Any reader who has bought a TV in recent years will know that it’s now almost impossible to buy one that’s just a TV. Instead they are all “smart” TVs, with an on-board computer running a custom OS with a pile of streaming apps installed. It fits an age in which linear broadcast TV is looking increasingly archaic, but it brings with it a host of new challenges.
Normally you’d expect us to launch into a story of privacy invasion from a TV manufacturer at this point, but instead we’ve got [Priscilla]’s experience, in which her HiSense Android TV executed a denial of service on the computers on her network.
The root of the problem appears to be the TV running continuous network discovery attempts using random UUIDs, which when happening every few minutes for a year or more, overloads the key caches on other networked machines. The PC which brought the problem to light was a Windows machine, which leaves us sincerely hoping that our Linux boxen might be immune.
It’s fair to place this story more under the heading of bugs than of malicious intent, but even so it’s something that should never have made it to production. The linked story advises nobody to buy a HiSense TV, but to that we’d have to doubt that other manufactures wouldn’t be similarly affected.
Header: William Hook, CC-BY-SA 2.0.
Thanks [Concretedog] for the tip.
I guess it’s not at all beyond the realms of possibility that the huge numbers of smart TVs running embedded Linux variants could be backdoored and/or hijacked by malicious actors, states etc to spy and launch massive co-ordinated DDoS attacks against CNI…
That’s certainly possible, but more likely this is just reinforcement of the idea that hardware people can’t be trusted making software, and software people can’t be trusted making hardware.
TV makers have no motivation to find people good at both, as they are rare and tend to demand a higher cost.
TVs are one of those razor thin profit things and they know by experience there’s no reason to make them well or right. They will continue to see sales because most people don’t care.
I remember having a choice of just a display and providing your own smarts.
Stick to making what you know and stop making everything smart. This makes me wonder what other devices on our networks are “checking in” multiple times a minute that didn’t need to. Control it from the router and deny the communication?
If I can backdoor some CCTV cameras and use them as an attack vector (if I want but I don’t) then I can damn well do it with a TV too!
Part of the problem is something called “nice weather programming”, assuming everything is beautiful, dry, sunny, nice and well behaving. And with the smallest snowflake, everything breaks down and pulls everything else into the sh*thole, too.
This approach might work for a text editor or a music player. But a “task manager” should be somehow more hardened against the bad weather.
If you enumerate registry keys you should keep in mind that there might be a lot of them and there might be a problem if you get more than that lot of keys. Just saying.
And this is yet another good reason why you should use your ‘smart’ TV either as a normal TV never connecting it to a network or you put it and all the other crap you can’t really trust/control on its own isolated network.
This, exactly. Since ‘smart’ TV’s were introduced I’ve said loudly and repeatedly that they’re for ‘dumb’ people. I know, in some cases that’s unfair, especially now that non-smart TV’s are so hard to find. And yes, you can deny the TV an internet connection. But if there aren’t already TV’s that insist on a connection even to allow non-networked use cases, you can be sure that’s just around the corner.
If you pay for something which can be modified or limited, or even bricked by the manufacturer or a remote third party, then you don’t own that thing. You merely rent it, under unfavourable conditions. That applies equally to many smart TV’s, all Windows and MacOS computers, and most recent HP printers. This ‘rent-to-NOT-own’ trend is pure evil.
I have a TV I had to connect to the internet to set up, if I hadn’t I’d have nothing but a large piece of plastic to stare at, so never connecting you “Smart” TV to the network is not an option.
Not always the case.
When I needed a replacement monitor and found around here the monitors of the right dimensions were unobtainium or priced to make them that way I managed to find a ‘Smart’ TV that doesn’t care about having a network connection, the network features just don’t work. With the occasional message for completing setup when you press the wrong button on the remote and it wants to use some online features, but it even works as a TV tuner just fine and actually reads the program guide on the broadcasts etc. The only thing it doesn’t do but should that is really annoying is it won’t decode anything under something like 1080p so all the BIOS and GRUB type stuff isn’t displayed and for good measure the screen lies and just says the source is disconnected – apparently they couldn’t be bothered to put in the “out of range” message.
Yup. I have not had a ‘smart’ tv yet, but just moved 1,500 miles away and it looks like my next set will have to be one of those annoying junkers.
Thankfully, my network is very heavily partitioned with subnets for every device type and firewall rules only allowing necessary traffic between subnets (via pfSense). I have a chromecast on it’s own subnet and SSID, which cannot open connections to any other internal subnet, but some user subnets can reach the Chromecast. This requires MDNS packets to be reflected into the Chromecast subnet, but that’s trivial via a pfSense package (avahi).
TV will never be online, and if the Chromecast ever misbehaves it will not be able to mess with any other devices, avoiding any problems like this. Oh, and a relay turns off the Chromecast if no one is home / when we go to sleep. Dead simple and bulletproof setup for us with basic networking skills, but something the general public does not understand the benefit of and will not set up. I sometimes think that consumer network devices will one day offer network segmentation features that non-network types can configure, but ISP boxes are such junk they’ll probably implement it very poorly and somehow make your network less secure.
pfSense…
I was unaware of it, thanks for posting that!
Buy a projector. Best move I made
Projectors used to be an enormous difference back when 1080p ones were hitting the regular consumer market. Back then, they competed with “giant” 50″ tvs that cost even more. That made all the hassles of having a projector worth it.
And I did. It was GREAT for movie and Wii/Rockband/etc parties too.
But today?
With mother glass that has gotten so big?
Just get a cheap 65″-75″ tv and be done with it.
I just picked up an open-box 70″ for a buddy that runs android (which can be de-googled) for $450.
No having to control lighting.
No hanging/painting a screen.
Don’t get me wrong, if you really want a theater, a projector is still one of the best options. But they are no longer the only GOOD option for big screens.
You can get _cheap_ IPS dumb 4K tvs from wallmart.com
They aren’t great, but not terrible. Sceptre brand.
Keep buying them, so they don’t go away. The 43” makes a nice enough monitor. Under $200 last I looked. Only HDMI, but 60Hz, so good enough.
Or you move into the display market which is currently been flooded with Chinese brands.
or CCTV displays.
You can get displays with a ton of connectivity, things like RS232 control, video wall daisy chain and 24/7/365 spec’d operation, metal case, etc…
I want to go even further on dumbing down out TVs than others. I want them to basically just be a panel with a special (and open/free) connection to a brain box that can do all the display control you want.
Then a bunch of the features get moved off the pure display portion and we might see custom controller builds for extra features.
Companies do make those still, but they are stupid expensive as they are commercial/industrial grade units, and some have a plug-in module that lets you do all sorts of interesting things with them. (The ones I’m familiar with are from NEC / Sharp, which has their “OPS slot” which allows for things like a multimedia player to be installed in the display’s chassis without having to velcro wrap a seperate player on the display’s mount.)
Yes. I’ve always wanted the same. As my last 2 “TVs” have been projectors, that’s what I got!
You already have that option.
You just have to go the same route as a DIY monitor.
The panels are already standardized.
Just get a tv and connect the panel input to your own control board.
It’s not QUITE as easy as using a laptop panel with an eDP connection, but it’s not that different.
Roku bricking their devices over nonacceptance of a legal change,
And now this, yeah, don’t buy a “smart TV”!
If someone gives me one, I won’t plug in a network cable, and shut off its WiFi.
What bugs me the most about such smart TVs is some of them are slow, take their time to answer to commands. That is bad used experience right there.
Does anyone make a 55″ monitor?
From Newegg: Gigabyte S55U $850, Samsung Odyssey Ark $2000. Those are the largest from Newegg.
Wallmart.com,
Sceptre 55” 4K dumb TV. About $250. Very average IPS screen. Good enough. 60Hz. HDMI only. Bad speakers.
Honestly, the 43 is better. 55 is so large you have to move your eyes at typical monitor distance. 43 you can see it all.
The 55″ Spectre is out of stock at my MalWart… but the HiSense is available :-(
In the old days there were TV sets that if some component failed or got misaligned they could start to emit x-rays, and not only from the picture tube, but from the high voltage rectifier diode: so regulations were made and TV maker had to add safety controls. Other TV sets were capable to transmit back harmful signals back in the antenna connector, or make radio noise on the power line affecting long wave and medium wave radios. This was also covered to regulations.
The same thing should be done on the transmission/IP field. By the way I’m not sure if TV sold nowadays, especially off brands are compliant with the radio interference regulations: those decouplic capacitors and ferrites are expensive, not to mention the ugliness of metallic shields.
The FCC made those rules, and they have no jurisdiction over things that don’t transmit over the air radio signals.
Radio receivers transmit OTA radio signals, as do some home security systems. Just sayin’. And isn’t there a regulation about “must accept interference”?
Yes, Part 15. All US consumer electronics are SUPPOSED to abide by it.
Very very old days perhaps.
Transformer voltage was regulated to _not_ produce x-rays. The malfunction would have to result in an increased turns ratio in the high voltage transformer and a failure in the regulation.
TV manufacturers don’t really seem to care. All the smart TV’s I’ve seen are using customized interfaces so they can give you more ads and more bloatware. Most TV’s are incredibly slow and give you a bad experience. The one I have now is reasonably fast compared to the TV’s my friends have. But even then, I can’t get rid of Netflix, Disney and other bloatware (Hel will freeze over before I give them money).
I wanted a new TV a few years ago and bought a TCL 65″ one for 300 euro’s at a media market store. I tried the smart interface for a few minutes but after I found out that I couldn’t install custom software, such as youtube vanced, I was already done with it. I don’t use “live TV”, don’t even have that cable plugged in. I turned it off and left it hanging on the wall for 3 years without a power cable attached to it. Only a few weeks ago I turned it on, without a network cable, so I can use it with my Steam Deck. No power cable means no problems with security issues.
One day I’ll find out how to crack the system so I can install my own APK’s (for revanced). The TCL specific guides don’t work for my TV and to be honest, I don’t care all that much. As far as I’m concerned, it’s the tool you use to align the couch with. I watch most of the movies and TV shows I watch in the workshop while doing other stuff.
My “smart TV” is a mini-PC (or should I say “micro-PC?”) running Linux Mint and connected to the TV over the HDMI port…
Reminds me of my stupid Samsung which insists on the hostname “localhost” when it requests an IP address via DHCP. And Samsung doesn’t understand what’s the problem with that…
We factory defaulted our smart TVs and left them unconfigured with no network connection setup. Streaming is via AppleTV.
If I do put them back on the network they will be isolated in their own network segment that cant reach the main network.
Also run Pi-Hole with around 400k domains blocked via additional block lists, and Quad9 for upstream DNS (blocks bad domains).
I decide what my network devices talk to, not the other way around.
My guess is that at least one person reading this story is now whipping up a script to spam uPNP messages to cause all Windows boxes on the local segment to shite their pants.
If this is anything like the past local DoS exploits in Windows, it will see use in school computer labs, and maybe even offices where a disgruntled employee decides to cause some havoc on the way out. Especially fun since, from the article, it needs manual intervention to clean up after!
Definitely a Microsoft Windows issue. The TV was just the stick that poked it.
Modern TVs are filled with apps because they collect data on what is being watched and report back so TV manufacturers can sell the data. ACR (Automatic Content Recognition) can even recognize content that is playing on a separate HDMI input, when you’re not using the app at all. TV are now commonly sold as loss leaders, and the TV companies make up the difference by collecting and selling your viewing data. It would literally not be profitable for a TV company to sell a TV that isn’t loaded up with smart apps – in fact those are aimed at the “professional” line and are often called signage displays and easily cost 5x more than a consumer home TV.
Thanks for the heads up, I now understand.
No, a high end TV is not slow, but sure, same software on an entry level is probably overwhelming for a cheap SoC.
As it’s impossible to find descent size (75-80″) without the bloatware, disabling internet access is challenging : even by manually setting IP and disabling DNS/gateway, the TV still manage to sneak out after a while.
Any idea how to do it so I can keep streaming with with DLNA from my computer on the same network?
Separate subnet with no Internet, then pass multicast broadcast packets between that and the main network.
I have a Visio “smart” TV. I do not connect it to the network because it auto-downloads updates that have made the UI and remote functionality total crap. I reset it to factory defaults. What a shit-show.
I was really hoping the article was going to lead into, “Well, you can now buy a non-smart TV here…”.
Search for “signage display” or “signage monitor”. It’s what they use in shops, malls, stations etc. to show advertising and other information. They have much less features compared to TVs and cost a lot more, but are also a lot more sturdy and guaranteed to work like 18 or 24 hours/day.
Some are just monitors with video inputs and some have TV functionality, then some among the more recent ones are employing “smart” features by using Android and other crappy OSes, but the operation should be a lot less user hostile compared to TVs.
Sharp “Commercial Grade” TVs. Bonus, they have 3 year warranties covering 24/7 commercial operation.
I know I’m repeating.
Wallmart.com
Sceptre brand dumb 4k tvs.
Not available in store.
Cheap.
Vote with your money.
QuaIity control isn’t great, but returnable to local Wallyworld.
My new Philips Ambilight TV whined at me for days, propmting me to connect it to the internet. Nope. Never going to happen.
The article’s illustration is a close-up of the power button of Logitech Z5500. There, I’ve shared this very important bit of information with you all!
Some small, cheap TVs are fairly dumb. For $100 you can buy a 12 inch TV that will scan for available channels, display a program guide for the currently selected channel, allow various video adjustments, and select input sources. LCD quality varies greatly, so read reviews carefully.
Lolz I’ve never even heard of that brand. I have no problems with my Samsung 8k TV I got for under 1k. I can use it for off air TV stations but I mainly use it for PC Gaming that lets me do all the streaming I want without using the TV. I have had no problems. It could be low end TV’s are just junk and you get what you pay for. I tried to get a cheap but good TV for my roommate and a year of use and the backlight is dying. I found it humorous that somebody would call people stupid for buying smart TVs and in general there’s nothing wrong with them.
Pretty soon I need LDAP and SSO, separate DNS and DNS servers, firewalls to separate my home computing from my IoT and my Russian friends, … Detailed knowledge of arp command… A short term and long term plan for patching and upgrade… To watch Tubi!!!