Black Hat 2013: Researchers Demo How Smart TVs Can Watch You

02 August 2013

Two presentations at Black Hat Las Vegas on 2 August 2013 drew fresh attention to the risks posed by the smart TVs increasingly found in homes and offices around the world. Researchers demonstrated how vulnerabilities in these systems can be used to steal online credentials and other sensitive data, and even to turn a device's camera against its owner to record them illicitly. Ericka Chickowski reports.

"You can do whatever you want on a smart TV because it's just a regular PC", says Seungjin Lee, a researcher from Korea University. "So you could do hijacking, keylogging when the users are web surfing, (and) sniffing traffic."

In his talk Lee explained techniques an attacker could use, remotely or locally, to gain and keep persistent shell access on most smart TVs, and how that access can be used to keep tabs on users through what most would regard as an innocuous device. Aaron Grattafiori and Josh Yavor of iSEC Partners gave a similar presentation on their research into Samsung TVs, which produced a number of vulnerabilities that were reported to the manufacturer late last year and fixed this year.

The duo's key finding was that the apps running on Samsung TVs, and most likely on other makers' sets, are web apps, and so they carry the same vulnerability baggage as any traditional web application.

"So this is JavaScript and this is loading the JavaScript app. This whole thing is a web app", said Grattafiori, senior security engineer, pointing to a demo screen showing a Samsung smart TV menu. "Those boxes, your menu when you move your mouse around, that's all DIVs. And a lot of those files are encrypted and decrypted at runtime."

According to the duo, many of the Samsung apps they examined were rife with common web vulnerabilities, such as cross-site scripting flaws that allowed remote, arbitrary script execution in the app's context on the television. Existing apps could also be turned to malicious ends: one app's download API, for example, could be abused to upload as well, letting an attacker exfiltrate any file from the TV, from online credentials to stored photos and other sensitive material.

Grattafiori believes TV manufacturers need to raise their game, adopting cross-platform security controls and training their developers in secure coding. In the meantime, consumers should be wary.

"Consider where you have the TV aimed - maybe your bed is not the best option", he says. "Browse carefully and think about investing in sticky notes to stick over the camera."
