Would we even know if our “Smart” TVs were hacked?

Rafael Scheel doesn’t think so:  https://www.bleepingcomputer.com/news/security/about-90-percent-of-smart-tvs-vulnerable-to-remote-hacking-via-rogue-tv-signals/

I know enough of the stuff that goes on in the receivers to think these at least plausible.

Well, still not planning to get a “smart” TV any time soon. And if I do, I expect that I’ll try to turn off at least most of the “smart” functionality.

Got a separate box for the smarts and it doesn’t have a mic or camera.

The FBI is right, the Jake is wrong. It’s that simple. Just read the manual shipped with your Internet connected device and follow best practices — and turn off microphones and cameras if not used.

What is outrageous about Smart TVs is now most TVs have customized ads that can’t be disabled in most cases. They snoop on you and then they use your bandwidth to show you ads based on your viewing habits. If you want to use the internal apps in your TV to watch, let’s say, Netflix, you have to plug it and suffer the consequences. It should by illegal to tie an unrelated product to forced customized ads like this. An opt-in should be required. This is an unjustified invasion of privacy that isn’t required to provide functionality.

However, it is a bit weird to scare people about the risk of having their tv hacked while the risk seems to come more from other devices hacked on the same network, devices that are not necessarily less invasive if hacked. If you don’t browse the web on your tv and you only use the streaming apps, if you keep its firmware updated and if you use a guest network on your router for less secure devices, I wonder how you will be hacked if there is no unpatched vulnerability enabling an over the air attack coming from some determined actors. To me, the biggest risk seems to be from the manufacturers and it is to your privacy.

As for an over the air attacks or other, manufacturers should be liable to fix any security issue that could pose a threat to a user for a minimum number of years that corresponds to a least the reasonable expected lifetime of the product.

The Outer Limits …

https://www.youtube.com/watch?v=FCcdr4O-3gE

I would agree with anonymous. Jake is in lala land if he thinks this is nonsense.

We already, know snooping and hacking using IOT connected cameras, and other devices already happens.  In fact it wasn’t too long ago every discoverd how many laptop camera’s were being used too snoop on people.

We already know that some companies (cough, VIZIO, cough) have been recording users audio and watching habits and selling the data.

We also know TV manufactures care little to nothing about security!

That is a bad soup.  I would just stay away.

When Smart TV’s first came out Samsung was caught sending a compete inventory of the file names on you network. I currently us MiraCast to send video’s from a PC to the main TV. This works find for me. At some point I will add a mini PC to each TV and use a tablet to remote in and display the content I want on that TV.

By using a PC I can control what access it has to the internal and external network. A Smart TV is a dumb idea.

I must disagree; Jake is right & the FIBs are wrong. In February 2018, Consumer Reports published that Samsung smart TVs & smart TVs on the Roku platform were & still can be hacked. The hacks are still minor; changing channels & volume, and remotely playing offensive videos. As for “cyberstalking”, controlling the camera & microphone… it couldn’t be done then… & probably still can’t be done now. Standalone IoT devices & devices like FB Portal & Portal TV could be hacked… if hackers got past routers without default passwords changed and/or changed to commonly known hackable ones, or no password protection at all.

Options to prevent the above:

1. Get a “Dumb” TV without Internet access & hook to an Over-the-Air (OTA) antenna or cable TV. For cable access, make sure the TV is cable-ready or use a set-top box.
2. If you must buy a “Smart” TV, Don’t connect it to the Internet & functionally make it “Dumb”.
3. If you must buy a “Smart” TV and must connect it to the Internet, follow the instructions for your specific TV or platform in this CR article: https://www.consumerreports.org/privacy/how-to-turn-off-smart-tv-snooping-features/#samsung

Turning off Automatic Content Recognition (ACR) will stop 90-95% of data collection & prevent targeted ads. Turning off Advertising or Marketing options and ACR will allow general ads.

As far as hacking goes with smart devices, I use wireless isolation on my router’s Wi-Fi access point “guest” network.

That means any wireless device that is connected to my “guest” network can only access the internet, and none of the other devices on my home network. So no network sniffing or scanning is possible. I only allow my potentially untrusted devices to use the “guest” network, which really limits the damage they can do over my network.

But as far as media streaming smart devices go, you will need to allow internet access to stream any content, so that is where they have got you, as far as collecting usage data. Choose wisely, and read those manuals! 🙂

I respectfully disagree with Jake’s assessment.  Wireshark also concurs with my opinion.  I’m going to go so far as to say this is unlike Jake . . . has his twitter account been compromised?

That is all.

North American TV receivers are ATSC, not DVB, which is a European broadcast standard.

So not sure if sure if the previously disclosed hack using an over-the-air DVB-T broadcast would have any effect on ATSC TV receivers.

Not sure what triggered Jake.  I read the FBI article.  Sounded pretty reasonable and factual to me.  They were not preaching doom and gloom, just telling it as it is.  Actually similar to a slew of articles/advisories written by various security gurus.  Seriously, if the FBI article muted the potential risk, they’d get their behind handed to them later if consumers got harmed by some “new” exploit.  Note that I used the word “if” there.

I run a pihole at home.  When I got a Roku TV I was blown away at the massive amount of telemetry traffic I saw in the pihole logs.  Things improved when I added some Roku specific rules to the pihole server.  Fortunately, I got a Roku TV that doesn’t have – or support- a camera or microphone.

I spent some time reviewing Roku’s API.  Heck, I’ve used the API for scripting turning the TV on and off & changing channels while away from home (to make it look like I’m home).  But I have to say (in my opinion): the API is a disaster waiting to happen, due to the seemingly rich attack surface.

Then there’s the Closed Captions vulnerability for some TVs & media players.  I believe this has been patched on most smart TVs by now.  At least, I hope so.

The biggest security issue I see for smart TVs is that the manufacturers stop developing firmware/security updates after just a few years for many models.  Problem is, a lot of folks keep their TVs *forever*.

For smart TVs, I think keeping them behind a good quality (and regularly updated) securely configured firewall/router is an absolute must.  But many households have deficient/obsolete firewall/router setups, offering poor-to-no protection.

I have been aware of reports of “smart” TVs spying on people for perhaps two years or more already. I have no experience with “smart” TVs, or “smart” anything, for that matter, other than some smart friends — and girlfriends — to whom I can definitely refer to without the need to use ironical quotation marks. But I am protected from this I’m-being-spied-by-my-own-TV Orwellian problem by no longer watching television, at all, due to my, by now, terminal abhorrence of commercial television, here in the US, with its endemic plague of garish, loud and noisy adds placed right when things are starting to get interesting or to make sense in a show, stopping it for five or ten minutes of unrelated topics such as toilette cleaners, kitty litter, or some smarmy fellow I don’t much care for asking me to vote for him.

I wouldn’t even think of connecting a TV to the internet.  I’d prefer to have the dumb variety, all else being the same, but those apparently don’t exist, unless you just buy a computer monitor and use that as your TV.  I haven’t bought a TV in ages… dumb TVs were (as far as I know) all they had when I bought my last one.  It has a CRT and is 4:3 aspect ratio, and I bought it brand new, so that’s how long it’s been.

The thing that worried me was that I’d read that at least one smart TV would connect to any open wireless network it could find if you didn’t give it one.  I don’t want my TV stealing my neighbor’s bandwidth without my permission just because he’s unaware enough to have set it up that way.  Theoretically speaking, of course; none of the dozens of SSIDs I can detect from my house are actually open right now, but that has not always been the case.

I don’t know if any of them still do that or if this was ever actually true in the first place, but the prospect of things (cars, for example) phoning home without me explicitly giving them a connection is the thing that bothers me the most.  Not connecting them is one thing, but having to actively block them from doing something is quite another.  I wish the builders of my house had put in a Faraday cage during construction… at this point, there are no radio signals of any kind I want entering the house.  I never use my cellular phone (it basically exists to call a tow truck if my car breaks down), and it is a dumb phone, of course, and I haven’t listened to radio in ages.

I would be quite happy if the massive amounts of radio interference from the 30 or so wifi networks within range (among any other things on the 2.4 GHz band, which could include as many bluetooth devices as there are wireless networks) wouldn’t prevent successful bluetooth use within my house at some times of the day.  Trying to stream audio from my laptop to my desktop (which has better speakers) is impossible at some times, even though the antennae are no more than two feet from one another, with direct line of sight.  Switching to another source or another sink (the place where the audio is being sent) does not help, and it happens in Windows as well as Linux.

I’ve never seen any of the “just use bluetooth, it’s 2019!” people defending Apple’s “courageous” decision to remove the headphone jack mention this scenario.

No, he’s right. If you can’t point to any evidence it has occurred, you shouldn’t be reporting it as a risk. Being able to hack an IoT device and being able to use it to actually stalk you are different things.

Plus, unless you modified your ISP’s modem, you will be unreachable from the outside Internet without some way to get the TV to initiate the connection. If you haven’t put on any unregulated apps, it’s as safe or safer than your smartphone, which also has a camera and mic on it. But you don’t get warnings about those.

We are on a site where we are told not to worry about exploits until they actually exist in the wild. Why are so many people not applying that to TVs, and thinking a completely hypothetical hack is a valid thing to release an FBI Warning about?

Do you rememeber when mobile phones were “locked” just by pressing * and everybody who stole your telephone was able to read all your conversations, see phone calls, etc? Who cared? Nobody, thats who. People today are paranoid. Who thinks, that something can be safe and hackerproof? Utterly wrong assumption. Why do people buy IoT fridge when attacker (programmer) can remotly see how many beer cans you have left in fridge?

FBI must say, that this is possible, but I think its more like scaring people, if nothing else. If you are affraid of somebody abusing your camera, you should have it covered. Its everybody itself who is responsible for his security.

Hackers existed, exist and will continue to exist. Wanna see me on my couch watching TV? Go ahead, you will be disapointed 😀

anonymous wrote:

No, he’s right. If you can’t point to any evidence it has occurred, you shouldn’t be reporting it as a risk. Being able to hack an IoT device and being able to use it to actually stalk you are different things.

Plus, unless you modified your ISP’s modem, you will be unreachable from the outside Internet without some way to get the TV to initiate the connection. If you haven’t put on any unregulated apps, it’s as safe or safer than your smartphone, which also has a camera and mic on it. But you don’t get warnings about those.

We are on a site where we are told not to worry about exploits until they actually exist in the wild. Why are so many people not applying that to TVs, and thinking a completely hypothetical hack is a valid thing to release an FBI Warning about?

Huh??

I’ve used multiple ISPs over the years for home connectivity.  Each with different modems.  In every case, the logs of my firewall/router show constant inbound probing/scanning from addresses all over the world – 7x24x365.  I haven’t ever observed the modems doing any significant form of packet filtering.

Some ISPs do block some protocols to/from home service.  Like Windows file & printer sharing, SMTP (server side) and sometimes uPNP.  But whatever blocking they do (if they do it) is quite limited.

For consumers, safe computing (“security”) is the result of the priorities they set & choices they make.  When I learn of a new vulnerability, I don’t wait until I’m a victim before I take steps to mitigate the risk(s) in a reasonable fashion.

anonymous wrote:

No, he’s right. If you can’t point to any evidence it has occurred,

The FBI publish a warning only after the fact, so this warning means that there are already TV hacks in the wild.
The FBI, as any tech company, doesn’t publish evidence unless the bug/hack. has been fixed. In the case of smart TVs the chance for that to happen is nil.

I tend to agree with the reality of the problem of “smart” TVs presenting a potential threat to personal privacy, regardless of any FBI warnings about them. Anything actively connected to the Internet — sending and receiving messages to determine what it does — can be hacked. Manufacturers of equipment meant to work while being online have repeatedly showed themselves not to be terribly good at providing safe operating software for their gadgets and also as not being really keen to update it so as to keep up with the ever-evolving online threats.

That said, and if we were to agree that “smart” TVs are, from the image quality point of view,  pretty much the best of all TV sets one can buy these days, then I would like to know this:

Can recent models of smart TVs now being sold, be connected to a PC via (let’s say) an HDMI cable, to use it as an large external monitor for streaming shows picked up with the PC, as well as any other uses where having a very large screen monitor can be of help?

Because, doing that would allow one to still get the use of a good, modern TV set without having to worry about being spied/snooped at home by the “smart” side of it. That is, assuming that there are no really good new TV sets that are “dumb” any more. And if it turned out that the apprehensions about the spying and the snooping are actually overrated, then the “smart” TV could still be used as such… and Bob’s your uncle. (We have discussed this old saying already.)

OscarCP wrote:

Can recent models of smart TVs now being sold, be connected to a PC via (let’s say) an HDMI cable, to use it as an large external monitor for streaming shows picked up with the PC, as well as any other uses where having a very large screen monitor can be of help?

Not sure my laptop would use the 43″ UHD Samsung smart tv-2017 model- would that damage the graphics card in laptop? Acer E15 w/nvidia gforce mx150 2gb vram.

Also, I haven’t seen any mention of problems w/ security if hardwired? Cant seem to find on/off for wifi…its either asking for wi fi ssid /password or ethernet wired.

T’anks!

Consumer Reports reported a year and a half ago that a hacker could indeed take control of your smart TV:

https://www.consumerreports.org/televisions/samsung-roku-smart-tvs-vulnerable-to-hacking-consumer-reports-finds/

We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn’t understand what was happening. This could be done over the web, from thousands of miles away. (These vulnerabilities would not allow a hacker to spy on the user or steal information.)

A determined hacker could probably do the same today.

I have a Smart, AND DISCONNECTED, TV which I use as a regular TV. Whenever I want to watch something that is online, I switch to “PC” and browse to the thing I want to watch on the computer that I have connected to my TV. It’s a lot easier to secure a computer than a TV.

How to Turn Off Smart TV Snooping Features
(Last updated: December 04, 2019)

These concerns are receiving lots of media attention this holiday shopping season, because an FBI office in Oregon issued a warning saying that some smart TVs are vulnerable to hacking, and that a number of TVs have video cameras built into them.

But the FBI statement covers much of the same ground that we reported previously, and some of the concerns it raises have already been resolved.

Built-in cameras, for instance, have largely been eliminated from new televisions. Consumer Reports’ labs haven’t seen one in any of the hundreds of new TVs we’ve tested in the past two years.

And some security problems that Consumer Reports found and reported on in 2018 were addressed. Samsung, for instance, fixed a vulnerability that could let hackers take control of your TV after we contacted the company about the problem.

But privacy concerns remain. In a recent study, researchers at Northeastern University and Imperial College London looked at smart TVs and other internet-connected devices and found that many of them sent data to Amazon, Facebook, and Doubleclick, Google’s advertising business. Nearly all the TVs sent data to Netflix even if the app wasn’t installed or the owner hadn’t activated it.

https://www.consumerreports.org/privacy/how-to-turn-off-smart-tv-snooping-features/