There were a couple of interesting presentations at Black Hat yesterday Aaron Grattafiori and Josh Yavor from iSEC Partners and Seungjin Lee from Korea University were both talking about hijacking Smart TVs. These devices are Internet connected and basically do a lot of their stuff using web browser technology, including JavaScript and other well known attack vectors. iSEC Partners were testing Samsung TVs in particular, but they all work pretty much the same way and apparently the manufacturers’ programmers haven’t done much to consider the security aspects.
Grattafiori was particularly keen to point out that the cameras on such devices were as susceptible to hijacking as anything else.
He went on “Because the TV only has a single user, any type of compromise into an application or into Smart Hub, which is the operating system — the smarts of the TV — has the same permission as every user, which is, you can do everything and anything.”
He suggested you might want to make sure the TV in your bedroom has it’s lens covered with a sticky label.
Earlier this year Samsung has issued a software update for the TVs affected by the security flaws described in Las Vegas, but the fact they’re all using flaky browser technology means we should all be wary of them.