Today's high-end televisions are almost all
equipped with "smart" PC-like features, including Internet
connectivity, apps, microphones and cameras. But a recently discovered security
hole in some Samsung Smart TVs shows that many of those bells and whistles
aren't ready for prime time.
The flaws in Samsung Smart TVs, which have now been patched,
enabled hackers to remotely turn on the TVs' built-in cameras without leaving
any trace of it on the screen. While you're watching TV, a hacker anywhere
around the world could have been watching you. Hackers also could have easily
rerouted an unsuspecting user to a malicious website to steal bank account
information.
Samsung quickly fixed the problem after security researchers at
iSEC Partners informed the company about the bugs. Samsung sent a software
update to all affected TVs.
But
the glitches speak to a larger problem of gadgets that connect to the Internet but have virtually no security to speak of.
Security cameras,
lights, heating control systems and even door locks and windows are now
increasingly coming with features that allow users to control them remotely.
Without proper security controls, there's little to stop hackers from invading
users' privacy, stealing personal information or spying on people.
In
the case of Samsung Smart TVs, iSEC researchers found that they could tap into
the TV's Web browser with ease, according to iSEC security analyst Josh Yavor.
That gave hackers access to all the functions controlled by the browser,
including the TV's built-in camera.
"If
there's a vulnerability in any application, there's a vulnerability in the
entire TV," said Aaron Grattafiori, also an analyst at iSEC.
Yavor
and Grattafiori were also able to hack the browser in such a way that users
would be sent to any website of the hacker's choosing. While the hack would
have been obvious if the website on the screen didn't match the desired
address, Yavor says there could be serious implications if a bad actor sent a
user to a lookalike banking page and retrieved a user's credentials.
The
research was conducted on different models of 2012 Samsung Smart TVs and was
presented this week at the Black Hat cybersecurity conference in Las Vegas.
In
a statement , Samsung said it takes user safety very seriously. Addressing the
camera flaw, a company spokesperson said, "The camera can be turned into a
bezel of the TV so that the lens is covered, or disabled by pushing the camera
inside the bezel. The TV owner can also unplug the TV from the home network
when the Smart TV features are not in use."
Samsung
also recommends that customers use encrypted wireless access points.
The
iSEC crew said they remain skeptical that the technology is perfectly secure,
even after Samsung patched the bugs.
"We
know that the way we were able to do this has been fixed; it doesn't mean that
there aren't other ways that could be discovered in the future, " Yavor
said.
Companies
like Samsung pay hackers when they report security vulnerabilities like the
ones iSEC found. The researchers are iSEC confident that there are more
undetected flaws in these devices that they are running a fund-raiser off of
finding bugs in Smart TVs at technology conference Def Con later this week.
Yavor
and Grattafiori say users should run regular updates from vendors like they
would for anti-virus definitions or system updates on the smartphone.
And
when all else fails, users can always put tape over their cameras.