Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Television The Internet IT Technology

Major Security Flaws Discovered In Internet HDTVs 128

wiredmikey writes "Security researchers have discovered several security flaws in one of the best-selling brands of Internet-connected HDTVs, and believe it's likely that similar security flaws exist in other Internet TVs. The security researchers were able to demonstrate how an attacker could intercept transmissions from the television to the network using common 'rogue DNS,' 'rogue DHCP server,' or TCP session hijacking techniques. Mocana was able to demonstrate that JavaScript could then be injected into the normal datastream, allowing attackers to obtain total control over the device's Internet functionality."
This discussion has been archived. No new comments can be posted.

Major Security Flaws Discovered In Internet HDTVs

Comments Filter:
  • That could be hilarious. Oh won't someone think of the children at risk!

  • by Anonymous Coward on Saturday January 08, 2011 @10:34AM (#34804354)

    "We control the horizontal."
    "We control the vertical...."

    • WEll they need to take control of my tv and hack a fucking web browser like Chrome into it so I can surf the internet.
    • Those controls disappeared decades ago.

      • by tomhudson ( 43916 ) <barbara@hudson.barbara-hudson@com> on Saturday January 08, 2011 @01:19PM (#34805598) Journal

        Those controls disappeared decades ago.

        FTFA:

        This attack could render the product unusable at important times and extend or limit its functionality without the manufacturer’s permission.

        Screw the users. Looks like almost everyone has accepted the "you bought it but you don't control it" mentality.

        Who do we blame? Steve Jobs. Verizon? Microsoft? The Supreme Court? Everyone for not making more noise?

        • Who do we blame?

          I'll have to assume that's a rhetorical question, as I'm certain you know the answer :-)

          Personally, I blame the voices in my head.

          • Who do we blame?

            I'll have to assume that's a rhetorical question, as I'm certain you know the answer :-)

            Personally, I blame the voices in my head.

            1. Sit down in bus next to some total stranger
            2. Ask them if the voices in your head are bothering them - if so, you'll try to ask them to keep it down
            3. GOTO 1
        • by Ihmhi ( 1206036 )

          Those controls disappeared decades ago.

          FTFA:

          This attack could render the product unusable at important times and extend or limit its functionality without the manufacturer’s permission.

          Screw the users. Looks like almost everyone has accepted the "you bought it but you don't control it" mentality.

          Who do we blame? Steve Jobs. Verizon? Microsoft? The Supreme Court? Everyone for not making more noise?

          Wait a sec, are you saying that I could jailbreak my television? I don't know if it's incredibly awesome or incredibly depressing.

      • I guess you can now apply the business meaning....

        http://en.wikipedia.org/wiki/Vertical_integration [wikipedia.org] & http://en.wikipedia.org/wiki/Horizontal_integration [wikipedia.org]

        The entire entertainment chain being controlled all the way vertically: entertainment production, manufacture of devices and what you can watch; and horizontally across all distribution channels and devices that you watch it on.

        basically the Apple business model.

  • and get to the main page. now, observe the title & summary of this article. then, gaze towards the article & summary below, while keeping this one in mind.

    great timing to make a point ....
    • by xystren ( 522982 )
      I wonder if they have the same security bulletin writers as Microsoft does, it reads just like a patch Tuesday update description. No real details, except that your system can be completely compromised.
  • but the same trick works even for unsuspicious human beings using your wireless/wired connection (you can hijack their web browser sessions, steal their credentials, etc). It's been known probably since the conception of the Internet that HTTP isn't a secure protocol - probably TV manufactures never thought of their devices to be used on [public|untrusted|malicious] networks.

  • I have a hard time seeing a compromised TV being as much of a security risk as a compromised PC. Would a TV have your personal information on it? Probably not. Would it be able to access a computer on your home network enough to get at personal information? Seems unlikely. Sure, I suppose it may be possible for an internet TV to become a botnet agent helping in a DDoS attack or something, but even that seems like it would be of minimal utility. I don't really see a TV as being useful in pumping out spam, either, unless the manufacturers were putting mail agents in there to report problems back to the manufacturer.
    • I strongly suspect everyone here will feel much the same way, but TFA and I agree that there are a lot of people out there who are just technically challenged enough to use their web-capable TVs on sites where credit cards might be involved, or perhaps not find it surprising when attempting to purchase PPV content responds with a mysterious credit card prompt they've never seen before. The TFA also mentions scenarios where the TV's functionality could be extended, limited, or denied to the user, in addition
    • by theNetImp ( 190602 ) on Saturday January 08, 2011 @10:54AM (#34804528)

      I live in Japan. We just bought a new Sony Bravia TV, and unlike the ones in the states, it contains, a hard drive, and the ability to serve as a DVR. Someone hacks into it, and can now use it to store what ever they want, even use it as part of the botnet. Think it's not a security risk now? There is a reason my Television is not connected to the internet, even though it could be connected to it.

      • There is a reason my Television is not connected to the internet, even though it could be connected to it.

        So why buy the TV?

        • by IMightB ( 533307 )

          I'll bite, this is my first HDTV, I also purchased some rabbit ears and dropped my cable TV because HD cable has the same problem that SD cable has: Endless Channels of Nothing Good On.

          So I manage to get by with nothing but rabbit ears and connected TV which has Netflix/Pandora/(more) was well as PS3 and my audio component stack (including Myth) connected to it.

          My wife and I don't care for the vapid sheeple fodder (in HD!) that is found on TV nowadays and, with a couple of exceptions, don't follow any show

      • Having my TV join a botnet still doesn't sound like that much of a crisis.

        The biggest problem I do see is that my Bravia is linked to my amazon.com account. We can purchase streaming movies with a few remote control key-presses. So I would guess if my TV is cracked, the thieves could go on an amazon shopping spree with my account.

        But then, I've had credit cards compromised before (both personal and corporate). They were resolved with a couple phone calls, and I wasn't liable for anything.

        So I am no

        • by internewt ( 640704 ) on Saturday January 08, 2011 @08:30PM (#34810202) Journal

          Having my TV join a botnet still doesn't sound like that much of a crisis.

          Right up until it is used as a proxy to download child porn, and all of a sudden you are having to explain why your IP has accessed CP to law enforcement, family, friends, the media.....

          Yeah, I know CP is one of those bogey men used to persuade people to see danger from unlikely events, but an accusation of CP can be enough to ruin lives. If you can avoid it, it's probably for the best.

          Also, if your TV is in a botnet then it might be inside your firewall, if you use a straight forward NAT router. The TV could be used to attack other computers on your LAN which may contain more important data.

      • by multisync ( 218450 ) on Saturday January 08, 2011 @12:07PM (#34805156) Journal

        it contains, a hard drive, and the ability to serve as a DVR. Someone hacks into it, and can now use it to store what ever they want, even use it as part of the botnet

        I would be more concerned with entertainment companies "hacking in to it" to remove programs you might be storing. The Kindle experience has shown us that devices that can be remotely accessed by the vendor can not be trusted.

        I'll stick with dumb devices that simply do what I tell them.

      • We just bought a new Sony Bravia TV, and unlike the ones in the states, it contains, a hard drive, and the ability to serve as a DVR.

        Which model is it? I can't even find it online.

      • I live in Japan. We just bought a new Sony Bravia TV, and unlike the ones in the states, it contains, a hard drive, and the ability to serve as a DVR. Someone hacks into it, and can now use it to store what ever they want, even use it as part of the botnet. Think it's not a security risk now? There is a reason my Television is not connected to the internet, even though it could be connected to it.

        Emphasis mine.

        Let me be a "Devil's Advocate" here". If it's not hurting me, it's not really a security risk, right? Really more of an annoyance if I noticed my storage space reduced or somehow noticed a performance problem. Why are there millions of PC out there in botnets? Same reason, I suppose. "My PC has been a little slow lately, but I can still use it. I'll have my geek brother-in-law take a look at it some time if I think of it."

        OK, so that attitude is horrifying to us geeks. But to your average PC u

        • Let me be a "Devil's Advocate" here". If it's not hurting me, it's not really a security risk, right?

          Participating in a botnet is hurting you. It runs up your GB per month, for which some ISPs charge overage fees. It can get your Internet access shut down, or it can even get you prosecuted for participating in the distribution of illegal pornography, as internewt pointed out [slashdot.org].

    • by Tuoqui ( 1091447 )

      It would become trivially easy to DOS attack someone's TV by making it display nothing but goatse and 2girls1cup.

    • I have a hard time seeing a compromised TV being as much of a security risk as a compromised PC. Would a TV have your personal information on it? Probably not.

      Definitly yes.

      Facebook updates, Email alerts and incomming IM messages superimposed over the tc picture probably would be the favourite apps. And they all need your login credentials.

    • by IMightB ( 533307 ) on Saturday January 08, 2011 @11:15AM (#34804678) Journal

      The one that I just got supports external HDD's, USB Cameras, wired, wireless, HTTP (via vieracast). Granted, the TV's OS is very limited, but it supports enough that it could be very damaging if compromised.

      For instance, my TV currently has stored in it passwords for my Skype/Netflix/Pandora accounts as well as my WPA2 creds.

      The very limited VieraCast interface simply uses HTTP to generate it's menus and people have already started to use squid/DNS redirecting to do things like stream from Myth etc etc.

      This guy so far seems to have made the most progress.

      http://customvieracast.blogspot.com/ [blogspot.com]

    • by nospam007 ( 722110 ) on Saturday January 08, 2011 @11:19AM (#34804710)

      "Would a TV have your personal information on it? Probably not."

      How about the kiddie/personal porn on the USB HD attached directly to the TV?

    • The limitation on what a compromised device can do is it's internet connection, not the processor. An compromised HDTV that has web browsing is capable of doing anything a compromised PC can. Not to mention the fact that the HDTV probably has the users login information for netflix and the like stored un-encrypted. I also doubt its all that easy to patch the TV.
    • by LordLimecat ( 1103839 ) on Saturday January 08, 2011 @11:37AM (#34804866)

      1) Set up ssh and dynamic dns on compromised TV, or perhaps a cron job to do a reverse SSH tunnel every so often (to bypass firewall). Now you know where this connection is, at all times, and have full control, at any time.
      2) Set up BIND DNS, set to forward to whatever malicious DNS server you want.
      3) Either set up a phony DHCP server, and/or do some arp poisoning so that all traffic to the internet is routed thru the TV.
      4) Control the entire household's internet connection -- rewriting HTTP pages, sending whatever DNS responses you want (Google? SURE, its this IP here in china!), capturing passwords (redirecting HTTPS to HTTP so that cert errors dont occur, or inserting non HTTPS javascript to capture the password), etc.

      ANY smart device on a home network has the potential to wreak massive havok on that network.

      • I pondered the possibility of that happening on a TV. And indeed, it seems like a pretty solid way to do it, however there is one large hurdle to clear - actually getting the applications to run on the TV. Are all the internet connected TVs using the same CPUs and operating systems? If not you would need to craft ways to deploy your requisite applications for each CPU/OS combination (not to mention you would of course need compatible binaries for each of them).

        Sure, you can run SSH and some of the othe
        • Are all the internet connected TVs using the same CPUs and operating systems? If not you would need to craft ways to deploy your requisite applications for each CPU/OS combination (not to mention you would of course need compatible binaries for each of them).

          Crafting a piece of malware that could compromise several tens of millions of TVs would be worth doing even if there were tens of millions of others that it would not run on.

          Sure, you can run SSH and some of the others through Java, which may clear the

          • Are all the internet connected TVs using the same CPUs and operating systems? If not you would need to craft ways to deploy your requisite applications for each CPU/OS combination (not to mention you would of course need compatible binaries for each of them).

            Crafting a piece of malware that could compromise several tens of millions of TVs would be worth doing even if there were tens of millions of others that it would not run on.

            I agree with that logic. However the question there is at what point will there be tens of millions of internet-connected TVs that are capable of running the same malware by exploitation of the same vulnerability?

            Sure, you can run SSH and some of the others through Java, which may clear the CPU/OS hurdle (assuming of course that the set runs Java fairly well) but then how will you get them to run when you want?

            The bot will run whenever the set is on, of course.

            Which, depending on the TV and its usage pattern, might not end up being all that useful for the botnet master.

            • If they are running linux, even if they only have 16mb of ram, 4mb of flash space, and a 216 mhz processor, you would be absolutely astonished at how much you could do.

              FWIW most routers out there meet those specs, and can be flashed with DDWRT. They wouldnt use BIND, but they support cron, ssh, dnsmasq, dhcp, and quite a bit more. With double or triple the flash space, you start being able to really have some fun.

    • Compormised TV will be actually attack PC over lan.

      This is valuable when NAT/Firewall is in picture - PC owner might be shielded from attacks by simply not having public IP or because ISP set up firewall.

    • As the PC becomes more secure there will be a push to find other devices in your house to use as botnet nodes.

    • Re: (Score:3, Funny)

      I don't really see a TV as being useful in pumping out spam...

      Approximately 16 minutes of every hour is devoted to spam... formerly known as "bathroom breaks"

    • I don't really see a TV as being useful in pumping out spam, either, unless the manufacturers were putting mail agents in there to report problems back to the manufacturer.

      The bot will have a built-in MTA, of course. More likely they will primarily be interested in stealing credentials, though.

  • by GrumblyStuff ( 870046 ) on Saturday January 08, 2011 @10:42AM (#34804434)

    I hate how all these "smart" ones can be tricked into doing nefarious deeds.

    • As a sysadmin by profession, one of my favorite terms is "too stupid to break".

  • Now why can't the hackers go for the cable box and hack us some free HBO

  • by msauve ( 701917 ) on Saturday January 08, 2011 @10:53AM (#34804522)
    If you have control over the network infrastructure, you can give a host DHCP/DNS info which might not be right and make it go where you want.

    Major automotive security alert!!11!!! If someone steals your car, they get the stuff inside, too.
  • If someone gets into your home network, maybe they can mess with your TV... I think maybe you would have bigger problems if someone was actually able to get on your network, since they could do many worse things.
  • by Anonymous Coward on Saturday January 08, 2011 @11:08AM (#34804620)

    Of course, the language per se is innocent. But embedding programmability in everything (Web pages, PDF what not) is becoming the biggest security nightmare all around. And the Web Masters want to entice us to be part of the fray. Quoth slashdot:

    There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

    Thanks, but no, thanks. I might not want anything (Classic needs cookies, bad Fido, no cookies for you today). Quoth again Slashdot [slashdot.org]:

    Why does "This Function Require JavaScript?"

    Welcome to the now, man!
    [...]

    Well, thanks again, but no, thanks. I'm getting pretty well along without my browser executing random stuff from out there (in most cases in ain't even malicious, but wickedly bad programming, just DOSing my computer).

    Meh.

    • I was trying to use Sprint's web site to see whether their cellphone service was worth using. It seemed to require JavaScript, the latest Flash, a fast web connection, and the latest web browsers to even show any useful content. Lacking all these, I had to give up.
  • Forget the security flaws, the ability to stream content to a HDTV is so variable, that you don't know if a set will actually cope with steaming until you buy it. So much for standards. Now THAT is a flaw! So that's why I've not bought a HDTV, and stick to a PC with a HD monitor - at least the computer can play anything I throw at it - and without wasting more electricity transcoding the content into something the TV might like.

  • Linux (Score:5, Interesting)

    by tsa ( 15680 ) on Saturday January 08, 2011 @11:14AM (#34804672) Homepage

    Don't most of the newer TVs run Linux? My father's LG does. So it's entirely possible that the first real viruses for Linux will run on TVs rather than normal computers.

  • Inevitable (Score:5, Insightful)

    by nitehawk214 ( 222219 ) on Saturday January 08, 2011 @11:26AM (#34804776)

    Q: What happens when you combine a TV with a computer?

    A: You get a computer.

  • by WD ( 96061 ) on Saturday January 08, 2011 @11:27AM (#34804784)

    Well that's just great! You're telling me it's not safe to lug my HDTV into Starbucks anymore?

  • digging around the pdf, it seems that http://www.xxxxxxxx.tv/data/home-screen.js [xxxxxxxx.tv] is mentioned. Other places on the internet mention that path in conjunction with bd.vieracast.tv and bd.vieracast.eu, and Panasonic tv's
  • User permission (Score:4, Insightful)

    by Gumshoe ( 191490 ) on Saturday January 08, 2011 @11:44AM (#34804930) Journal

    This attack could render the product unusable at important times and extend or limit its functionality without the manufacturer's permission.

    Surely that should read, "without the user's permission".

    • This attack could render the product unusable at important times and extend or limit its functionality without the manufacturer's permission.

      Surely that should read, "without the user's permission".

      What's the difference? Don't think that when you buy such a device you're the owner/user in this day and age. You're not. You're a consumer, no more no less. Your only job is to consume content, preferably pay every time, or at least watch the commercials. You may have some influence on what you get to watch, but the manufacturer controls the list you can choose from.

      So now get back to that sofa, commercial break is starting in a moment.

    • This attack could render the product unusable at important times and extend or limit its functionality without the manufacturer's permission.

      Surely that should read, "without the user's permission".

      I guess it depends on who owns your TV. Certainly sounds in this case like the author believes you've just licensed it.

    • This attack could render the product unusable at important times and extend or limit its functionality without the manufacturer's permission.

      Surely that should read, "without the user's permission".

      No that's probably correct. The manufacturer probably uses the same chassis and hardware across many models, and the only difference is the software features. Another similar example is Video cards where the lesser models simply have a few cores turned off in the GPU. Enabling those features would give you the equivalent of the more expensive model.

    • No. The wording is correct due to the word "extend". In other words, you could unlock features that belong to a model with a higher price tag. The manufacturer would then not get as much money because the higher priced version will no longer sell because you can get the same features in the lower priced version.

      Yes, that business model is crappy, but that is not the point.

  • Solution! ipTVtables and ip6TVtables squidTVguard,

    alternatively NETBSDTV ;o)

  • People are selling personal computers that come preloaded with insecure software? I'm shocked!

    Oh, the personal computer is called something else, "internet TV," so that makes this news.

    • There is another difference.

      People by now are used to having to update the software on their computer regularly. This is not a multi-purpose computer - this is a specialised device. Not many people, if any, are used to update the software on a device - that was until now generally not an issue, if possible in the first place. Even on modern devices it's, in my experience, not that easy anyway.

      Point in case: I'm having problems updating my LG smart phone: the Android update software, Windows only, fails to

      • My Sony TV has an update firmware facility. I'm not sure I'd want to risk bricking my TV though. As to LG, well after my experience with the shoddy firmware on the Viewty (that LG refused to update) I wouldn't bother buying another.

      • the Android update software, Windows only, fails to recognise my phone when running in VirtualBox. Windows itself detects it just fine though.

        VirtualBox has flaky USB support in my opinion. Try something stable like VMWare. Try booting from a copy of the Ultimate Boot Disk for Windows and see if the updater will run from there. Was your VirtualBox Windows install done with nlite? That might be your problem as well.

  • When you can plug your computer into the back of the tv and use it as a screen, why give the tv functionality of a computer
    where can you install the AV or firewall or malware programs on your tv, you cant, yet even M$ says you need those if you want to surf the web, the guy who thought of adding the browser to the tv was an idiot....sorry for saying...especially when i can just hook mine up and do the exact same thing by using the tv as my screen......!

  • If you are worried that someone can change what's on your TV you are missing the point. The real concern is that by rooting your TV (which might have a linux shell for example) this can then be used as a vector to access anything on your home network that would otherwise be protected by NAT/FW. More sophisticated users would be well advised to set up a separate guest LAN that can only get straight out to the net.
    • by Barny ( 103770 )

      But the attack on the TV requires them to already have compromised your router/server, so they are already inside your NAT/FW.

      As for setting up a DMZ... you mean people don't already have this?

      • As for setting up a DMZ... you mean people don't already have this?

        I didn't say DMZ, I said a guest network. A DMZ is a subnet that is intended to expose your servers to _incoming_ connections from the internet.

        I'm talking about a NATted subnet can only initiate outgoing connections. Basically another private lan that is partitioned from your sensitive machines.

        And BTW there are plenty of ways to root a machine that don't involve compromising the router. Trojans being the most obvious example.

        • by Barny ( 103770 )

          The exploit in question requires either DHCP or DNS to be subverted locally in order for the device to be attacked.

  • Perhaps that's just as well then, maybe I should stop complaining even though it's a feature I paid for and never got.
  • Running a wide variety of apps on a TV has tremendous potential, but just as with PCs, game consoles and smartphones, the tech is changing so fast that the user will need to overhaul it every few years, so this tech should be implemented as set top boxes. Nobody wants to throw out their whole TV just because one small part of it is obsolete.
  • As devices become "smarter" and more connected, these kinds of flaws and vulnerabilities will only increase in number and severity. It's highly unlikely that there will ever be enough economic incentive for manufacturers to keep the embedded software in their consumer devices secure and up-to-date, not to mention the lack of software update mechanisms.

    This is why we need Free Software. Standard platforms running Free Software can be patched and updated simply and easily, and maintained by community effort

  • The attacker they really mean here, is the user who purchased the Internet-connected HDTV.
    Indeed, it is possible for him to trick the TV that is connected to his network infrastructure into doing things the manufacturer had been trying to prevent the user from doing.

    This is not very different from jailbreaking your own phone or video game console, except it's much more trivial.

  • I don't think anyone has their "Internet TV" directly connected to the internet. They are *ALL* behind the firewall. Thus the only way to launch these attacks are from your own internal network.

If all else fails, lower your standards.

Working...