back to article SmartTV, dumb vuln: Philips hard-codes Miracast passwords

Demonstrating once again that consumer electronics companies don't understand security, ReVuln has turned up a hard-coded password in Philips “smart” televisions. Shown off in the video below, the vulnerability is simplicity itself: the WiFi Miracast feature is switched on by default, has a fixed password (“Miracast”, for …

COMMENTS

This topic is closed for new posts.
  1. William Boyle

    Gah!

    "Last year, Samsung and LG were criticised for poor Internet-connected TV security. Internet of Things insecurities have also hit home automation systems and refrigerators."

    So, I own your fridge - all your bacon is mine!

    1. AbelSoul
      Trollface

      Re: Gah!

      I own your fridge - all your bacon is mine!

      All ur cheese r belong 2 us.

      1. Suricou Raven

        Re: Gah!

        I'm in ur fridge, eating ur foodz.

  2. greifpad

    Autoplay video with sound? nice.....

    1. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Re: Autoplay video with sound? nice.....

        And worse, the music sounds very like the sort of cheap and cheesy track that might accompany a porn flick.

        Or so I am told.

    2. dotdavid

      Seconded

      Sloppy behaviour for a site read by many at work.

    3. McHack

      What autoplay video with sound?

      Noted: Have NoScript running to prevent embarrassing autoplaying internet video on a work computer. And also when around other humans.

      AdBlocking Vimeo wouldn't hurt either. And leaving speakers muted unless needed as well, which doesn't require sysadmin privileges.

      1. Gene Cash Silver badge

        Re: What autoplay video with sound?

        Yup. Vimeo now adblocked, unless I'm on vimeo itself. Bastards.

      2. This post has been deleted by its author

  3. Anonymous Coward
    Anonymous Coward

    I remember when I was a kid many of these SciFi ideas popped up in movies, magazines, etc. I couldn't wait to get it. But alas, I had to wait because it was all just that, props and talk. Now, here it is...... And I want no part of it. Please tell me someone is taking security seriously somewhere on something. Id like to enjoy something in this life without worrying about who's gonna hack TV, fridge, phone, thermostat, email, etc....

    1. VinceH

      ^ This.

      That is all.

  4. Anonymous Coward
    Anonymous Coward

    Doesn't matter if the password is simple or complex, if you don't protect it properly then it will get found.

    The DVD encryption was defeated by checking the RAM for the key while a DVD player program was running.

    1. This post has been deleted by its author

  5. Dan 55 Silver badge
    Meh

    When my CRT finally dies...

    I'll probably end up getting a monitor with built-in TV tuner.

    1. McHack
      Pint

      Re: When my CRT finally dies...

      I'll probably end up getting a monitor with built-in TV tuner.

      I'm just getting a TV for my next monitor, they all got PC inputs, VGA or better. And look, built in amplified speakers, and streaming over-the-air news and entertainment without Wi-Fi. And a remote control as well! Can't beat that.

    2. Anonymous Coward
      Anonymous Coward

      Re: When my CRT finally dies...

      ...I did that and don't regret it.

      My TV and my PC monitor are exactly equal and interchangeable monitor-with-tuner Samsungs. Well, not exactly, the one on the PC is 16:10 (1920x1200) while the one on the set-top cable box is bog standard 16:9.

      Back then, they cost each 800($currency) while a full-bore FullHD TV would cost 2000($currency). Samsung caught up pretty fast and brought these models down, they were stealing the TV market.

    3. Suburban Inmate
      Joke

      Re: When my CRT finally dies...

      I've got a CRT going spare, nice metallic silver model with a built in thingy that makes ~320p YouTube quality video appear out of rusty sellotape.

      £30 collection West London.

This topic is closed for new posts.

Other stories you might like

  • Why Wi-Fi 6 and 6E will connect factories of the future
    Tech body pushes reliability, cost savings of next-gen wireless comms for IIoT – not a typo

    Wi-Fi 6 and 6E are being promoted as technologies for enabling industrial automation and the Industrial Internet of Things (IIoT) thanks to features that provide more reliable communications and reduced costs compared with wired network alternatives, at least according to the Wireless Broadband Alliance (WBA).

    The WBA’s Wi-Fi 6/6E for IIoT working group, led by Cisco, Deutsche Telekom, and Intel, has pulled together ideas on the future of networked devices in factories and written it all up in a “Wi-Fi 6/6E for Industrial IoT: Enabling Wi-Fi Determinism in an IoT World” manifesto.

    The detailed whitepaper makes the case that wireless communications has become the preferred way to network sensors as part of IIoT deployments because it's faster and cheaper than fiber or copper infrastructure. The alliance is a collection of technology companies and service providers that work together on developing standards, coming up with certifications and guidelines, advocating for stuff that they want, and so on.

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading
  • Alcatel-Lucent Enterprise adds Wi-Fi 6E to 'premium' access points
    Company claims standard will improve performance in dense environments

    Alcatel-Lucent Enterprise is the latest networking outfit to add Wi-Fi 6E capability to its hardware, opening up access to the less congested 6GHz spectrum for business users.

    The France-based company just revealed the OmniAccess Stellar 14xx series of wireless access points, which are set for availability from this September. Alcatel-Lucent Enterprise said its first Wi-Fi 6E device will be a high-end "premium" Access Point and will be followed by a mid-range product by the end of the year.

    Wi-Fi 6E is compatible with the Wi-Fi 6 standard, but adds the ability to use channels in the 6GHz portion of the spectrum, a feature that will be built into the upcoming Wi-Fi 7 standard from the start. This enables users to reduce network contention, or so the argument goes, as the 6GHz portion of the spectrum is less congested with other traffic than the existing 2.4GHz and 5GHz frequencies used for Wi-Fi access.

    Continue reading
  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • AMD refreshes Ryzen Embedded line with R2000 series
    The target? Thin clients and industrial devices – with new SoC family running up to 4 independent displays

    Embedded World AMD is bringing to market a new generation of Ryzen chips for embedded apps promising more CPU cores, enhanced built-in graphics and expanded I/O connectivity to drive kit such as IoT devices and thin clients.

    Crucially, AMD plans to make the R2000 Series available for up to 10 years, providing OEM customers with a long-lifecycle support roadmap. This is an important aspect for components in embedded systems, which may be operating in situ for longer periods than the typical three to five-year lifecycle of corporate laptops and servers.

    The Ryzen Embedded R2000 Series is AMD's second-generation of mid-range system-on-chip (SoC) processors that combine CPU cores plus Radeon graphics, and target a range of embedded systems such as industrial and robotic hardware, machine vision, IoT and thin client devices. The first, R1000, came out in 2019.

    Continue reading
  • For a few days earlier this year, rogue GitHub apps could have hijacked countless repos
    A bit of a near-hit for the software engineering world

    A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories.

    For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers' repos. For example, if an app was granted read-only access to an organization or individual's code repo, the app could effortlessly escalate that to read-write access.

    This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft's GitHub, which assured The Register it's "committed to investigating reported security issues."

    Continue reading
  • If you're using older, vulnerable Cisco small biz routers, throw them out
    Severe security flaw won't be fixed – as patches released this week for other bugs

    If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

    First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

    Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

    Continue reading

Biting the hand that feeds IT © 1998–2022