

antdude
A Matrix Ant
Premium,VIP
join:2001-03-25
United State
kudos:5
Reviews:
·Time Warner Cable

Samsung TV vulnerability could let a hacker change the ch.

»www.pcworld.idg.com.au/article/4 ··· channel/ from »www.linuxsecurity.com/content/vi ··· w/158435

"A vulnerability present in many Samsung TVs could also allow an attacker to turn on its webcam, researchers say..."
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.

TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel

1 recommendation

It was only a matter of time before something like this happened.

What sucks for those who have purchased such TVs, is that now their only choice to be 100% secure is to disconnect the TV from the internet entirely, until a patch is made available to fix the vulnerability. Effectively their expensive "smart" TV has just become an ordinary TV.

Personally I'd rather my TV remain a simple display device and nothing more. Besides, what happens a few years down the road when the manufacturer stops supporting your model of "smart" TV? You're SOL, it's not like a PC where you can put any OS or software that you'd like.

I expect we'll see this sort of thing happen more and more, as more devices and appliances are being given "smart" functionality.


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

2 recommendations

said by TheMG:

It was only a matter of time before something like this happened.
...Besides, what happens a few years down the road when the manufacturer stops supporting your model of "smart" TV? You're SOL, it's not like a PC where you can put any OS or software that you'd like.
... I expect we'll see this sort of thing happen more and more, as more devices and appliances are being given "smart" functionality.

It's a manufacturer's dream. A device becomes obsolete and unusable simply by its maker dropping support whenever he wants... no matter the care a customer has exercised in maintaining and repairing it over the term of his ownership. If we, as customers, keep demanding and believing we can't live without certain "features" in products that then require ongoing manufacturer "support", we will see more and more of this. The fault ultimately lies with customers for signing on for products that make us completely vulnerable to such planned obsolescence. Why are we upset that manufacturers pull the trigger after we've bought their gun, handed it to them, and pointed it at ourselves? If a product has such obsolescence vulnerabilities designed-in, simply exercise buyer restraint and do without it. Manufacturers will of necessity track the buyer's market, wherever it moves.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3

1 recommendation

reply to antdude
Looks like Mele20's concerns were valid.

»Re: Job seekers getting asked for Facebook passwords
--
Don't feed trolls--it only makes them grow!


goalieskates
Premium
join:2004-09-12
land of big
said by StuartMW:

Looks like Mele20's concerns were valid.

»Re: Job seekers getting asked for Facebook passwords

Indeed.

Time was I bought appliances with more features and happily paid a premium within reason. Now things have changed to the point I look for appliances with fewer features and less potential exposure. Sheesh.

OZO
Premium
join:2003-01-17
kudos:2
reply to Blackbird
said by Blackbird:

It's a manufacturer's dream. A device becomes obsolete and unusable simply by its maker dropping support whenever he wants...

Exactly. And if they see that customers are becoming stubborn and don't want to go and buy a new model from them soon, they will start making and spreading viruses for their own devices (not directly, of course, but rather by contracting other companies). Then they'll start making money from developing anti-virus software for their devices and / or offering "protection plans" for users to subscribe... You think it's a conspiracy theory? No, it's just a business plan. Business as usual...
--
Keep it simple, it'll become complex by itself...


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
reply to goalieskates
said by goalieskates:

Now things have changed to the point I look for appliances with fewer features and less potential exposure.

Yup. I have a Samsung Blu-ray player that can connect to my wi-fi. That said I've verified that, when "off", it doesn't phone home.

Recently I bought a (wi-fi only) Android tablet. I didn't trust it either. Found out that even when "off" it remained connected via wi-fi. Eventually found the setting (set to the default) to disable that. Now it only connects (verified) when I ask it to.

In short if any device can connect to the internet don't trust it until it has been suitably "conditioned".
--
Don't feed trolls--it only makes them grow!


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

1 recommendation

said by StuartMW:

... In short if any device can connect to the internet don't trust it until it has been suitably "conditioned".

Stop right at that point. I don't trust any device connected to the Internet, period. The Internet's a worldwide, unpoliced, wide-open, public network. Whyever would I agree to connect my TV, my radio, my camera, my stereo, my refrigerator, my thermostat, my alarm system, or whatever else to such a direct networked sewer-line of potential attack? Computers at least I can attempt to keep my eye upon and keep protected with a fair amount of direct personal effort and time. I don't need to face the same tasks with everything else I use. Any appliance features achievable only in an Internet-connected manner are features I can live quite nicely without. The older I get, the more I marvel at this lemming-like penchant in modern society for chasing after the latest, hyped features-du-jour that correspondingly open gaping doorways to all manner of hacking attacks, unwanted external manipulation, and manufacturing stratagems for planned obsolescence. The day is fast approaching when the popular cry will be raised: "what were we thinking?!"
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
Well if there's no wi-fi connection then it's not connected--unless I enable it.
--
Don't feed trolls--it only makes them grow!


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2
Then, why pay more for a useless feature? I'm with BB on this one.
--
I'm not anti-social, I just don't like stupid people.


darcilicious
Cyber Librarian
Premium
join:2001-01-02
Forest Grove, OR
kudos:4
How is wifi useless for a tablet??
--
♬ Music is life ♬


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
reply to Juggernaut
said by Juggernaut:

Then, why pay more for a useless feature? I'm with BB on this one.

Sorry but I don't get the point.

If I have a gadget that has wi-fi/internet capability but don't leave it (the wi-fi) connected 24/7/365 but only turn it on when I want to use it how is that a "useless feature"?
--
Don't feed trolls--it only makes them grow!


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2
reply to darcilicious
It's not, of course. BB was talking about appliances like fridges, microwaves, etc. Those can be differentiated from a dedicated device like a tablet.
--
I'm not anti-social, I just don't like stupid people.


darcilicious
Cyber Librarian
Premium
join:2001-01-02
Forest Grove, OR
kudos:4
BB was also responding to StuartMW who mentioned having a tablet where he "didn't trust it either. Found out that even when "off" it remained connected via wi-fi. Eventually found the setting (set to the default) to disable that. Now it only connects (verified) when I ask it to."
--
♬ Music is life ♬


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2
True, sorry for the confusion. I was responding to his post about the kitchen appliances.
--
I'm not anti-social, I just don't like stupid people.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3

2 edits
reply to Juggernaut
said by Juggernaut:

BB was talking about appliances like fridges, microwaves, etc.

I took it as everything non-PC.
said by Blackbird:

I don't trust any device connected to the Internet, period.

It's true (IMO) that a TV/Blu-ray player/etc doesn't need to be connected to the internet. However these days many like to stream movies (e.g. Netflix) and/or music (e.g. Pandora) to their TV/Home Theater/whatever. Manufacturers therefore include that capability into those products. I personally don't stream stuff so the whole argument is mostly academic to me.

As for other appliances (fridge, microwave, toaster etc) I see no useful purpose for an internet connection to those.
--
Don't feed trolls--it only makes them grow!

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 edit
reply to Juggernaut
said by Juggernaut:

Then, why pay more for a useless feature?

That's not how it works. Rather, you select a TV based on TV quality, and then you buy it with the internet features or you don't buy it at all.

That is, my N-year-old Samsung LCD had internet nonsense, period. I couldn't say "like that but no Internets, please" regardless of whether I was willing to pay more or less money.

Likely I could have found a worse-looking TV without internet features, but since my concern was the TV, that didn't seem like a good bargain.

It's no different from my TV having onboard games, "art gallery", ability to display photos, etc. It's not an option. Oh, how I long for the days when the "pointless electronic features" consisted merely of putting an utterly unnecessary digital clock into every toaster.

Probably my next TV will be a monitor, though last time I looked, they seemed to be more expensive than TVs. Very odd. Pay more to get less.


Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11
reply to antdude
My Samsung CRT is immune.


cowboyro
Premium
join:2000-10-11
Shelton, CT
reply to antdude
Such a vulnerability requires a TV that is directly accessible from the internet (public IP or specifically opened ports), or the hacker to have access to the local network.
Non-issue for 99.9999% of the people.

TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel
said by cowboyro:

Such a vulnerability requires a TV that is directly accessible from the internet (public IP or specifically opened ports), or the hacker to have access to the local network.
Non-issue for 99.9999% of the people.

The details of the vulnerability have not been described/released, so I'm not sure how you came to that conclusion.

It is possible to gain access to a computer by dropping a piece of malware onto it, by having the user visit an infected web page. This type of attack can potentially give the attacker full control, and does not require the device to have a public IP or to be wide open to the internet. Most consumer firewalls and routers are effective at stopping things from getting in, but quite poor at stopping things from getting out. The same method of attack might be possible on "smart" devices.

Anyways, the exact method in which this Smart TV attack works is all speculation at this point in time, so we can't be 99.999999% sure of anything.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:6
reply to antdude
Maybe this is why I got an email just now from Samsung saying they will be updating SmartHub on my TV tonight? Nah...probably just coincidence.

At least I don't have a 2012 Samsung...the 2011 Smart 6000 series does have a web browser (except for the lowest level version of that series) but none of them have cameras or mikes.

Mine's usually connected to the network but hasn't been since I disconnected the Sam Knows router trying to figure out why my two computers couldn't see each other (I left the Linksys router operable). Then the computers can see each other but the TV is offline and I guess that is good after reading the article... (but why it is offline I don't know as it is attached to the Linksys router).

I'd like to know if mine is vulnerable as I do want to keep it online (after I figure out what I am doing wrong with the network).
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:14
reply to StuartMW

 

Indeed bud, ME AND MELE HAVE VERY HIGH CONCERNS because we value privacy and we know just how compromised privacy has gotten!

said by Mele20 :
Maybe this is why I got an email just now from Samsung saying they will be updating SmartHub on my TV tonight? Nah...probably just coincidence.
No such thing as COINCIDENCE mele!

Bob4
Account deleted

join:2012-07-22
New Jersey
reply to antdude

Re: Samsung TV vulnerability could let a hacker change the ch.

said by The Register :
ReVuln says it plans to sell information on the vulnerabilities, rather than report them to equipment manufacturers, in order to "speed up" the development of a fix. Consistent with this general policy, ReVuln is not going into details about the flaws it claims to have discovered.
How convenient. Create some FUD about a device, then charge big bucks for the details of the FUD.

Meanwhile, my Samsung UN40ES6100 is behind a router. How is someone going to get malicious software installed on it? How would they even know I have a Samsung TV in the first place?

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
said by Bob4:

How is someone going to get malicious software installed on it?

I think the crucial detail is that this TV has a built-in web browser. So (1) you need to use the web browser, and (2) browse a bad web site.

I don't have that capability, but my TV has the ability (if I attached an Ethernet cable) to check for firmware updates: I suppose that exposes my TV to the risk that Samsung may have sloppy security on its web server.

Bob4
Account deleted

join:2012-07-22
New Jersey
said by dave:

I think the crucial detail is that this TV has a built-in web browser. So (1) you need to use the web browser, and (2) browse a bad web site.

Using the built-in web browser is slightly less pleasant than getting a root canal. So not much danger there.


Bamafan2277
Premium
join:2008-09-20
Jeffersonville, IN
reply to antdude
I have a low tech fix to the high tech problem of them accessing the camera.

Electrical tape over the lens of the camera. Problem fixed. Better yet, tape a picture of a hairy old man in front of the camera. Give them something to look at.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:6
reply to dave
Or AllShare also you could get infected that way....sharing from your cell phone or various other media.

Hard to use the web browser unless you have 8000 or 9000 series that comes with a keyboard on the back of the Samsung clicker.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
reply to Bob4
said by Bob4:

...my Samsung UN40ES6100 is behind a router.

Not only are my "toys" behind a router they're segmented from my computer LAN and firewalled. Even if a hacker got to them I doubt it'd do them much good.
--
Don't feed trolls--it only makes them grow!

Bob4
Account deleted

join:2012-07-22
New Jersey
reply to Mele20
You can attach USB keyboards, but why bother. Just use a PC to browse the web.


cowboyro
Premium
join:2000-10-11
Shelton, CT
reply to TheMG
said by TheMG:

The details of the vulnerability have not been described/released, so I'm not sure how you came to that conclusion.

Most TVs, including Samsung, don't have a web browser. Just vendor-supplied apps. So no infected page can be visited, the user can only access a handful of vendor-approved services. That leaves only one access avenue, and that is direct access.