Researchers at the controversial Malta-based security consultant and exploit-seller ReVun have identified a vulnerability in the Linux-based Samsung LED 3D TVs that would allow hackers to hijack the boob tube and retrieve sensitive information, and monitor and root the device itself.
"If the attacker has full control of the TV...then he can do everything like stealing accounts to the worst scenario of using the integrated webcam and microphone to 'watch' the victim," Luigi Auriemma of ReVuln told the IDG News Service.
Smart TVs are of course connected to the Internet and offer users the ability to tap into Web-based apps like Facebook, Netflix, Hulu, YouTube, gaming and so on. Some of those apps require credit card entries, which are then available to the controlling hacker. Essentially, someone bent on invading the living room via the vulnerability can gain access to all the TV’s settings and channel lists, SecureStorage accounts, widgets and their configurations, ID and credentials, any USB drives attached to the TV and even the remote control—so hackers could change channels and adjust the volume from afar.
ReVuln is a recent entrant into the market for buying and selling bug and vulnerability information and mostly focuses on vulnerabilities in SCADA and ICS software that run utilities, industrial systems and the like.
"The vulnerability affects multiple models and generations of the devices produced by this vendor, so not just a specific model as tested in our lab at ReVuln," Auriemma said.
Samsung could tap ReVuln for the information in order to create a firmware upgrade to fix the hole, but there’s no guarantee that ReVuln will help without being paid to do so. Its business is finding vulnerabilities and zero-days and then selling the details to concerned (and it insists legitimate) companies.
ReVuln has been in the news lately after uncovering 20+ vulnerabilities in SCADA systems last month but refusing to report them to the companies affected. SCADA software is used for industrial control mechanisms in utilities, airports, nuclear facilities, manufacturing plants and critical infrastructure, and the situation sparked a discussion on disclosure vs. nondisclosure of exploitable security holes.
In this case, ReVuln said that it hasn’t notified Samsung of the issue.