The adoption of connected entertainment devices, and in particular smart TVs, has grown exponentially. In fact, connected entertainment device adoption including smart TVs grew by 50 percent in Australia in 2017, according to Deloitte’s latest Mobile Consumer Survey 2017.
Much like mobile phones, smart TVs have become internet-connected ‘computers’. However, the internet connectivity of smart TVs and the vulnerable state of security in the IoT space in general have opened the floodgates to a deluge of threats to consumer privacy and security. The key issue is that smart TVs and other IoT devices for the home and office don’t have the same authentication standards as computers, and security is often treated as an afterthought.
Research has shown that various attacks against smart TVs are not only possible, but that they often require no physical access to the device or interaction from the user. It has also been demonstrated several times that, once compromised, an Internet-enabled TV can serve as a springboard for attacks on other devices within the same network, ultimately targeting a user’s personal information stored on more lucrative targets such as PCs or laptops.
Even more concerning is the ability of malware to turn smart TVs into bugging devices. In this attack vector, hackers create legitimate-looking apps that, once downloaded, release malicious updates onto the smart TV, turning the built-in microphone into the perfect eavesdropper.
It goes without saying that the risks rapidly increase when such devices are used by businesses due to the lucrative nature of their data. In this scenario, the window of opportunity for attackers to breach organisations through less secure connected devices such as smart TVs in the boardroom creates a major concern. While cyberattacks against both consumers and businesses via smart TVs are not a current concern, it may only be a matter of time before cyber criminals begin exploiting their security flaws on a mass scale.
The history of smart TV spies
You probably enjoy watching your smart TV, but chances are that you don’t want it to watch you, too. However, “watching its watchers” is precisely what a smart TV can do.
Back in 2013, research revealed that by exploiting security holes in some models of Samsung’s internet-capable TVs, it was possible to remotely turn on the built-in camera and microphone. In addition to converting the TVs into all-seeing, all-hearing devices, the researchers were able to take control of embedded social media apps, posting information on the users’ behalf and accessing their victims’ files.
From the consumer perspective this poses obvious privacy and security concerns. For the enterprise, this is also a major worry as it means hackers have the potential to spy on teleconferences and meetings to extract highly confidential information.
In 2014, it also came to light that there was a loophole in a widely used interactive TV standard known as HbbTV. It emerged that attack code could be buried in ‘rogue’ broadcasts that could target thousands of smart TVs in one fell swoop, hijacking these as well as other devices in the network, stealing logins, displaying bogus adverts, and even sniffing for unprotected Wi-Fi networks.
Concerns about the implications of smart TVs for privacy grew even further in 2015, when issues with Samsung’s ‘voice recognition’ function, which enables the use of voice commands, came to the fore. The company warned its customers who use the voice activation feature on their smart TVs that their private conversations would be among the data captured and shared with third parties. However, the voice information picked up in such ‘official snooping’ was not always encrypted, making it possible for intruders to listen in on private conversations.
So have we become smarter about smart TV safety?
The short answer is no. In February, the results of hack tests on internet-connected TVs of five major brands, each of which uses a different smart TV platform, were released. The devices were found to be susceptible to rather unsophisticated hacks that would enable an attacker to remotely flip through channels, crank up the volume to blaring levels, install new apps, and knock the device off Wi-Fi.
The review also found that users need to consent to the collection of very detailed data about their viewing habits – unless they’re ready to forgo the smart features of their new smart TV. Over the years, several manufacturers have been found to engage in behind-the-scenes acquisition of, and trafficking in, data about the viewing habits of consumers.
Issues with HbbTV were in the spotlight again in 2017. A security researcher demonstrated a technique for deploying a rogue over-the-air signal to compromise internet-enabled televisions. Once taken over by the attacker, the TV could be used for an apparently endless list of malicious actions, including spying on the user via the TV's microphone and camera, and burrowing deep into the local network. As many as 9 in 10 smart TVs sold in recent years were estimated to be prone to this hack.
According to one projection, over 750 million smart TVs will be in use worldwide by the end of 2018. With attacks growing increasingly sophisticated by the day, and more and more consumers snapping up smart TVs, the security conversation surrounding them is here to stay. Much like mobile phones, smart TVs have become internet-connected ‘computers’. It would no doubt help if we thought of them as such and protected them accordingly.