Android Ransomware Infects LG Smart TV, Company 'Refuses' To Help (bleepingcomputer.com) 85

Security firms have been warning us for more than a year about the possibility of Android malware jumping from phones and tablets to other Android-powered devices, such smart TVs. The latest incident involving ransomware on a smart TV involves software engineer Darren Cauthon, who revealed that the LG smart TV of one of his family members was infected with ransomware right on Christmas day. What's worse? He claims LG wouldn't help him with perform factory reset of the device. From a report: Based on a screenshot Cauthon posted online, the smart TV appears to be infected with a version of the Cyber. Police ransomware, also known as FLocker, Frantic Locker, or Dogspectus. The infected TV is one of the last generations of LG smart TVs that ran Google TV, a smart TV platform developed by Google together with Intel, Sony, and Logitech. Google TV launched in 2010, but Google discontinued the project in June 2014. In the meantime, LG has moved on from Google TV, and the company's TVs now run WebOS. Cauthon says he tried to reset the TV to factory settings, but the reset procedure available online didn't work. When the software engineer contacted LG, the company told him to visit one of their service centers, where one of its employees could reset his TV.

    So, will they be renaming the company to "Life Sucks"?

      While they do seem to be using that as a motto right now, LG doesn't really even stand for "Life's Good" but rather "Lucky-Goldstar", which is a combination of two brands which merged to form the company. Amusingly, while Goldstar sold electronics, Lucky was more commonly associated with detergents and hygiene products.

      Amusingly, while Goldstar sold electronics, Lucky was more commonly associated with detergents and hygiene products.

        I hope the implied irony is how the company is now refusing to help sanitize their electronic devices. :-)

      Remember this company used to be called GoldStar, best known for substandard product and nonexistent customer service in the 90s. The brand name was so thoroughly trashed they renamed themselves LG.

    • but after the factory guys pull the lithium cell, or hook it to a tesla coil, or replace a module, or whatever to hard-reset the set, it's still vulnerable.

      "Smart TV" is bogus. never hook an ethernet cable to one. use a Roku or Chromecast or something else cheap, easily replaceable, and disposeable if you feel the need for direct streaming.

      but after the factory guys pull the lithium cell, or hook it to a tesla coil, or replace a module, or whatever to hard-reset the set, it's still vulnerable.

        It's more likely to be some masonic handshake like holding down certain buttons for exactly 2 pi seconds while standing on one leg with a pencil in your ear - which they could have read out over the phone.

      but after the factory guys pull the lithium cell, or hook it to a tesla coil, or replace a module, or whatever to hard-reset the set, it's still vulnerable.

        The circuit to pull/replace is the flux-capacitor and the TV will be fine once you get it up to 88 mph.

  • "the smart TV appears to be infected..."

    I guess the TV ain't so smart now...

    • Asked to detail how he got infected with the ransomware, Cauthon said "They [the relatives] said they downloaded an app to watch a movie. Halfway thru movie, tv froze. Now boots to this."

      10-to-1 odds his relatives downloaded some shady app promising "free movies" (aka pirated movies), and was downloaded from a shady source. This generally doesn't happen by itself, and it's pretty rare to get infected by stuff from the official store. Yes, it happens, but the *vast* majority of Android malware is on 3rd party sites.

      The general public needs to learn that downloading stuff from unverified 3rd party sources is going to get you infected sooner or later. To be perfectly honest, this is why App

      • The various branded flavours of Android on phones, tablets, and TVs are often locked into only downloading and installing apps from Google Play and/or their own branded app stores. Installing apps from 3rd parties, i.e. download the package and install it manually, is beyond most users knowledge and capabilities. It's more likely that the malware was installed from Google Play or the branded app store. Their verification and malware screening processes will always be at least a step behind the criminals.

  • Just wait for best buy to up sell geek squad for smart tvs

    I can't think any better demonstration of why smart TVs are such a bad idea than this. I hope this story gets as much chatter as possible.

    I can't think any better demonstration of why smart TVs are such a bad idea than this. I hope this story gets as much chatter as possible.

      Especially with NUCs and similar becoming so cheap... All I want is a dumb display!

      All I want is a dumb display!

        Amen to that. Is hooking up a cheap media box via HDMI so difficult to do these days?

    "The company told him to visit one of their service centers, where one of its employees could reset his TV."

funny, that seems like a legit offer of help.

    funny, that seems like a legit offer of help.

    • It is totally reasonable to expect a customer to hop a plane to the nearest service center. Absolutely.

        an untrustworthy user whose relative installed a trojan malware to play a pirated movie.

        He's lucky LG gave him the time of day. He richly deserves the trouble he's having.

        • Bullshit. They shipped the device configured to allow such behavior. I suppose you don't think newbies who get duped into the same problem deserve Microsoft's help reinstalling Windows either.

            I suppose you don't think newbies who get duped into the same problem deserve Microsoft's help reinstalling Windows either

            They deserve MS's help, but I would expect them to pay for it. The issue at hand isn't that the guy COULDN'T take it to a service center, as requested by LG, is that he didn't feel as though he should have to pay for it. If I screw up my computer by installing a 3rd party application it would be ridiculous to expect MS to fix it for free.

        • If your TV can be exploited by installing an app through the curated app store, then it's the TV's fault, not the user's.

          • ...just like guns "can be exploited" to shoot people, and vehicles "can be exploited" to run over them.

            It's a very dangerous argument you're making, that liability is derived from the end condition, rather than the initial effort. As long as LG put forth a reasonable effort to ensure that their products are free from defects, which seems likely considering the product timeline, LG is very unlikely to be at fault here.

            I'll also note a bit from TFA:

            It is unclear at this moment if Cauthon's relative downloaded an app from the official Play Store, or from a third-party source.

              Effort is a useless metric unless compared against someone mastered in the art. If a master would have found the issue effortlessly, assuming no hindsight, then the company did not make a good-faith "effort". They probably hired someone with "security skills" and checked off a box somewhere saying they did a security review, assuming that even happened.

            Don't mean to be pedantic, but the article does not clarify if it was an app-store app or a side channel 3rd party app. If it was the former, yeah, I'd agree it's the manufacturer's fault. If it's the latter, that's all on the user.
        • So you are accusing the customer of being the bad guy. You sound like you work for a Korean company help desk. As such you are a cunt. Go fuck yourself. Sound harsh? It's no more harsh than you accusing someone else of trashing their own TV for some sort of gain. So I say again fuck off and go away you low life troll.

            He installed malware from a movie pirating site, then he cries because LG wants to charge him to clean up the mess. No sympathy here.

        Read the article they want $340 for the service

      It is totally reasonable to expect a customer to hop a plane to the nearest service center. Absolutely.

Can you stick a TV in carry on?

        Can you stick a TV in carry on?

    • "The company told him to visit one of their service centers, where one of its employees could reset his TV."

      funny, that seems like a legit offer of help.

      At $340... When new 4k 55 inch TVs are $400. Sounds more like a hell of a business plan!

    • "The company told him to visit one of their service centers, where one of its employees could reset his TV."

      funny, that seems like a legit offer of help.

      That's my take on it, especially with a tv that is old, no longer being produced, and with on-line instructions (probably completely standard) tried that didn't work. A support person on the phone would only walk him thru the same procedure. It's infected with ransomware. If a reboot solved that problem, it wouldn't be a problem.

    I bought one of them Smart TVs, but it still had all the same dumb shows on it, so we put it up on a pair of sawhorses and are now using it as a dining table. Assholes at Best Buy didn't want to give me a refund.

  • Trying to load some off the wall app and they get ransom-ware instead.
    Who'd of thunk it!

    • And why would you ever want to let "Users" burn it down an reinstall from home? That is crazy talk!

    • TV's should be supported for at least 10 years, and should be in as much of a walled sandbox as possible. We have a TV that is now almost 9 years old, and thankfully it is not "smart". I actively avoid "smart" stuff, I just don't see any real upside for a "smart" toaster, fridge, oven thermometers, etc. Instead I see tons of downside.

      Companies churn through new stuff on a yearly basis and rarely support any older stuff, so that "smart" stuff quickly stops shipping apps to support it, and it is only a mat

  • when I was buying tv's a few years ago, the only models in the size I wanted were 'smart'.

    ok, no big deal. just don't give it a wifi access and don't ever let it on the net.

    simple. mine is still using factory firmware (which has bugs but the cure is worse, I'm told) and it won't ever be upgraded.

    it just runs hdmi from my htpc and that's that. I don't have cable/etc - I download what I want and watch it on the pc. bonus that the vizio sets would support 1080p@120hz and my intel skylake chip also supports

      You should see if you can find an attack vector just over HDMI. That would totally get you a speaking slot at a security conference.

    • Yeah, this is one problem with so-called "smart" TVs - the whole concept ignores how people buy televisions. TV owners tend to hold onto their sets for many years, while companies (understandably) generally aren't interested in maintaining the software for a device for more than two or three years. We bought an LG smart TV back in 2011; and after the first couple years passed, the only software updates which have been available all *removed* features (Amazon, Pandora, other "features" I don't recall).

      I assu

      just don't give it a wifi access and don't ever let it on the net.

      Vizio has this fun new trick. You literally can't configure the TV without their smartphone app and a wifi connection.

  • "He claims LG wouldn't help him with perform factory reset of the device."

    "[...] the company told him to visit one of their service centers, where one of its employees could reset his TV."

    How's that "wouldn't help"? He obviously gets help offered. Maybe not what he hopes to get, but it's a clear offer of help getting the TV working again.

    • How's that "wouldn't help"? He obviously gets help offered.

      RTFA. The cost of that "help" is more than the TV was worth.

      Wouldn't tell him how and wanted to charge $320...not exactly "refused", but certainly far from assisted.

      If that happened to me I might well characterize them as having refused to help me. A fuller explanation would be more accurate, but would also be so long most people wouldn't listen.

  • Do not connect the TV to the net ever or buy a commercial display with no 'SMART' features that will cease to be supported. Hook in the trusted device of your choice via HDMI. Roku, Chromecast, Pi with Kodi, PC, fire stick, you name it. Your source device will typically be much cheaper than the entire TV, faster, and better supported. Also very easy to replace if the manufacturer screws you over, while keeping the same display.

  • I want my display to be a dumb panel. Nothing good has ever come from combining two unrelated items into one package. Buy a printer/scanner/fax? Now you can't scan if you're out of toner. Good tools do one thing and do it well.

    We bought a nice Vizio with a good display. I played with the builtin apps long enough to verify that they were ancient junk that would never not suck. About that time it came out that Vizio was monitoring your content for advertising purposes [extremetech.com]

    so that completely ended the experiment.

      Try a factory reset. Then it is off the network entirely. Never set it up for that again.
  • This case highlights a more general problem with most(not quite all, Nexus devices and a few others aren't affected) Android hardware:

    Vendors just don't supply system images. If they are in a good mood, you might get some OTA updates; and there will be some key combo that allows you to initiate a 'system restore', which may do the trick if nothing has tampered with or corrupted the 'system' side of things and just wiping the user-writeable data is good enough; but if you want to reflash the entire device

  • The efforts of TV manufacturers are half-baked or an afterthought. I have yet to find a smart tv that works better than a dedicated device. Even something as cheap as a Fire/Roku stick is a better experience.

  • ...it probably is. Don't try to find some app to watch movies for free as an alternative to paying for them via approved, signed applications and you most likely will not get ransomware. If you try to find "free" stuff, you're playing the malware equivalent of Russian Roulette.

    On the note of resetting firmware, for most TV's you normally do this via the remote and the menu. However, in this particular case that won't work. There should be a way to physically hard-reset any consumer device to factory def

  • His relatives installed malware on his TV, without his permission or knowledge. He should bill them for the repair cost.

  • what if it is possible to unplug something inside, or snip a few wires, or cut a circuit board trace to turn off the internet/computer part of the TV basically disabling it so it is no longer an internet aware TV and a basic dumb TV that only handles cable/satellite or over the air broadcast TV???
  • I understand (if I do not share) the "business is business" rationale, maximizing profit regardless or morality, etc. However, I fail to understand the behavior of companies like LG, Samsung, Comcast, Verizon, etc. when they seem to act obnoxiously just because they can - i.e. they are in control, and because they can screw you, the customer, they will screw you, just because they can. Not that I was buying a lot of stuff from LG but, after this, it has definitely gained a slot in my list of companies from

  • ... and getting rid of it when the fucking TV didn't ship with it?

    It could be within the scope of the app store or a side load, but it's not the goddam hardware.

  • I guess it is possible to infect a TV through the HDMI cable if it acts as an Ethernet cable, but can it infect it through the other bits that flows through it? Maybe something in CEC or a video/sound that causes an buffer overflow.

    Just wondering what else that HDMI cable can transport. There are devices that filter out stuff like HDCP, maybe need device to filter CEC.

