Zero Day Hole In Samsung Smart TVs Could Have TV Watching You
chicksdaddy writes with news of a remote exploit in Samsung Smart TVs, and a warning for those who got one with a built-in camera. From the article: "The company that made headlines in October for publicizing zero day holes in SCADA products now says it has uncovered a remotely exploitable security hole in Samsung Smart TVs. If left unpatched, the vulnerability could allow hackers to make off with owners' social media credentials and even to spy on those watching the TV using built-in video cameras and microphones. In an e-mail exchange with Security Ledger, the Malta-based firm said that the previously unknown ('zero day') hole affects Samsung Smart TVs running the latest version of the company's Linux-based firmware. It could give an attacker the ability to access any file available on the remote device, as well as external devices (such as USB drives) connected to the TV. And, in an Orwellian twist, the hole could be used to access cameras and microphones attached to the Smart TVs, giving a remote attacker the ability to spy on those viewing a compromised set."
Re:Call me dumb but (Score:4, Insightful)
Because it would be really hard to use skype without them?
Re:D'oh! (Score:5, Insightful)
Black tape. Try finding a zero day hole in that biatch!
Re:the software is open source (Score:4, Insightful)
"It's open source, just patch it yourself."
If there ever was a sentence to describe the elitist attitude of open-source nerds, this is it.
Another reason to own a dumb TV (Score:4, Insightful)
Am I the only one who prefers "dumb" TVs anymore? (Score:5, Insightful)
Re:The end (Score:5, Insightful)
The main problem with 'smart' TVs is that you end up with a TV that (barring ghastly shoddiness) will last for several years; but the 'smart' part of it will be lucky to receive a firmware update or two, generally delivered by a team of crack programmers whose previous job was providing horribly malformed DDC information...
If it's a discrete computer, or some dinky Roku stick or whatever, you can upgrade it when the streaming service of the month goes out of business, or the manufacturer loses interest in you.
'Smart' devices ... (Score:4, Insightful)
I've always been leery about everything wanting to have internet access.
Partly because I don't see any benefit from the features of having my TV connect to the internet, and partly because I don't trust that vendors have any clue about security.
If you're going to run things like this, you should definitely have a firewall to keep the outside world at bay. The fact that Samsung has no fix for this tells me there's probably loads of devices like this which will prove to be insecure.
I've never even plugged my Blu Ray player into the network, and I'm getting close to the point of disconnecting my XBox from the network because I don't use any of the on-line features and the ads which have started showing up in games are annoying.
If you need an internet connection for me to play a game on a console ... well, I simply won't buy your product. And I didn't buy the box to be marketed to.
Re:It was built this way, really... (Score:4, Insightful)
I read it that way initially and nearly wrote off the comment, but then I thought about it further. TVs could contain cable modems, but it isn't necessary. They're decoding digital data streams all day. Half the buffer overflow exploits I've seen in the past few years have involved image/video decompression, usually in the area of embedded tag parsing or some other similarly esoteric bit of functionality. Within a DVB bitstream, you have lots of side channels for things like program listings, CC data, etc. Any code that works with any of those pieces of data could contain bugs. And then some portion of your TV is 0wn3d.
Although the notion that such backdoors are intentional seems a little paranoid, the GP actually makes a good point about TVs being complex digital devices with no real firewall between them and potentially malicious data streams. The fact that there's no middleman for the malicious data—anybody anywhere on your local loop could potentially overpower the legitimate data and provide malicious data in its place—is just the icing on the cake.
That said, attacking smart TVs over the Internet (after exploiting bugs in the firewall) is probably a more straightforward attack approach. Network-attached smart TVs with cameras and any sort of network connectivity are pretty much a porno video waiting to happen. Anybody who says otherwise is kidding him/herself.
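The parsing risk raised in the comment above, shown from the defensive side as an added example that is not part of the original thread: a bounds-checked walk over a DVB-style descriptor loop (tag byte, length byte, payload). The function name, return codes and sample buffers are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_NETWORK_NAME 0x40 /* DVB SI network_name_descriptor */
enum { DESC_OK = 0, DESC_TRUNCATED = -1, DESC_OVERRUN = -2, DESC_BADARG = -3 };

/* Constructed samples, not captured broadcast data. */
static const uint8_t sample_ok[]  = { 0x40, 0x04, 'T', 'e', 's', 't', 0x80, 0x00 };
static const uint8_t sample_bad[] = { 0x40, 0x20, 'A', 'B' }; /* claims 32, has 2 */

/* Walk a descriptor loop of [tag:1][length:1][payload:length] records and
 * copy the first network name into `name`, NUL-terminated and truncated to
 * fit. Every length is checked against the bytes actually present. */
int parse_descriptor_loop(const uint8_t *buf, size_t len,
                          char *name, size_t name_sz)
{
    size_t off = 0;
    int found = 0;
    if (buf == NULL || name == NULL || name_sz == 0) return DESC_BADARG;
    name[0] = '\0';
    while (off < len) {
        if (len - off < 2)
            return DESC_TRUNCATED;   /* header cut short */
        uint8_t tag = buf[off];
        size_t dlen = buf[off + 1];
        off += 2;
        if (dlen > len - off)
            return DESC_OVERRUN;     /* length runs past the end of the loop */
        if (tag == TAG_NETWORK_NAME && !found) {
            /* Bound the copy by the destination, not by the stream. */
            size_t n = dlen < name_sz - 1 ? dlen : name_sz - 1;
            memcpy(name, buf + off, n);
            name[n] = '\0';
            found = 1;
        }
        off += dlen;
    }
    return DESC_OK;
}

int main(void)
{
    char name[16];
    int ok  = parse_descriptor_loop(sample_ok, sizeof sample_ok, name, sizeof name);
    int bad = parse_descriptor_loop(sample_bad, sizeof sample_bad, name, sizeof name);
    return !(ok == DESC_OK && bad == DESC_OVERRUN);
}
```

The two checks that matter are the declared length against the bytes remaining in the loop and the copy size against the destination buffer; a parser that trusts the stream for either is where this class of bug comes from.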