Millions of Smart TVs, Phones and Routers At Risk From Old Vulnerability (trendmicro.com)

itwbennett writes: Adding fuel to the growing concern over how manufacturers of devices such as routers and smart TVs deal with security vulnerabilities that emerge in their products, Trend Micro found that a 3-year-old vulnerability in a software component used in millions of smart TVs, routers and phones still hasn't been patched by many vendors. Although a patch was issued for the component in December 2012, Trend Micro found 547 apps that use an older unpatched version of it, wrote Veo Zhang, a mobile threats analyst on the Trend Micro blog. 'These are very popular apps that put millions of users in danger; aside from mobile devices, routers, and smart TVs are all at risk as well,' he wrote.

  • by ginoledesma ( 161722 ) on Friday December 04, 2015 @01:45PM (#51057939)

    Summary doesn't mention this, but the vulnerability is in libupnp [cert.org] that is used by most of these mobile apps.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Summary doesn't mention this, but the vulnerability is in libupnp [cert.org] that is used by most of these mobile apps.

      UPNP? Well, there's your problem. A protocol that requires zero authentication and has complete trust when it's enabled. What could possibly go wrong?

    • by Z00L00K ( 682162 )

      I always disable UPnP just because it's inherently unsafe and can in addition to that also generate strange side-effects.

      Having that protocol enabled can be compared to having no firewall at all.

  • This is a problem with electronic devices having software. I think my TV and Bluray player probably have this vulnerability because the software hasn't been updated in ages. I don't know if my router does, but I disabled UPnP long ago on the router. At least routers are upgraded more often but your mileage may vary.
    • by kheldan ( 1460303 ) on Friday December 04, 2015 @02:00PM (#51058067) Journal

      This is one reason I don't use smart TV at all

      There, fixed that for you, friend.

      In this day and age of mass surveillance and the corporate practice of scraping people's lives for data to sell to other corporations, just like so many scammers and malware authors do, I wouldn't at all be surprised if they haven't 'fixed' the 'bug' because it's not a bug, it's a feature, intended to allow them to 'send carefully crafted packets' to allow 'execution of arbitrary code' (read as: 'run code that allows enhanced snooping on what you're doing with your TV, and to turn on the camera and microphone to spy outright on you') so they can collect their otherwise illegal data and still maintain a plausible deniability.

      In my opinion you're asking for trouble if you connect a so-called 'smart TV' to any network in the first place. Do yourself a favor and reject the entire idea and buy a non-smart TV instead. You want 'smarts'? Connect it to a media center PC or a DVR or something else. Or maybe just, I dunno, watch TV instead of making it a lifestyle? FFS TVs are turning into just gigantic versions of people's phones. Enough already..

      • by mlts ( 1038732 )

        The only reason I can see for use for a smart TV is because it might have native support for Hulu, YouTube, or other content channels. Even then, there are appliances for this sort of thing, and one can put a firewall appliance to allow connections to the content provider, deny them everywhere else.

        Smart TVs are like IoT in general. Not needed, a solution looking for a problem, and will bring in far more security issues than it will bring benefits. Yes, there are ways to secure IoT, for example, having d

      • I've been doing some TV shopping lately, and it's getting more and more difficult to find TV's that aren't 'smart'. I've taken to proclaiming loudly "Smart TV's are for dumb people" whenever I'm in Best Buy or a similar store. But I may end up buying one of the damned things myself; if I do, I will immediately void the warranty by taking it apart and, at the very least, disconnecting the WiFi antenna.

        • Don't forget to put a 50-ohm termination on that, or it'll radiate/receive anyway, or if you can identify and isolate the final amp, disconnect it from the supply rail.
        • by steveg ( 55825 )

          Don't tell it your SSID or password.

          Now if someone tells me that the TV will go searching for an open access point and connect, I give up. Rip it open and disable the antenna. :-)

          • by Endymion ( 12816 )

            That will only work for a little while. Once the next generation of system-on-a-chips are available, these spyware devices will simply connect to the cellular network at off-peak hours.

            Precedent? "Onstar"

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      My 2009-era "Smart" TV (read: TV with UPnP, DLNA, and wired ethernet, no apps) got exactly one software update. That software update did the following:
      1) Disabled the "maintenance" menu
      2) Disabled further updates
      3) Blew the soft-fuse to prevent anyone from hard-hacking the two disabled features back.

      Any vulnerabilities it had in early 2010 when that update was rolled out are baked in and are not ever going to change.

      Since it can't be patched, and since the DLNA rendering client is downright fecal in its use

      • It's been awhile since I looked, but there's a smallish Samsung TV-hacking community out there that may have information on taking back your TV, as well as sources of modded firmware with various consumer-friendly changes.
      • People have found ways to replace those "blown" fuses. Do some digging around man. You might require some knowledge of how to use a soldering iron.

  • by gstoddart ( 321705 ) on Friday December 04, 2015 @01:49PM (#51057975) Homepage

    Yawn, wake us up when something new happens.

    That millions and millions of consumer devices have been rushed to market and are riddled with security holes should be common knowledge by now.

    They have no standards, no penalty, and just want to get products out the door. And then they probably spend zero time maintaining the OS on those products or fixing security holes.

    The same as we've heard at least twice a week for a while.

    Honestly, if companies aren't going to change, and consumers are still going to keep buying insecure crap because it's got Netflix in it ... well, this will keep happening.

    Me, I'll keep refusing to buy this stuff knowing full well it's likely to have huge security and privacy issues.

    But let's stop acting surprised. People have been warning of this stuff since these things became available. The security defects were almost inevitable.

    • by Anonymous Coward

      >But let's stop acting surprised.

      Who's acting surprised?

    • Me, I'll keep refusing to buy this stuff knowing full well it's likely to have huge security and privacy issues.

      Trouble is that you'll end up shopping at Goodwill because all the new stuff is "smart" (something of a misnomer I agree).

      And eventually, you won't even be able to find a dumb TV in the thrift stores.

      For some reason, this process is known as "progress"

      I can't think why.

  • by sanf780 ( 4055211 ) on Friday December 04, 2015 @02:00PM (#51058071)
    After all, TV OEMs want to sell products one year, and sell new products next year. They do not want to spend money on supporting old sets.

    This one also goes for other connected things: automobiles, routers, mobile phones...

  • by bigdady92 ( 635263 ) on Friday December 04, 2015 @02:12PM (#51058127) Homepage
    Good lord this is such a non issue even Windows XP's Firewall blocks this vulnerability from occurring naturally. You have to implicitly allow port 1900 to go OUT your firewall which is nonsense in and of itself. Furthermore, if you ALLOW your WAN port to be open on port 1900 you may be screwed.

    Since most (I'm assuming) firewalls sold in this day and age Deny everything and only Allow when queried an attacker would have to be on your local LAN in order to sniff out an affected device and then hopefully hack through the compromised device to get into your system.

    I'm more concerned with the vulnerable Android apps having the flaws than my TV being 'hacked'.
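
For taking stock of which devices on your own LAN answer SSDP on UDP port 1900 and advertise libupnp, the topic of the comments above, here is an added example that is not from any commenter or from Trend Micro. The sample responses and their version numbers are constructed placeholders, and the first fixed release is passed in by the caller from the vendor advisory rather than hard-coded.

```python
import re
import socket

SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
M_SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n')
# libupnp names itself with this product token in the SERVER header.
SDK_RE = re.compile(r"Portable SDK for UPnP devices/\s*(\d+(?:\.\d+)*)", re.I)

# Constructed sample responses; the version numbers are placeholders only.
SAMPLE_OLD = ("HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
              "SERVER: Linux/0.0 UPnP/1.0 Portable SDK for UPnP devices/0.0.1\r\n\r\n")
SAMPLE_OTHER = ("HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.10:8080/desc.xml\r\n"
                "Server: ExampleOS/1.0 UPnP/1.0 ExampleStack/2.0\r\n\r\n")

def parse_server_header(response):
    """Return the SERVER header value of one SSDP response, or None."""
    for line in response.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def libupnp_version(response):
    """Return the advertised libupnp version as a tuple of ints, or None."""
    m = SDK_RE.search(parse_server_header(response) or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def needs_review(response, first_fixed):
    """True when the device advertises libupnp older than first_fixed.

    A missing or rewritten SERVER header yields False, which means
    "unknown", not "patched": such devices still need a manual check.
    """
    version = libupnp_version(response)
    return version is not None and version < first_fixed

def discover(timeout=3.0):
    """Send one M-SEARCH on the local segment; return {ip: raw response}."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(M_SEARCH, SSDP_ADDR)
        try:
            while True:
                data, (ip, _port) = s.recvfrom(4096)
                found[ip] = data.decode("latin-1")
        except socket.timeout:
            pass
    return found
```

Run `discover()` from a host on the same segment as the TVs and routers, then pass each response to `needs_review()` with the first fixed version taken from the libupnp advisory.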
  • by TimothyDavis ( 1124707 ) <tumuchspaam@hotmail.com> on Friday December 04, 2015 @02:55PM (#51058449)

    I hereby facetiously give permission to all of the black hats out there to push malware to these televisions. The more damage you can do, the better.

    I've been trying to shop around for a 4K 'television' that is really just a monitor, and the only available options at any reasonable price are "Smart" TVs. The fact that manufacturers are coupling the content playback engine with the display is just stupid. This article is the main reason why: It is very hard to create a Smart TV that is always up to date and has the latest capabilities for content. So manufacturers are left trying to create a revenue stream post sale by spying or selling content, or just not updating the OS with latest security and features.

    Instead of Smart TVs, I wish they would make 4k displays with DisplayPort inputs that can drive 4K at higher than 30FPS. A TV is a product that should last 15-20 years. The devices that I hook up to the TV (PC, Tivo, cable box, xBox, whatever) are all components that have shorter life expectancies at this time because a ton of changes are happening in that area of the market. TVs just need to be dumb and simply display the content.

  • "Trend Micro found that a 3-year-old vulnerability in a software component used in millions of smart TVs"

    What vulnerability tests did the makers of the Smart TVs do with the libupnp library, before releasing to market?
