Android Ransomware Infects LG Smart TV, Company 'Refuses' To Help (bleepingcomputer.com)
Date: 2016-12-28
Security firms have been warning us for more than a year about the possibility of Android malware jumping from phones and tablets to other Android-powered devices, such as smart TVs. The latest incident involving ransomware on a smart TV involves software engineer Darren Cauthon, who revealed that the LG smart TV of one of his family members was infected with ransomware right on Christmas day. What's worse? He claims LG wouldn't help him perform a factory reset of the device. From a report: Based on a screenshot Cauthon posted online, the smart TV appears to be infected with a version of the Cyber.Police ransomware, also known as FLocker, Frantic Locker, or Dogspectus. The infected TV is one of the last generations of LG smart TVs that ran Google TV, a smart TV platform developed by Google together with Intel, Sony, and Logitech. Google TV launched in 2010, but Google discontinued the project in June 2014. In the meantime, LG has moved on from Google TV, and the company's TVs now run WebOS. Cauthon says he tried to reset the TV to factory settings, but the reset procedure available online didn't work. When the software engineer contacted LG, the company told him to visit one of their service centers, where one of its employees could reset his TV.
So, will they be renaming the company to "Life Sucks"?
While they do seem to be using that as a motto right now, LG doesn't really even stand for "Life's Good" but rather "Lucky-Goldstar", which is a combination of two brands which merged to form the company. Amusingly, while Goldstar sold electronics, Lucky was more commonly associated with detergents and hygiene products.
:-)
I bought an LG TV recently, but I'm smart enough not to buy a smart TV. It works great, no frills, no nonsense, I love my Goldstar! In the 90s I had a goldstar CRT monitor and it sucked, they've come a long way.
It seems to be quite consistent:
Toshiba: http://www.toshiba-tmat.co.jp/... [toshiba-tmat.co.jp]
Samsung only sold to Lotte less than a year ago: http://www.samsungchemical.com... [samsungchemical.com]
who were a bit behind Sony which spun off its chemical division 4 years ago: http://www.dexerials.jp/en/ [dexerials.jp]
Electronics companies have a VERY long history which includes a lot of chemical manufacture.
I expected no less (Score:5, Informative)
Remember this company used to be called GoldStar, best known for substandard product and nonexistent customer service in the 90s. The brand name was so thoroughly trashed they renamed themselves LG.
Hell they didn't even own the www.lg.com domain
not a rejection, a redirection (Score:3)
but after the factory guys pull the lithium cell, or hook it to a tesla coil, or replace a module, or whatever to hard-reset the set, it's still vulnerable.
"Smart TV" is bogus. never hook an ethernet cable to one. use a Roku or Chromecast or something else cheap, easily replaceable, and disposable if you feel the need for direct streaming.
It's more likely to be some masonic handshake like holding down certain buttons for exactly 2 pi seconds while standing on one leg with a pencil in your ear - which they could have read out over the phone.
Re:not a rejection, a redirection (Score:5, Interesting)
"Smart TV" is bogus. never hook an ethernet cable to one. use a Roku or Chromecast or something else cheap, easily replaceable, and disposable if you feel the need for direct streaming.
Unfortunately the TV manufacturers are making it harder and harder to avoid some kind of network connection. Our Vizio comes with a really terrible and over-simple remote that doesn't do anything, to configure the TV you must at least use your smartphone and a crappy application.
At least in our TV's case, they are only one step from the conventional TV and remote so I can order an older TV's remote and get most of the functionality, but it's still annoying as hell.
But you're right, I doubt I will ever hook the TV to the Ethernet or the Wifi. Bad enough that I couldn't avoid doing that with the Blu-ray player, otherwise I'd just let the computer that I've put into the entertainment center supply whatever I need.
I made sure to test them out in the store first. Not only will I not buy a "smart" TV, it has to have an intuitive physical interface that I can operate without a remote if needed. I was skeptical of the LG at first because it used a miniature joystick that's out of sight on the bottom surface. However, as soon as I moved it, a menu popped up, and it was easy and intuitive to find and select options without having to learn some nifty interface paradigm.
Some of the other brands had traditional buttons, but
Re:not a rejection, a redirection (Score:4, Interesting)
"the smart TV appears to be infected..." (Score:2)
Re:"the smart TV appears to be infected..." (Score:5, Insightful)
Asked to detail how he got infected with the ransomware, Cauthon said "They [the relatives] said they downloaded an app to watch a movie. Halfway thru movie, tv froze. Now boots to this."
10-to-1 odds his relatives downloaded some shady app promising "free movies" (aka pirated movies), and was downloaded from a shady source. This generally doesn't happen by itself, and it's pretty rare to get infected by stuff from the official store. Yes, it happens, but the *vast* majority of Android malware is on 3rd party sites.
The general public needs to learn that downloading stuff from unverified 3rd party sources is going to get you infected sooner or later. To be perfectly honest, this is why Apple's walled garden with locked-down devices may be better for your typical user. Most people certainly can't handle the responsibility of keeping a modern PC clean, and it appears they can't even keep a smart TV malware free. Remember the saying "a little knowledge is a dangerous thing"? Well, time and time again we see that users seem to have just enough knowledge to thoroughly screw themselves and their devices.
I feel for them having to shell out a few hundred to learn this lesson, but it's a lesson worth learning before they get infected with a banking trojan on their PC. Of course, we don't really know the whole story, so I'm sort of reading between the lines and could certainly be wrong about this. But I doubt it.
Re:"the smart TV appears to be infected..." (Score:5, Informative)
The various branded flavours of Android on phones, tablets, and TVs are often locked into only downloading and installing apps from Google Play and/or their own branded app stores. Installing apps from 3rd parties, i.e. download the package and install it manually, is beyond most users' knowledge and capabilities. It's more likely that the malware was installed from Google Play or the branded app store. Their verification and malware screening processes will always be at least a step behind the criminals.
There are criminals inside of my walled garden? Preposterous!
Nonsense, there are plenty of step-by-step guides on YouTube [youtube.com] showing you how to sideload any app on an Android TV. Any 15-year old can follow along.
If this was an app downloaded directly from an official source, it surely would have been mentioned, as this would have shifted some of the liability in LG's direction - or at least would generate a lot more sympathy. So sorry, no, I'm not buying that it was from the official store.
Re: (Score:3)
you think there is no malware in official google store?
There you go: https://play.google.com/store/... [google.com]
4.5 stars
:DDD 161,829 positive reviews :)
https://virtuallyfun.superglob... [superglobalmegacorp.com]
Re: (Score:3)
You would think that something would go off in their head telling them not to follow instructions to disable security settings, but I suppose most people are used to being sheep and doing what they're told instead of engaging their brains and doing some critical thinking.
Re: (Score:3)
It's the Windows UAC curse. It didn't teach them that there are certain things where you should think before you act, all it taught them is that you have to click "yes" or it doesn't work.
Re: (Score:3, Insightful)
Re: (Score:2)
Feminist apps.
Just wait for best buy to up sell geek squad for smart tvs
A Perfect Illustration (Score:2, Insightful)
I can't think any better demonstration of why smart TVs are such a bad idea than this. I hope this story gets as much chatter as possible.
Re: (Score:3)
I can't think any better demonstration of why smart TVs are such a bad idea than this. I hope this story gets as much chatter as possible.
Especially with NUCs and similar becoming so cheap... All I want is a dumb display!
Re: (Score:2)
Re: (Score:2)
To a lot of people, unfortunately yes. You go to your elder relative or cousin and rattle off that sentence above, they throw up their hands and exclaim "Hey! Whoa! I ain't one of those computer geniuses!!"
It is literally rocket surgery to them...
:(
To a lot of people, unfortunately yes. You go to your elder relative or cousin and rattle off that sentence above, they throw up their hands and exclaim "Hey! Whoa! I ain't one of those computer geniuses!!"
It is literally rocket surgery to them...
:(
And you answer, "It is just a computer like on your desk, but smaller so you can stick it behind the TV." Then watch the lightbulb come on.
I tried to get my mother (in her 80s but, for all that, pretty tech-friendly) Netflix for her birthday, which with her 8-year-old not-Smart flatscreen would have meant a Roku box. After I explained it (for the 5th time in my life, I think), she finally announced "I don't want that stuff on my TV. It's too much." Calling it "just a computer" would not have helped. In this case, I think if it didn't require a change of HDMI input when using it she might have gone for it.
Also, even with the Chromecast, you
I wish that happened, but it does not. Mainly because only gamers, businesses, and power users have any computer on any desk.
Re: (Score:2)
"Refuses?" (Score:5, Insightful)
At $340... When new 4k 55 inch TVs are $400. Sounds more like a hell of a business plan!
Re: (Score:2)
That's my take on it, especially with a tv that is old, no longer being produced, and with on-line instructions (probably completely standard) tried that didn't work. A support person on the phone would only walk him thru the same procedure. It's infected with ransomware. If a reboot solved that problem, it wouldn't be a problem.
Re: (Score:2)
LG doesn't own most of its service centers. Most of them are independent repair centers that service several brands. Having been a warranty tech in the past I can attest we don't get reimbursed for "research" work. If LG wants to see what's going on then they would ask us to replace the control board and send them the broken part. Most likely they'll just force a wipe and firmware flash. OP should have bought a TV with an onsite warranty.
If it didn't cost $340 it might be legit. Also, if there was a service center within any reasonable distance of anything. I went to the service center locator and entered a few valid U.S. zip codes for well populated areas and it couldn't find a single service center within 50 miles of any of them.
So that sounds more like being blown off than offered help.
Why not just give him the instructions for how to actually do a factory reset?
Re: (Score:3, Insightful)
an untrustworthy user whose relative installed a trojan malware to play a pirated movie.
He's lucky LG gave him the time of day. He richly deserves the trouble he's having.
Re: "Refuses?" (Score:4, Insightful)
...just like guns "can be exploited" to shoot people, and vehicles "can be exploited" to run over them.
It's a very dangerous argument you're making, that liability is derived from the end condition, rather than the initial effort. As long as LG put forth a reasonable effort to ensure that their products are free from defects, which seems likely considering the product timeline, LG is very unlikely to be at fault here.
I'll also note a bit from TFA:
It is unclear at this moment if Cauthon's relative downloaded an app from the official Play Store, or from a third-party source.
Re: (Score:2)
Why, he is the customer, they should help. A better question is why isn't there a straightforward easy as child's play way to factory reset the device?
Re: (Score:2)
First of all, it could have been him who installed said "malware".
Secondly, he could have tried installing a nonmalware application infected with a trojan after the original developer has his credentials stolen/lost/whatever.
Thirdly, Google regularly removes malware from the Play Store.
Fourthly, your expressed schadenfreude looks at the very least awkward.
/. has recently turned to shit. Insightful/informative posts are often ignored, hateful/factually incorrect comments are promoted.
Re: "Refuses?" (Score:5, Insightful)
No, he deserves a consumer electronics device that can be reliably reset to factory by the end user.
I suppose you don't think newbies who get duped into the same problem deserve Microsoft's help reinstalling Windows either
They deserve MS's help, but I would expect them to pay for it. The issue at hand isn't that the guy COULDN'T take it to a service center, as requested by LG, is that he didn't feel as though he should have to pay for it. If I screw up my computer by installing a 3rd party application it would be ridiculous to expect MS to fix it for free.
Re: (Score:2)
They offer a procedure, but their procedure doesn't work. The guy wasn't asking them to do the work. He was asking for them to inform him how he can perform the work himself.
You aren't refuting my point at all. If they have a published reset procedure that they supply to everyone, that (I can only assume) works for non-infected devices, but does not work on his infected device I would expect that he should have to pay for troubleshooting. No manufacturer in their right mind is going to e-mail you a HEX file and tell you to plug a programmer into the device to re-flash it, they are going to tell you to come to the service center with your check book. No different than if you
Re: (Score:2)
...you are wrong. Off you go now
...
Drain the oil out of your car, run the engine until it seizes, call GM and tell them your car won't start, see if you can get them to walk you through rebuilding the engine.
Yes, I most likely have one. Try me.
Re: (Score:2)
Can you stick a TV in carry on?
Re: (Score:2)
And the average 70" flat screen fits easily under your seat in economy.
Re: (Score:2)
Ever notice that when a sentence starts off, "I like how ...," the rest of it is a sophomoric diatribe about how the author doesn't actually, " ... like how ...?"
Re:Oh look, here comes the corporate white knight (Score:4, Insightful)
I like how everybody here understands sarcasm.
Ever notice that when a person gets called for being sophomoric, they play the, "sarcasm" card?
So-called Smart TV (Score:5, Funny)
I bought one of them Smart TVs, but it still had all the same dumb shows on it, so we put it up on a pair of sawhorses and are now using it as a dining table. Assholes at Best Buy didn't want to give me a refund.
After the cutlery scratched it up, who can blame them for not taking it back?
had to buy a smart tv, but don't have to IP it (Score:2)
when I was buying tv's a few years ago, the only models in the size I wanted were 'smart'.
ok, no big deal. just don't give it a wifi access and don't ever let it on the net.
simple. mine is still using factory firmware (which has bugs but the cure is worse, I'm told) and it won't ever be upgraded.
it just runs hdmi from my htpc and that's that. I don't have cable/etc - I download what I want and watch it on the pc. bonus that the vizio sets would support 1080p@120hz and my intel skylake chip also supports
You should see if you can find an attack vector just over HDMI. That would totally get you a speaking slot at a security conference.
Re: (Score:2)
Yeah, this is one problem with so-called "smart" TVs - the whole concept ignores how people buy televisions. TV owners tend to hold onto their sets for many years, while companies (understandably) generally aren't interested in maintaining the software for a device for more than two or three years. We bought an LG smart TV back in 2011; and after the first couple years passed, the only software updates which have been available all *removed* features (Amazon, Pandora, other "features" I don't recall).
I assu
Re:had to buy a smart tv, but don't have to IP it (Score:4, Informative)
What's the problem, really? (Score:3)
"He claims LG wouldn't help him perform a factory reset of the device."
"[...] the company told him to visit one of their service centers, where one of its employees could reset his TV."
How's that "wouldn't help"? He obviously gets help offered. Maybe not what he hopes to get, but it's a clear offer of help getting the TV working again.
Wouldn't tell him how and wanted to charge $320...not exactly "refused", but certainly far from assisted.
If that happened to me I might well characterize them as having refused to help me. A fuller explanation would be more accurate, but would also be so long most people wouldn't listen.
Re: (Score:3)
"Refuses to help" and "refuses to help for free" aren't the same thing.
Easy solution... (Score:2)
I hate smart TVs, and so should you (Score:2)
I want my display to be a dumb panel. Nothing good has ever come from combining two unrelated items into one package. Buy a printer/scanner/fax? Now you can't scan if you're out of toner. Good tools do one thing and do it well.
We bought a nice Vizio with a good display. I played with the builtin apps long enough to verify that they were ancient junk that would never not suck. About that time it came out that Vizio was monitoring your content for advertising purposes [extremetech.com] so that completely ended the experiment.
Re: (Score:2)
Dude, adjust your tinfoil. I dislike smart TVs for several reasons - they're known to spy on owners, their UIs suck, their apps suck, and their app stores suck - but I like other modern conveniences. I applaud your backup strategy that you mention for no apparent reason, but I like having friends over and letting them use my Wi-Fi without jumping through insane hoops.
It's easy to be secure: just unplug the thing and be done with it. It's more satisfying to be secure and functional.
A more general problem... (Score:2)
Vendors just don't supply system images. If they are in a good mood, you might get some OTA updates; and there will be some key combo that allows you to initiate a 'system restore', which may do the trick if nothing has tampered with or corrupted the 'system' side of things and just wiping the user-writeable data is good enough; but if you want to reflash the entire device
Smart is an after thought (Score:2)
The efforts of TV manufacturers are half-baked or an afterthought. I have yet to find a smart tv that works better than a dedicated device. Even something as cheap as a Fire/Roku stick is a better experience.
If it sounds too good to be true... (Score:5, Informative)
...it probably is. Don't try to find some app to watch movies for free as an alternative to paying for them via approved, signed applications and you most likely will not get ransomware. If you try to find "free" stuff, you're playing the malware equivalent of Russian Roulette.
On the note of resetting firmware, for most TV's you normally do this via the remote and the menu. However, in this particular case that won't work. There should be a way to physically hard-reset any consumer device to factory defaults without requiring an OSD. The reasons you might need to do this go beyond malware such as a power outage during a firmware upgrade or maybe (gasp) the consumer device manufacturer pushed a bad software update, bricking your consumer device.
There is actually a way to reset your LG firmware without using the OSD though. Go to LG's website: http://www.lg.com/us/support/s... [lg.com], search for your TV model, then click on your TV's model number (found on the back of the TV). You will see a modal dialog that has two links, one to the firmware and one to the software upgrade guide. The software upgrade guide walks you through the steps to put the firmware on a USB drive and upgrade it without needing to use the OSD. I found this YouTube video that walks you through the whole process as well: https://www.youtube.com/watch?... [youtube.com]
Don't go drama on tech support which in a lot of cases is outsourced to call centers full of low income incompetent idiots. If you want something done right, figure it out and do it yourself. Be your own tech support.
Just bill the relatives for the repair (Score:3)
His relatives installed malware on his TV, without his permission or knowledge. He should bill them for the repair cost.
i wonder how those things are wired (Score:2)
Why do companies have to be that obnoxious? (Score:2)
Smartest thing I ever did to my smart TV (Score:2)
When I first booted the TV it asked me if it was going to be used as a TV or as a monitor and I chose monitor and plugged a ROKU into it.
Their Response Was Not a Refusal... (Score:2)
When he couldn't perform a factory reset, they told him to have it serviced. That seems like the right response to me.
What else are they supposed to do? Step him through disassembling it over the phone? Do any consumer support lines ever go that far?
Maybe the crypto malware tampered with just the right thing, or maybe there is a physical defect preventing the reset. At the service center, I assume they can replace whatever is necessary to resolve the problem.
I'd be more pissed off at a company that wasted
And that would be the locally available service center. And a fee.
One of the big lies about modern electronics is that they are repairable. Sort of, often. TVs are particularly difficult, with the lack of data the biggest problem. And service data is too precious to be let out of the system, so we no longer can even hope to repair a modern TV ourselves. Even for this issue, a reset.
Not good.
The big lie about modern electronics is that they're easily repairable.
Yes, the TV in question can be repaired. Mr. Cauthon can disassemble the thing, remove the boards, desolder the flash memory, attach it to a reader/programmer, change bits to match a known-good unit, then rebuild the entire thing to see if it works. It's not going to be easy, but it will work... Of course doing it that way would cost a lot more than just replacing the board with a spare and resetting the memory, so that's what the service center will do.
While you are spot on about the actual work involved to fix a modern device, I'm curious as to your assertion that some fraction of the world thinks that modern electronics are easily repairable. As far as I can tell, it's just the fine folks at iFixit that think modern electronics should be repairable.
Really, I have a rework station but rarely use it to fix a commercial device and even more rarely are successful. Mostly use it to fix my own copious errors.
What are you talking about? Pretty much the only thing everyone knows about modern electronics is that they are near impossible to fix, in any way. Even if you do know a lot about them, it's either economically unfeasible to fix them or outright impossible altogether.
No need to de-solder anything. JTAG should be sufficient.
Of course, had the device been designed properly in the first place, there would be a recessed button to press in order to load everything from read only memory.
Re: (Score:2)
they'll be wiping its memory and re flashing it entirely. hence send it to a service center.
And the $340 to do so is no big deal...
Re: because they won't be resetting the tv. (Score:2)
More like: Plug in thumb drive. Key secret incantation into remote. Wait for the process to finish. Remove thumb drive. Bill customer
Re: (Score:3)
TV's should be supported for at least 10 years, and should be in as much of a walled sandbox as possible. We have a TV that is now almost 9 years old, and thankfully it is not "smart". I actively avoid "smart" stuff, I just don't see any real upside for a "smart" toaster, fridge, oven thermometers, etc. Instead I see tons of downside.
Companies churn through new stuff on a yearly basis and rarely support any older stuff, so that "smart" stuff quickly stops shipping apps to support it, and it is only a mat
LG "smart" TVs used to be based on Google TV, which was discontinued a couple years ago.
I know, I know, it's hard to believe a Google offering got discontinued...
Re: Company 'Refuses' To Help (Score:2)
Replacing a screen has a hard cost to LG of a few hundred dollars for the replacement part. Putting a flashdrive image on a ftp server with instructions for using it has per-tv marginal costs approaching zero.
Putting a flashdrive image on a ftp server with instructions for using it...
If they wanted to give an easy way to jailbreak the device, sure.
But I doubt they want that, so they make the consequences high for attempting to do so. I'm not saying I agree with the policy (if that's what they did), just that I understand why they did it.
Re: (Score:2)