[Rafael Scheel], a security consultant, has found that hacking smart TVs takes little more than an inexpensive DVB-T transmitter. The transmitter has to be in range of the target TV and send some malicious signals. The hack works by exploiting hybrid broadcast broadband TV (HbbTV) signals and widely known bugs in the web browsers commonly found on smart TVs, which seem to run in the background almost all the time.
Scheel was commissioned by cyber security company Oneconsult to create the exploit, which, once deployed, gave full root privileges, enabling the attacker to set up and SSH into the TV and take complete control of the device from anywhere in the world. Once the TV is exploited, the rogue code is even unaffected by device reboots and factory resets.
Once a hacker has control over the TV of an end user, he can harm the user in a variety of ways. Among many others, the TV could be used to attack further devices in the home network or to spy on the user with the TV’s camera and microphone. – Rafael Scheel
Smart TVs seem to be suffering from IoT security problems. Turning your TV into an all-seeing, all-hearing surveillance device reporting back to its master is straight out of 1984.
A video of a talk about the exploit along with all the details is embedded below.
Well, at least you can do something with them when they’re a couple of years old and YouTube and Netflix change their API and you can’t update the onboard apps.
You’d best start saving then.
That’s fluoride.
People keep saying this. But seriously who the fuck cares.
The built in apps for these devices *suck*, most of us own devices which perform better (chromecast, ps4, xbone).
That’s being generous. For the last three flat panel screens I bought, none made it past 6 months without repairs. At two years, they’re just crippled messes. Of the last SEVEN I bought, only two (both smaller than 30″) hit two years problem and repair free.
The failure rate on sets in the 40″+ range in my experience is 100% within six months.
I paid around $200 from the WalMart Circle Jerk to roughly $4k from less trashy places. I could shell out even more but for what? A nice road side display six months later.
Good job assholes. We went from energy sucking CRTs lasting twenty years or more to energy sipping landfill fodder that won’t even survive until the next Black Friday.
Are you running them in some kind of hostile conditions!?
It helps if you put them inside when it starts raining. Trust me.
What the hell do you do to your TVs!?
Why not compare similarly sized TVs and why can’t the CRT have a home cinema amp attached as well?
I take it as the point that a person who might have spent X amount on a relatively small CRT in 2000, may have replaced it recently with a much larger set up for same inflation adjusted X amount, and be sucking same or more watts…. Ergo, yes it’s theoretically more efficient than before, but if people buy much MORE of it instead then we’re not getting anywhere.
Is it in an RV, near train tracks, or earthquake-prone zone?
Maybe he’s playing Duck Hunt with a real shotgun. I just revived my LCD TV the other day using a heat gun to reflow the chips on the mainboard.
I haven’t seen a modern 42″ TV that uses 120W. (A plasma certainly could, but not LCD.) Even my 50″ Seiki uses about 40W.
I’d like to see them hack my Baird mechanical TV.
Ah-ha! He hasn’t noticed the hidden selenium photocell!
The question is, if you can root a smart TV does that put you in a position to fix its security holes or does it need a lobotomy and a second media server running Debian then attached to it? What sort of real hack should we be looking at after the TV has been cracked?
This particular exploit utilizes the TV’s OTA tuner, and bugs in the software that is always watching the OTA signals.
(Why it does this always is bizarre, obviously while watching OTA TV you would need to, but if your input is set to HDMI or something there is no call to be using the tuner hardware still)
You would need to either completely disable all the internal software that uses the TV tuner, everything from the video signal to the guide data to closed captioning, etc. OR disable the hardware tuner circuitry such that it is useless and then hope the software doesn’t complain and refuse to work at all when it can’t find one of its “peripherals”
I know nothing about antenna design, but should there not be some way to plug a little device in the coax port that purposely causes interference such that you would need to be within an inch of the connector to get any useful signal through?
Even if so, how much of the other wiring inside the TV will act as an antenna enough to pickup signals?
Also is the TV a Samsung or LG brand or the like, which have built in cellular modems that phone home for firmware updates? In that case I’d imagine any “fix” you made could easily get wiped out and replaced again the next time it updates itself.
Personally I’d be a bit leery about using any type of signal jammer device in case it decided to screw with someone else’s stuff and not just my own. Also with the cell modem bit I wouldn’t trust any fix I put in place to not get unfixed by their next forced software update.
No need to cause interference, a 75ohm dummy load that’s well shielded would ensure there’s nothing for the tuner to receive.
Obviously, you want a well matched dummy load to avoid impedance mismatch…
Damn, here I was all ready to just short the antenna middle pin to the shield…
Better break out the VNA and make sure my 75 ohm load is perfectly linear.
Well matched is ideal, but if some noise from inside the set reflects off the dummy load and back in, it’s just extra “noise” to mask what little signal may be picked up.
For the cellular modem you need of course a 50 Ohm load for best match. :-) I am sure it will not receive much if you just short the antenna connector out. Of course this could in theory damage the transmitter, in case you think about re-enabling it any time.
I think you just figured out a use for old coax crap I still have lying around.
The exploit was tested originally on two Samsungs with the latest firmware but is said to run on just about any smart TV.
As far as I am aware I believe all Samsung smart TVs that include a web browser are susceptible to this attack vector.
Not as intricate, but I just read this article too:
https://www.netsparker.com/blog/web-security/hacking-smart-tv-command-injection/
Ha, I didn’t see that one when I was researching the story.
By now, it seems that everybody (except the marketing people) knows that when a device has “smart” and/or “IoT” near its name, then that device is:
– dumb,
– full of bloatware and useless “features”,
– locked to a single provider,
– has backdoors by design,
– spying on its user,
– it’s a serious security threat for the local network or even for the whole Internet.
The marketing people are fully aware, but to make more profit, they need to shift more units – and broken by design comes to mind.
– can be bricked remotely
The vibrator market is going to get a lot more interesting then.
Sad part is smart TVs are the dumbest things ever made. A Roku box destroys the most expensive smart TV sold in functionality.
Ironically, my TV (by TCL) is considered a smart TV. But it’s really just a TV with a Roku built in. So, where do you draw the line between a smart TV and a set-top box?
Arcade games have had a standard (JAMMA) connector inside since 1985. Why couldn’t smart TVs have something similar? Just eject the manufacturer-provided shitty “smarts” and put in something more competent…
What we need is a hack that completely disables the “smart” and turns the TV into a monitor (and only a monitor; no camera or mic).
We live in a stupid world where a “smart” TV costs $500 and the same size monitor costs $3000 even though the monitor contains less stuff.
Well, yeah. Because they can subsidize the sale of the $500 smart TV by monitoring everything you do and selling that information to advertisers and/or locking you into proprietary services with recurring fees.
Because TV usually has worse image quality than a monitor?
Aren’t they exactly the same thing? Are you saying they use better-quality panels in dedicated computer monitors?
“We live in a great world where we can call stupid to anyone that are inferior to us/me(mostly me)”
Just don’t plug the ethernet cable in and don’t enter the wifi password?
OMFG 1337 h4x !!!111
That’s related to what kind of monitor you buy. A low quality monitor will cost you way less. BUT, the normal monitors you buy are either rated for higher pixel response times (‘cuz games), higher color space compatibility, and higher accuracy. These are all features which jack the price up to $3000. If you don’t need them, well, you can easily buy a $400 monitor for about the same price.
Quite easy: You need a screw driver and a pair of side cutters – I hope you get the idea.
At what point do we quit calling this crap “incompetent security design” and start calling it “deliberate vulnerability”?
As someone else mentioned, why is the tuner even powered up when the unit is in HDMI input mode? All the efforts everybody goes through in the name of “low power” and nobody thought to shut off a part that is not being used 90% of the time????
To allow three letter entities to send its “start capture camera and mic and stream to this IP” command?
I want to enable the DVR function that Samsung disables for US and Canadian owners of their smart TVs. Then I could plug in a big USB 3.0 hard drive and record HD OTA broadcast.
Smart TV, Smart Phone. If the product has Smart in the name you can be sure that North America won’t be allowed to have the best version of it. I’ve had phones where the Euro or Asian version had things like composite or S-Video out capability or a radio tuner or USB-OTG but the NorthAm version not only didn’t have the feature, it wasn’t even in the hardware where a software hack could enable it.
Now we have televisions where the same hardware sold on different sides of the planet has features enabled or disabled for various reasons.
This was also done with Canon and some other printers where in EU and Asia they had the ability to print onto printable optical discs – but for NorthAm the feature was disabled and the disc tray slot blocked off. At least for Canon the tray and disc printing slot cover could be ordered and service mode entered to choose a country setting that had disc printing enabled.
Why can’t we have a multinational agreement that doesn’t allow for this location based feature limiting crap? If a TV has OTA DVR capability in the hardware, dammit it should have to work *everywhere* that hardware is sold.
Patents….. They’re local to the country, unless registered at an international Patent office (Still only covers participating countries, hence china-mart-alike countries and their many clone devices that otherwise infringe on patents)
Two people can patent the same thing on the same day
….but in different countries’ local patenting offices and still get their patents through!
Should I even ever consider one of these devices as a monitor, even after doing a tuner-ectomy? Broadcast TV has had nothing to offer me since the last century.
No reason to consider them when you can get a set-top box to connect to a projector. As long as the projector has pretty high lumens it can be used just like a TV would. It’s easy to avoid projectors with cameras or microphones since they would very prominently tout this as a feature and it’d be easy to identify those parts with the cover off.
The reason it listens to DVB-T is because originally they designed in a feature where manufacturers could have firmware updates broadcast. I don’t think the feature ever really took off, but they keep including it.
Wouldn’t surprise me if real benefit is in setups like hotels or hospitals etc.
They would, for a nasty hacker
Alright, new rule: Everything that needs to have “smart” attached to its name… isn’t.
I think it was a note to self rule.
OK, so a stay in a decent hotel with a bit of kit could see me on a mass surveillance operation and website/business opportunity in the voyeur trade markets.
Well, I guess there is an upside to getting a tuner-free TV.
Bullshit, DVB-T transmitters are not cheap.