Smart TV's

[Sallubrious]

I've been looking into upgrading my TV and some the new "smart" TV's have some appealing features ie wifi, ethernet connectivity and built in web browsers etc, so I was curious about the hardware and software they run to provide those features.

After a quick investigation I found out they run a somewhat primitive OS and web browser that runs on single user profile without any real form of file permissions. Most of the software seemed to be based on Javascript or HTML of various incarnations so alarm bells started to ring.

Some of the more recent "Smart" TV's have inbuilt webcams and microphones so they can deliver Skype services so with the lack of file of permissions and the interwoven Java coding I was starting to see a few potential exploits that could be possible if such a device was connected to the internet.

Anyway it seems like this is a valid concern and after a quick websearch I'm at the stage where I would not use the inbuilt OS and browser functionality and adopt other strategies for viewing web content on a TV. I'd consider an android/linux based web TV/ mini PC where I can set permissions and implement a firewall policy and actually monitor what's going on with the connection (and disable javascript) to be a much safer way to connect to the internet.

From what I can see these new "smart" TV's have the potential to be a window into your living room complete with eyes ears. The camera and microphone have no hardware switch to turn them off and are solely dependent on software, so if a hacker or some prick from a security organisation decides to hijack your camera and microphone then you will have no way to stop them. Then there's other considerations like data collection for advertising purposes where a profile is built on your web habits and advertising is targeted to suit that profile.

A quick websearch on "smart TV's spyware" confirmed everything I suspected

Source

https://www.networkworld.com/community/blog/black-hat-smart-tvs-are-perfect-target-spying-you

Surfing the web from your TV is a "huge risk" that Lee compared to "web surfing within a web browser from many years ago." All apps run with "root" privileges. Since it's basically like a "regular PC," then an attacker could do things like sniff network traffic, install a keylogger, capture TV screenshots, or brick the TV. So Lee asked 100 friends which of the following is the worst case scenario if their TV is hacked:

Although 85% voted that a bad guy using your smart TV for surveillance was the worst case, Lee said the other 15% probably didn't understand what he could do after pwning a TV.

1. Stealing financial information.

2. Hijacking TV programs.

3. Breaking your TV.

4. Watching and listening via your TV.

Something to think about next time you're near your "Smart" TV and doing something you'd rather keep private even if it's on standby.

Edited January 4, 2014 by Sally

[bogfrog]

From what I can see these new "smart" TV's have the potential to be a window into your living room complete with eyes ears. The camera and microphone have no hardware switch to turn them off and are solely dependent on software, so if a hacker or some prick from a security organisation decides to hijack your camera and microphone then you will have no way to stop them. Then there's other considerations like data collection for advertising purposes where a profile is built on your web habits and advertising is targeted to suit that profile.

A quick websearch on "smart TV's spyware" confirmed everything I suspected

Source

https://www.networkworld.com/community/blog/black-hat-smart-tvs-are-perfect-target-spying-you

Something to think about next time you're near your "Smart" TV and doing something you'd rather keep private even if it's on standby.

Everything I have suspected is being revealed.

I think in general any 'smart' technology is specifically manufactured to spy on us, as well as to limit our well being, mental agility and creativity with social media to replace genuine social interactions and mind-numbing games to replace meaningful cognitive stimulation.

It wont be long before they will be encouraging everyone to get a USB port embedded in their foreheads so we can plug our consciousness straight in to the plastic-fantastic-advertising-oozing-from-every-pore-alternative-reality of smart TV for 24hrs a day 7days a week.

Then a system could be devised (its probably being manufactured as i type) so we have no need to leave the tv, a grand creation of technology they will call it, a chair which serves us food and water, where we can piss and shit, wash and sleep. No need at all to leave the black box, the crusher of dreams and the destroyer of freedom.

[Sallubrious]

I don't think there is any real need for a usb port in our heads just yet, most people are more than happy to carry their consciousness in their pocket in the form of a smart phone and use it to convey all their thoughts to world through it. They have gps tracking & microphones free for anyone with the technical ability to use it from anywhere in the world.

I had some issues with smart phones too, when I found out about carrier IQ spyware that was being shipped as standard in US phones. It wasn't supposed to be happening in OZ but when I rooted my android I found it on mine. At least with an android phone there is a permissions structure that can be used to stop someone from having free access to the entire phone if it's compromised although most people willingly wave that right when they install apps that want root access and other escalated privileges at the same time.

Smart TV's don't have a layered permissions structure, everything is run as root, which is a major leap backwards compared to a modern computer OS with a functional permissions structure. So if a hacker or intel agency finds the slightest exploit in any seemingly unimportant app or file on the system they can pwn the entire system. People will be using the browser to make credit card purchases and login into email etc so this is serious issue.

The problem is they are making them so cheap & they have so many desirable features that makes them very appealing. It's almost come to the point where if you want new tech you have to be an expert in IT security or just accept an ever growing level of invasion of privacy.

[naja naja]

I am happy with my Apple TV. $108 bargain. Not sure of its security. But I am not letting a web cam or mic into my house anytime soon.

[indigo264nm]

Get a very basic computer with two NIC's and set up a firewall, input your ADSL model into firewall, set up the switch and run your cabling and your wireless router from there. Set up a wireless client filter on your wireless router, disable WPS and use a strong password. Can even disable DHCP and only use static routing to be extra sure.

Won't stop the NSA because they can exploit anything, but will stop hackers getting in.

[indigo264nm]

I am happy with my Apple TV. $108 bargain. Not sure of its security. But I am not letting a web cam or mic into my house anytime soon.

$35 raspberry pi + openELEC does everything and more that Apple TV can give you. Open source hardware, open source software. Leaks have definitely shown that there are backdoors into Apples walled garden.

In terms of webcams they're hard to avoid these days because pretty well all laptops have em - can open the fucker up and disconnect the cable though, or run a applet that tells you if it's been enabled.

Scary times.

[Sallubrious]

Yeah I've settled on raspi for my setup too indigo, I'm tempted buy one of the cubieboards or a cubietruck but they don't have the user base yet and still have a few issues to iron out.

There's a few companies out there specialising in finding exploits with smart devices and they sell their findings to the highest bidder in preference to the manufacturer. Many times the highest bidder is a security organisation. So most of the exploits will never be known by the general public.

You can cover the webcam with a bandaid or a piece of elastoplast with something under it to protect the lens so it doesn't get shitted up by the adhesive.

Edited January 14, 2014 by Sally

[santiago]

You could perhaps blue tac over the mic and cam. That should work until the cam is actually the screen or behind it and the mic internal. If then still you dont want secret agents or programs, hackers spying on you turn it off at the wall.

Using my phone which im terrible at so this reply is guided towards post 2.

[2XB]

Surely if one sets up their firewall properly on their router there should be no issue.??

[santiago]

You need to set up a router properly just to watch a so called smart tv and firewall it to protect yourself from people watching people watching people. I think your right, blu tac is a bit of a waste, ill use chewing gum.

[Sallubrious]

Surely if one sets up their firewall properly on their router there should be no issue.??

Yes & no

It depends on how the firewall is implemented, if you use click and set type of setup then it's dependent on how the router was configured. If you are using ipchains/iptables setup then you have a bit more control but even then it can be a false sense of security.

A lot of firewalls don't monitor much more than packet headers, so if the header looks OK and it's coming through the open port of the firewall then it can still carry a malicious payload especially if the data is encrypted. A high end firewall with some form of packet inspection and employs DNS lookups would give you a better chance of keeping it safe.

[Scarecrow]

>All apps run with "root" privileges

holy moly, that ain't good. sounds like you'd be better off using an actual computer, and just setting it up for television. hell, use that shit for games while you're at it.

maybe Steam OS will pull through for us with reasonable security permissions?

[Sallubrious]

Yeah that's what indigo was suggesting. Connecting that way gives you gives you several layers of security and the ability to monitor your logs to get a real handle of what's going on. It's easier to implement a better firewall than most routers have out of the box that way too.

Using the Raspberry pi (which is a real computer) as the web interface on the TV gives you another layer securiy that you have control over & it has a permission based file system where you can take steps to keep root access limited to what needs it for the system to function. For under $40 the raspi is a better system than most smart TV's have at the moment.