Samsung has patched a smart TV bug that allowed hackers to remotely activate the integrated webcam and spy on viewers in their living rooms, as well as redirect the onboard browser to a compromised webpage. The security flaw, spotted by researchers at iSEC Partners, has been fixed with a firmware update pushed to affected sets, Samsung told CNN Money, but renews questions about the inherent safety of home appliances and the so-called “internet of things” as ubiquitous connectivity becomes commonplace.
The affected models were from Samsung’s 2012 range of smart TVs, the researchers said during a presentation at the Black Hat security conference this week. They found several methods to potentially hack the TVs’ browser or social media application, which, once compromised, would permit the hackers “to take complete control of the TV, steal accounts stored within it and install a userland rootkit.”
That done, it would be a straightforward matter to redirect any web query to a different page, Aaron Grattafiori and Josh Yavor of iSEC Partners suggest. With a little careful design, that could lead to users inadvertently handing over PayPal, banking, credit card, or other personal information, believing themselves to be on legitimate sites.
It’s the potential for the TV to be turned into a literal spy in the living room that is most disturbing, however. “If there’s a vulnerability in any application, there’s a vulnerability in the entire TV,” Grattafiori said of the exploit; by cracking into the browser, the pair was able to seize control of the webcam Samsung integrates into select smart TV models, activating it with no visible indication on the set itself that viewers are being watched.
Samsung patched the flaw before the presentation took place, having been alerted to the issue in advance. As for those still concerned, Samsung points out that there are some physical methods by which privacy can be retained. “The camera can be turned into a bezel of the TV so that the lens is covered, or disabled by pushing the camera inside the bezel,” the company says. “The TV owner can also unplug the TV from the home network when the Smart TV features are not in use.”
Nonetheless, the iSEC researchers aren’t convinced that another route to hack the sets – or similar products – won’t be discovered. The issue is likely to become increasingly prevalent, security experts like Marc Rogers, principal researcher at Lookout Mobile Security, told SlashGear recently. Part of Rogers’ current focus is how manufacturers of what, until now, have been effectively appliances will handle the responsibility of managing updates and patches in a timely manner when internet connectivity becomes ubiquitous.
“Thinking about it, if you change the purpose of these things [like smart thermostats and smart TVs], how do you assess that?” Rogers questioned. “Look at all the new bits of data this thing has, and ensure that you put in appropriate levels of security onboard. Is there a patch management process in place? You can no longer say, well, these things are just updated as firmware; you need a scalable process. These are all things that we have to think about, and I don’t see many people doing it.”