machine code on the fly... It's supposed to be run in a VM or interpreted, yet for the sake of speed we run it as machine code right on the metal -- Goodbye Sandbox!
Flaws in a TV? (Score:2)
Forget the security flaws, the ability to stream content to a HDTV is so variable, that you don't know if a set will actually cope with streaming until you buy it. So much for standards. Now THAT is a flaw! So that's why I've not bought a HDTV, and stick to a PC with a HD monitor - at least the computer can play anything I throw at it - and without wasting more electricity transcoding the content into something the TV might like.
Linux (Score:5, Interesting)
Don't most of the newer TVs run Linux? My father's LG does. So it's entirely possible that the first real viruses for Linux will run on TVs rather than normal computers.
Re: (Score:2)
My Sony Bravia certainly does. Now we see if the MS shills' predictions of Linux being hacked as much as Windows come true, given that it seems to be in everything from TVs to ebook readers to mobile phones these days.
Re: (Score:1)
How can you tell? Can you get a shell? Can you get busybox running? I'd love to get into my tv.
Re: (Score:2)
Network scanners like nmap show it running a linux kernel. I understand the Samsung TVs are also running Linux and there is a hack to get to a shell on them.
Re: (Score:3)
Also, it comes with a copy of the GPL and an offer for source code.
Re: (Score:2)
Sony offer source code for various devices here. Busybox is already installed on my TV but I've no idea how to get a shell up. I'm sure someone cleverer than me will work it out somehow.
Re: (Score:2)
Here: http://products.sel.sony.com/opensource/
Stupid slashdot
Inevitable (Score:5, Insightful)
Q: What happens when you combine a TV with a computer?
A: You get a computer.
Re: (Score:1)
Re: (Score:2)
A2: You get a big iMac.
A "Big iMac" sounds like something you can eat.
Re: (Score:2)
> A "Big iMac" sounds like something you can eat.
But you can only put iCondiments on it and you must hold it just so.
Rogue DHCP server? (Score:5, Funny)
Well that's just great! You're telling me it's not safe to lug my HDTV into Starbucks anymore?
Might be a Panasonic (Score:1)
User permission (Score:4, Insightful)
Surely that should read, "without the user's permission".
Re: (Score:2)
> Surely that should read, "without the user's permission".
What's the difference? Don't think that when you buy such a device you're the owner/user in this day and age. You're not. You're a consumer, no more no less. Your only job is to consume content, preferably pay every time, or at least watch the commercials. You may have some influence on what you get to watch, but the manufacturer controls the list you can choose from.
So now get back to that sofa, commercial break is starting in a moment.
Re: (Score:2)
> Surely that should read, "without the user's permission".
I guess it depends on who owns your TV. Certainly sounds in this case like the author believes you've just licensed it.
Re: (Score:3)
> Surely that should read, "without the user's permission".
No that's probably correct. The manufacturer probably uses the same chassis and hardware across many models, and the only difference is the software features. Another similar example is Video cards where the lesser models simply have a few cores turned off in the GPU. Enabling those features would give you the equivalent of the more expensive model.
Re: (Score:2)
No. The wording is correct due to the word "extend". In other words, you could unlock features that belong to a model with a higher price tag. The manufacturer would then not get as much money because the higher priced version will no longer sell because you can get the same features in the lower priced version.
Yes, that business model is crappy, but that is not the point.
Solution! iptvtables and ipv6tables (Score:1)
Solution! ipTVtables and ip6TVtables squidTVguard,
alternatively NETBSDTV ;o)
Same old same old (Score:2)
People are selling personal computers that come preloaded with insecure software? I'm shocked!
Oh, the personal computer is called something else, "internet TV," so that makes this news.
Re: (Score:2)
There is another difference.
People by now are used to having to update the software on their computer regularly. This is not a multi-purpose computer - this is a specialised device. Not many people, if any, are used to update the software on a device - that was until now generally not an issue, if possible in the first place. Even on modern devices it's, in my experience, not that easy anyway.
Point in case: I'm having problems updating my LG smart phone: the Android update software, Windows only, fails to
Re: (Score:2)
My Sony TV has an update firmware facility. I'm not sure I'd want to risk bricking my TV though. As to LG, well after my experience with the shoddy firmware on the Viewty (that LG refused to update) I wouldn't bother buying another.
Re: (Score:2)
> the Android update software, Windows only, fails to recognise my phone when running in VirtualBox. Windows itself detects it just fine though.
VirtualBox has flaky USB support in my opinion. Try something stable like VMWare. Try booting from a copy of the Ultimate Boot Disk for Windows and see if the updater will run from there. Was your VirtualBox Windows install done with nlite? That might be your problem as well.
What for??? (Score:1)
When you can plug your computer into the back of the TV and use it as a screen, why give the TV the functionality of a computer?
Where can you install the AV or firewall or malware programs on your TV? You can't, yet even M$ says you need those if you want to surf the web. The guy who thought of adding the browser to the TV was an idiot....sorry for saying...especially when I can just hook mine up and do the exact same thing by using the TV as my screen......!
missing the point (Score:2)
Re: (Score:2)
But the attack on the TV requires them to already have compromised your router/server, so they are already inside your NAT/FW.
As for setting up a DMZ... you mean people don't already have this?
Re: (Score:2)
I didn't say DMZ, I said a guest network. A DMZ is a subnet that is intended to expose your servers to _incoming_ connections from the internet.
I'm talking about a NATted subnet that can only initiate outgoing connections. Basically another private LAN that is partitioned from your sensitive machines.
And BTW there are plenty of ways to root a machine that don't involve compromising the router. Trojans being the most obvious example.
Re: (Score:2)
The exploit in question requires either DHCP or DNS to be subverted locally in order for the device to be attacked.
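Since the attack depends on DHCP or DNS being subverted on the local network, one way to watch for it is to inspect DHCP server replies seen on the LAN and flag any that name an unexpected server, gateway or resolver. The following is an added example, not code from the article or any poster; it takes the UDP payload of a DHCP message, and the addresses, the `POLICY` values and the `build_reply` helper are constructed for illustration.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
OFFER, ACK = 2, 5             # option 53 (message type) values sent by servers

# Hypothetical policy for one home LAN: the only addresses allowed in replies.
POLICY = {"servers": {"192.168.1.1"}, "routers": {"192.168.1.1"},
          "dns": {"192.168.1.1", "9.9.9.9"}}

def parse_options(payload):
    """Return {option code: raw bytes} from a DHCP message (UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option")
        opts[code] = data
        i += 2 + length
    return opts

def ipv4_list(data):
    """Split an option value into dotted-quad strings, ignoring a ragged tail."""
    return [str(ipaddress.IPv4Address(data[i:i + 4]))
            for i in range(0, len(data) - len(data) % 4, 4)]

def check_reply(payload, policy=POLICY):
    """Return (alert, address) pairs for a server reply that violates the policy."""
    opts = parse_options(payload)
    mtype = opts.get(53) or b"\x00"
    if payload[0] != 2 or mtype[0] not in (OFFER, ACK):   # op 2 = BOOTREPLY
        return []
    alerts = []
    if 54 not in opts:
        alerts.append(("missing-server-id", ""))
    for alert, code, key in (("rogue-server", 54, "servers"),
                             ("unexpected-router", 3, "routers"),
                             ("unexpected-dns", 6, "dns")):
        for ip in ipv4_list(opts.get(code, b"")):
            if ip not in policy[key]:
                alerts.append((alert, ip))
    return alerts

def build_reply(server, router, dns, mtype=OFFER, op=2):
    """Build a constructed DHCP message for the demo (not captured traffic)."""
    pack = lambda ip: ipaddress.IPv4Address(ip).packed
    opt = lambda code, data: bytes([code, len(data)]) + data
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234ABCD, 0, 0,
                        bytes(4), pack("192.168.1.50"), bytes(4), bytes(4),
                        bytes.fromhex("001122334455"), b"", b"")
    return (fixed + MAGIC + opt(53, bytes([mtype])) + opt(54, pack(server))
            + opt(3, pack(router)) + opt(6, b"".join(pack(d) for d in dns)) + b"\xff")

if __name__ == "__main__":
    good = build_reply("192.168.1.1", "192.168.1.1", ["192.168.1.1", "9.9.9.9"])
    bad = build_reply("192.168.1.77", "192.168.1.77", ["192.168.1.77"])
    print(check_reply(good))   # reply that matches the policy
    print(check_reply(bad))    # reply from an address outside the policy
```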
The ethernet socket on my LG TV has never worked (Score:2)
Why not set top boxes? (Score:2)
This is why we need FOSS (Score:2)
As devices become "smarter" and more connected, these kinds of flaws and vulnerabilities will only increase in number and severity. It's highly unlikely that there will ever be enough economic incentive for manufacturers to keep the embedded software in their consumer devices secure and up-to-date, not to mention the lack of software update mechanisms.
This is why we need Free Software. Standard platforms running Free Software can be patched and updated simply and easily, and maintained by community effort
Attacker is the user here (Score:2)
The attacker they really mean here, is the user who purchased the Internet-connected HDTV.
Indeed, it is possible for him to trick the TV that is connected to his network infrastructure into doing things the manufacturer had been trying to prevent the user from doing.
This is not very different from jailbreaking your own phone or video game console, except it's much more trivial.
Er... from where? (Score:2)
I don't think anyone has their "Internet TV" directly connected to the internet. They are *ALL* behind the firewall. Thus the only way to launch these attacks is from your own internal network.