at least until a fix is released...
er, so how many flash upgradable TVs are there? Mine isn't. I suspect that a TV firewall is a LONG way in the future.
Internet-connected HDTVs could be used by hackers to infiltrate home networks, according to a firm that markets device security software for smartphones, VoIP devices and TVs. Mocana's not-exactly-disinterested warning follows tests by the firm on a range of inter-connected TVs, during which a security flaw was discovered in …
Most new large TVs are flash upgradeable. My 32" LG, for example, has a USB port and runs Linux - throw in a stick with the new firmware on and it'll upgrade the set for you. Amusingly, someone leaked the engineer backdoor sequence to get into the service menu for an older firmware release (it was blocked after the leak though) and the menu lets you enable features in more expensive models - whoops! So a quick downgrade, enable features and upgrade again got my set playing movies, music and photos from the USB port, which it couldn't previously do.
Document mentions .eu and .tv domains and accessing home-screen.js
Google home-screen.js and you get http://customvieracast.blogspot.com/2010_05_01_archive.html
Read that document and you see "Looking at the code in home-screen.js I can see that it downloads from vieracast.eu (EU market) vieracast.tv (US market) depending on where you are."
I know the Sony Bravia range needed a software update when they used to refuse to come out of standby mode (apparently an overflow problem in a counter)
My Samsung certainly has the option for a software update and if I used the built-in Freeview tuner I would probably carry out the update just to try and get something more usable (but I don't so I won't)
"I know the Sony Bravia range needed a software update when they used to refuse to come out of standby mode"
That only means two things:
a) The manufacturer got lazy - "I'll have a beer rather than debug that firmware properly, after all the luser can always be forced to update it later..." and
b) The TVs have got more "features" than they need to have
What it DOESN'T mean:
a) The Internet connectivity for TVs is a necessary or a good thing.
.. it's Samsung!
There are lots of clues in the doc, but one simple test is who makes Skype enabled TVs.
There is only Panasonic and Samsung. Further on it mentions domain names, in the .tv ccTLD, with specific JavaScript files. Guess what happens when you try those URLs with Samsung instead of the redacted X placeholders!!
If you are going to redact, do it properly!!
Looking at their list of afflicted applications, it matches with what I have on my Panasonic.
Sony have their own walled-gardens of course, as do other manufacturers.
The article confirms that the TV in question contains no actively listening services (quite rightly, why would it). Their whole premise appears to be based on the fact that they have redirected the TV (through local DNS redirection) to retrieve manufacturer-supplied scripts that have been doctored.
Rightly, as no authentication is performed on the source of these scripts, they are able to rewrite them as they like and do what they will with them. The TV in question accepts them as authentic and then the fun begins. So of course they can change things in these circumstances.
Frankly, if my home network has been compromised to that degree, then not getting YouTube on my telly is the least of my worries.
That said, interesting article. I think it's of more use as an educational jumping-off point, give some people some ideas on how to customise or open-up the walled gardens the manufacturers have locked them into. Nice bit of fun in other words :-)
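The gap described in the comment above is that downloaded scripts are accepted with no authentication of their source. The following shows a device-side check that closes it. It is an example added here, not part of the thread and not any manufacturer's code; the function names, the Ed25519 key pair and the script contents are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Stand-in for the vendor's signing key pair (constructed). On a real device only
// the public key would be baked into firmware; the private key stays with the vendor.
const { publicKey: PINNED_PUBLIC_KEY, privateKey: vendorPrivateKey } =
  crypto.generateKeyPairSync('ed25519');

// Vendor side (hypothetical): publish the script with a detached signature.
function publishScript(source) {
  const body = Buffer.from(source, 'utf8');
  return { body, signature: crypto.sign(null, body, vendorPrivateKey) };
}

// Device side (hypothetical): accept a download only if its signature verifies
// against the pinned key. The DNS answer, IP address and URL play no part in trust.
function acceptScript(download) {
  const { body, signature } = download;
  if (!Buffer.isBuffer(body) || !Buffer.isBuffer(signature)) return null;
  if (signature.length !== 64) return null; // Ed25519 signatures are 64 bytes
  let ok = false;
  try {
    ok = crypto.verify(null, body, PINNED_PUBLIC_KEY, signature);
  } catch {
    ok = false; // malformed input is treated as a failed check
  }
  return ok ? body.toString('utf8') : null;
}

function demo() {
  const genuine = publishScript('loadWidgets(["weather", "video"]);');
  // Altered body served with the original signature replayed.
  const doctored = {
    body: Buffer.from('loadWidgets(["other"]);', 'utf8'),
    signature: genuine.signature,
  };
  // Altered body signed with a key the device does not trust.
  const rogueKey = crypto.generateKeyPairSync('ed25519').privateKey;
  const resigned = {
    body: doctored.body,
    signature: crypto.sign(null, doctored.body, rogueKey),
  };
  return {
    genuine: acceptScript(genuine),
    doctored: acceptScript(doctored),
    resigned: acceptScript(resigned),
    unsigned: acceptScript({ body: genuine.body }),
  };
}

console.log(demo());
```

Only the genuine script is returned; the other three downloads yield `null`, so a redirected fetch fails closed regardless of which host answered.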
I've updated the software on my TV a few times since July. Part and parcel. Not a problem, nothing to see here, move along etc.
One would hope the base OS itself is actually verified before installation. Understandable that content isn't, of course. Still don't regard this as an issue to get me worried.
Most appliances, even "unsophisticated" ones, are just computers with specialised peripherals. Alas, those who provide network interfaces don't often "realize" what they're doing; leaving the computer wide open to being "owned".
What is probably closer to the truth is that they don't have the resources to build in the necessary protection for the "feature" that the marketing department has dreamed up and advertised 16 hours before product launch?
And TV is, by definition, networked. How about malware payloads carried by digital TV signals, injected to attack particular TV engines? Right past the firewall of a domestic network.
Want to attack other networked computers pretending to be appliances made by competitors?
...self damaging.
My blue light special movie player frequently offers firmware upgrades, the last of which disabled playing NETFLIX. The Blu-Ray spec intimates movie playing can be likewise crippled.
HDNA gives your player/TV hooks into the rest of your network, especially mass storage.
Where things will get scary is when a camera and mic become* a "feature" of a TV.
Makes buying a TV for your girlfriend a great Christmas present. Of course Skype would be on it. Trivial** to turn on the cam remotely and invisibly. A friend keeps a piece of tape over the lens on his lappy for just that reason.
These guys have identified a genuine need. But then so have the makers of duct tape.
*Technology predicted for 1984
**For some people.
I don't know of any site called www.vieracast.tv, I get a not-found when I key it in on my PC.
IPTV is an interesting alternative to Cable-TV. It is not rare for people to be paying $165/mo for Cable/Phone/Internet. For a lot of people, there is some hope that IPTV is part of a way to do that stuff cheaper.
How many people ever turn off their TVs? You switch off your PC, and many people switch off games consoles, but how often do you actually physically remove power from your telly?
You don't. You point a box at it and press a red button. So you're relying on software to switch it off. And if the software is hacked, then it can keep DDoSing websites, cracking captchas or whatever it is that the cool botnets are doing this year.
Every night almost all gadgets get powered off and unplugged. Even the router. The only thing that gets left on stand-by is one PC, and its job is to record TV, so it often wakes up, does its thing and then goes back to sleep.
If I am ever daft enough to connect a TV to a network (and why would I? The DRM-crippled usage wouldn't be worth it), then I'll have to make sure I am running a router and a firewall that can pick up crap like this on the network. One simply cannot rely on the OEM to do it correctly.
"but how often do you actually physically remove power from your telly?
You don't. "
Speak for yourself. We always switch ours off at the plug mainly because we don't use it much and it saves a little bit of electricity. Not everyone is so lazy that they can't make it over to the wall socket.
...who controls the boxes. For example I have a networked "satellite receiver" which is essentially a Linux PC. I can record and store everything I want for as long as I want to. I can get both Freesat and normal FTA satellite reception. All recordings are normal files I can easily re-encode to just about anything I want. I could build an ITV to Youtube gateway, if I really wanted.
...do not connect the TV to the local network. Why are people obsessed with doing this anyway? The experience is usually marred by DRM and proprietary interfaces which are a total pain in the balls. Use the TV as a dumb-monitor, nothing else. Drive it from some kind of media centre front-end (i.e. a PC). That can be easily upgraded/reconfigured/firewalled/etc and you neatly insulate yourself from the TV manufacturer deciding that your 2 year-old TV is now "obsolete".
It's just a shame that when you get a big TV, you end up paying for USB, Ethernet, DLNA and other crap that you simply do not need.