Smart TVs are opening a new window of attack for cybercriminals, as the security defenses of the devices often lag far behind those of smartphones and desktop computers.
Running mobile operating systems such as Android, smart TVs present a soft target due to how to manufacturers are emphasizing convenience for users over security, a trade-off that could have severe consequences.
Smart TVs aren’t just consumer items, either, as the devices are often used in corporate board rooms. Sales of smart TVs are expected to grow more than 20 percent per year through 2019, according to Research and Markets.
While attacks against smart TVs are not widespread yet, security experts say it is only a matter of time before cybercriminals take note of the weaknesses.
“Many of the solutions aren’t even adapting the best practices that are already known in the IT world,” said Phil Marshall, chief research officer for Tolaga Research. “The ecosystem is fragmented, and there is an emphasis on getting the solution to market quickly.”
Smart TVs are essentially computers, with USB ports, operating systems and networking capabilities no different than smartphones. But unlike computers and mobile devices, smart TVs often don’t require any authentication.
“Basically with these TVs, if you are in the same room, you’re always going to be treated like you’re the owner of the TV,” said Craig Young, a computer security researcher with Tripwire.
Young, who has been researching security issues with smart TVs, also said some models don’t confirm whether someone sending commands over the network is the same person who can actually physically control the TV.
This means an attacker from afar could potentially cause a smart TV to show something far more risque than the latest sales figures during a meeting.
“If someone in the board room is doing a presentation, that can lead to some embarrassing situations or some unexpected situations,” Young said.
Many of the major manufacturers—Samsung, LG and Sony—have built app stores for smart TVs, a model pioneered by Apple for smartphones. But users can also be convinced to download malicious apps from third-party app stores, an attack method used against smartphones that could also be used against smart TVs.
Candid Wueest, a threat researcher with Symantec, deliberately infected his brand-new, Android-powered TV with ransomware, which is malware that encrypts files and demands a ransom to be paid in bitcoin.
Wueest’s experiment was a bit rigged: he modified the DNS (Domain Name System) settings on his own router in a mock man-in-the-middle attack and directed the TV to download the malicious app from a dodgy source. But such an attack would not be beyond the capabilities of attackers, he said.
Wueest has also noted many other issues with smart TVs revolving around software updates. Some models do not use encryption known as SSL/TLS (Secure Sockets Layer/Transport Layer Security) when downloading updates.
That would make it possible to trick a TV into downloading malicious firmware, which is low-level code that bridges a computer’s hardware and operating system at startup. Some models of smart TVs don’t even verify the integrity of the downloaded firmware.
Security for smart TVs “is more sprinkled on at the end as an afterthought,” Wueest said in a phone interview from Switzerland.
All of these issues pose vexing problems, particularly as smart TVs become more integrated with commerce and people increasingly enter payment card details into their TVs.
“My wife likes to do Black Friday shopping on the TV,” said Scott Wu, co-founder of 0xID, a Seattle-based company that specializes in mobile device security. “You are closely tied to your financial information on your TV.”
Smart TVs don’t run antivirus software, and it’s questionable whether that would be a practical solution to stopping cyberattacks.
While antivirus software could work, it also could degrade performance, and the question becomes “whether running security software on the TV is going to mean your Netflix is going to become choppy,” Young said. “That would be a big deal breaker.”
At least for Android, Wu said that its permissions model limits what apps can do without explicit approval from a user, blunting the capabilities of a malicious app on a smart TV.
Young said the issues around smart TVs are the same ones affecting a whole range of devices that are now being networked-enabled, the so-called Internet of things, that experts worry can be abused.
Some companies are addressing the concerns with new products designed to detect anomalies on networks rather than full-scale antivirus software. For example, F-Secure’s Sense product and one from Dojo-Labs monitor home network traffic flowing to many devices for signs of trouble.
“It’s clear that people in the industry are thinking about this problem,” Young said.