Millions of Smart TVs, Phones and Routers At Risk From Old Vulnerability (trendmicro.com) 65
itwbennett writes: Adding fuel to the growing concern over how manufacturers of devices such as routers and smart TVs deal with security vulnerabilities that emerge in their products, Trend Micro found that a 3-year-old vulnerability in a software component used in millions of smart TVs, routers and phones still hasn't been patched by many vendors. Although a patch was issued for the component in December 2012, Trend Micro found 547 apps that use an older unpatched version of it, wrote Veo Zhang, a mobile threats analyst on the Trend Micro blog. 'These are very popular apps that put millions of users in danger; aside from mobile devices, routers, and smart TVs are all at risk as well,' he wrote.
Re:Apologists unite! (Score:4, Informative)
It must be in one of those open source components, since Slashdot is not listing the actual component name.
Too busy trying to get a first post to bother reading the first line in the first link?
The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet.
Re: (Score:2)
ie, I'm using the standard features of my consumer-grade broadband router to deny incoming connections from routing into my LAN?
I've just assumed that all of the OSes on my network are vulnerable to something and I've taken steps to mitigate that. To do anything else would be asking for trouble. That same sort of consideration would apply to the "Internet of Things" and to appliances that are more special
Re:Apologists unite! (Score:5, Insightful)
Well ... let's see ... first you could have a vulnerable cable modem [slashdot.org] your ISP gave you ... and a lot of people might not have a firewall behind that and connect directly to it. Hell, you could even have a modem from your ISP which does the wifi you use in your house.
The level of network security in most households probably means that the number of people who could easily have devices exploitable by this is likely not small.
The problem is that consumer adoption of the "internet of stuff" is growing FAR faster than the quality of security they have. Many people simply won't even know they're at risk, because they just took it out of the box and did the easiest bit of configuration.
Re: (Score:2, Funny)
I agree with your sentiment, but an old saying comes to mind. Something about not having to outrun a bear if you can outrun your buddy. You don't have to have perfect security. Just better security than the guy one IP address over.
Re: (Score:2)
So, if I'm actually firewalling-off my LAN from the Internet then I'm probably going to be fine? ie, I'm using the standard features of my consumer-grade broadband router to deny incoming connections from routing into my LAN? I've just assumed that all of the OSes on my network are vulnerable to something and I've taken steps to mitigate that. To do anything else would be asking for trouble. That same sort of consideration would apply to the "Internet of Things" and to appliances that are more special-purpose in nature too.
Add to that there's a risk taking updates on consumer devices because they frequently alter, reduce or break functionality. Think "Other O/S" or Cinavia on the PS3. Right now, my LG TV works great with my PS3 media player and wants an update. I've blocked it. Release notes don't tell all and Google's not very good at negative verification. SInce there's really no back out plan for most of these devices, I only update if I know it's needed for something I want.
libupnp vulnerability (Score:5, Informative)
Summary doesn't mention this, but the vulnerability is in libupnp [cert.org] that is used by most of these mobile apps.
Re: (Score:2, Informative)
Summary doesn't mention this, but the vulnerability is in libupnp [cert.org] that is used by most of these mobile apps.
UPNP? Well, there's your problem. A protocol that requires zero authentication and has complete trust when it's enabled. What could possibly go wrong?
Re: (Score:3)
I always disable UPnP just because it's inherently unsafe and can in addition to that also generate strange side-effects.
Having that protocol enabled can be compared to having no firewall at all.
This is one reason I don't use smart TV apps (Score:2)
Re: (Score:2)
Re: (Score:3)
uPNP is on by default on consumer routers, so yes. Most people buying routers can barely plug the thing in without someone telling your how (not an exaggeration). The last thing they can do is set up the necessary port forwarding for their kids' game consoles on their own. Something that makes it "just hook it up and it works" will be used by them regardless of safety concerns.
Re:This is one reason I don't use smart TV apps (Score:4, Insightful)
This is one reason I don't use smart TV at all
There, fixed that for you, friend.
In this day and age of mass surveillance and the corporate practice of scraping people's lives for data to sell to other corporations, just like so many scammers and malware authors do, I wouldn't at all be surprised if they haven't 'fixed' the 'bug' because it's not a bug, it's a feature, intended to allow them them 'send carefully crafted packets' to allow 'execution of arbitrary code' (read as: 'run code that allows enhanced snooping on what you're doing with your TV, and to turn on the camera and microphone to spy outright on you) so they can collect their otherwise illegal data and still maintain a plausible deniability.
In my opinion you're asking for trouble if you connect a so-called 'smart TV' to any network in the first place. Do yourself a favor and reject the entire idea and buy a non-smart TV instead. You want 'smarts'? Connect it to a media center PC or a DVR or something else. Or maybe just, I dunno, watch TV instead of making it a lifestyle? FFS TVs are turning into just gigantic versions of people's phones. Enough already..
Re: (Score:2)
The only reason I can see for use for a smart TV is because it might have native support for Hulu, YouTube, or other content channels. Even then, there are appliances for this sort of thing, and one can put a firewall appliance to allow connections to the content provider, deny them everywhere else.
Smart TVs are like IoT in general. Not needed, a solution looking for a problem, and will bring in far more security issues than it will bring benefits. Yes, there are ways to secure IoT, for example, having d
Re: (Score:2)
I've been doing some TV shopping lately, and it's getting more and more difficult to find TV's that aren't 'smart'. I've taken to proclaiming loudly "Smart TV's are for dumb people" whenever I'm in Best Buy or a similar store. But I may end up buying one of the damned things myself; if I do, I will immediately void the warranty by taking it apart and, at the very least, disconnecting the WiFi antenna.
Re: (Score:2)
Re: (Score:2)
Don't tell it your SSID or password.
Now if someone tells me that the TV will go searching for an open access point and connect, I give up. Rip it open and disable the antenna. :-)
Re: (Score:2)
That will only work for a little while. Once the next generation of system-on-a-chips are available, these spyware devices will simply connect to the cellular network at off-peak hours.
Precedent? "Onstar"
Re: (Score:3, Interesting)
My 2009-era "Smart" TV (read: TV with UPnP, DLNA, and wired ethernet, no apps) got exactly one software update. That software update did the following:
1) Disabled the "maintenance" menu
2) Disabled further updates
3) Blew the soft-fuse to prevent anyone from hard-hacking the two disabled features back.
Any vulnerabilities it had in early 2010 when that update was rolled out are baked in and are not ever going to change.
Since it can't be patched, and since the DLNA rendering client is downright fecal in its use
Re: (Score:2)
Re: (Score:1)
People have found ways to replace those "blown" fuses. Do some digging around man. You might require some knowledge of how to use a soldering iron.
Oh look, another one ... (Score:3)
Yawn, wake us up when something new happens.
That millions and millions of consumer devices have been rushed to market are riddled with security holes should be common knowledge by now.
They have no standards, no penalty, and just want to get products out the door. And then they probably spend zero time maintaining the OS on those products or fixing security holes.
The same as we've heard at least twice a week for a while.
Honestly, if companies aren't going to change, and consumers are still going to keep buying insecure crap because it's got Netflix in it ... well, this will keep happening.
Me, I'll keep refusing to buy this stuff knowing full well it's likely to have huge security and privacy issues.
But let's stop acting surprised. People having been warning of this stuff since these things became available. The security defects were almost inevitable.
Re: (Score:1)
>But let's stop acting surprised.
Who's acting surprised?
Re: (Score:2)
Me, I'll keep refusing to buy this stuff knowing full well it's likely to have huge security and privacy issues.
Trouble is that you'll end up shopping at Goodwill because all the new stuff is "smart" (something of a misnomer I agree).
And eventually, you won't even be able to find a dumb TV in the thrift stores.
For some reason, this process is known as "progress"
I can't think why.
Appliances do not get updates (Score:3, Insightful)
This one also goes for other connected things: automobiles, routers, mobile phones...
Shutdown Port 1900 on WAN0 (Score:3)
Since most (I'm assuming) firewalls sold in this day and age Deny everything and only Allow when queried an attacker would have to be on your local LAN in order to sniff out an affected device and then hopefully hack through the compromised device to get into your system.
I'm more concerned with the vulnerable Android apps having the flaws than my TV being 'hacked'.
Re: (Score:2)
What if Microsoft put Windows 10 on everything?
Then you would have two problems.
Re: (Score:2)
If there is a problem with the smart features (vulnerabilities, spying on the part of manufacturer, etc.) of my Roku or other set top box, I replace it. $50 to $100. If I want to upgrade, more processing power, memory, etc., I replace it.
But the smart features on the TV are fixed. To fix a problem or upgrade, you replace the TV. If it's a software issue, sure, that can be upgraded, but not hardware.
Some people upgrade their TVs every few years, in which case this might not matter, but I expect a TV to la
Re: (Score:2)
Re: (Score:2)
If you buy a "spyware" TV, but disable any problematic feature, you are sending the message to the manufacturer that they can get away with more of this crap in the future. Only by hitting them where they notice - their profit - will they change their behavior.
The same goes for any other product. Technically capable people that disable malicious features but still buy the product are a big part of t
Re: (Score:2)
Only by hitting them where they notice - their profit - will they change their behavior
Not buying a particular device is not always a practical choice. Often, the choice is between having to compromise to get the product or service or not get anything, because "all" vendors have incorporated the same unwanted feature(s). This notion that consumers have ultimate control in the market is a falacy. First, the consumer can only choose from what companies choose to bring to market, and this rarely is what he or she deems to be most ideal. Second, many to most purchases made by the middle and l
Re: (Score:2)
Yes. That's the sacrifice I talked about. There was a time many years ago when these problems could be fought without needing a sacrifice. Now, fighting against these trends requires a sacrifice. You might not get to watch TV. That might even impact other areas of your life. It might even be a significant loss of wage or opportunity. Why would you think fighting against a well-funded opponent would be free or easy?
My point was that these costs are increasing. You
Permission granted (Score:3)
I hereby facetiously give permission to all of the black hats out there to push malware to these televisions. The more damage you can do, the better.
I've been trying to shop around for a 4K 'television' that is really just a monitor, and the only available options at any reasonable price are "Smart" TVs. The fact that manufacturers are coupling the content playback engine with the display is just stupid. This article is the main reason why: It is very hard to create a Smart TV that is always up to date and has the latest capabilities for content. So manufacturers are left trying to create a revenue stream post sale by spying or selling content, or just not updating the OS with latest security and features.
Instead of Smart TVs, I wish they would make 4k displays with DisplayPort inputs that can drive 4K at higher than 30FPS. A TV is a product that should last 15-20 years. The devices that I hook up to the TV (PC, Tivo, cable box, xBox, whatever) are all components that have shorter life expectancies at this time because a ton of changes are happening in that area of the market. TVs just need to be dumb and simply display the content.
Re: (Score:2)
Millions of Smart TVs at risk from old vulnerabili (Score:2)
What vulnerability tests did the makers of the Smart TVs do with the libupnp library, before releasing to market.